
RE: Ip spoof from 0.0.0.0

From: Onsite West Houston <onsite(at)eforest.net>
Date: Fri Nov 08 2002 - 19:24:33 EST

        This is the first I heard of anybody maintaining a "bogus IP" list, and on the surface it seems like it ought to be quite worthwhile. So I went and checked out the site.

        Perhaps I'm missing something, but as I look at the site, what I see are:

        (a) A list of most of the Class A addresses -- 75 of the 126 possible.
                It would seem easier to identify those Class A networks that are live,
                most of them likely to be large ISPs, and expressly permit those
                networks, rather than try to block a list of 75 -- the list of 51
                issued blocks can be consolidated into 13 CIDR table entries. The
                aggregated list of blocked networks requires 23 CIDR entries.
                Also, it would appear that this list does not include NAT/firewalled
                networks, which /also/ should never originate any inbound traffic.

        (b) No Class B addresses -- of course all of them have been issued, but many
                of them are buried behind firewalls, and some of them were never actually
                connected to the Internet -- issued before commercial access was possible.

        (c) These few Class C blocks -- and except for the first one, are probably short lived on the list
                as they're sure to be issued to somebody pretty quickly.

		192.0.2.0/24
		197.0.0.0/8
		198.18.0.0/15
		201.0.0.0/8

	The remainder of those listed are the IANA private networks.

	169.254.0.0/16
	172.16.0.0/12
	192.168.0.0/16

	and the loopback network

	127.0.0.0/8  -- which I'm not sure should ever be configured to be ignored
				as it would be somewhat difficult to ping your own loopback.

        So.. with the list as short as it is ... I fear I'm missing the point of publishing and maintaining the list. As I understand the purpose of the list is to identify networks that traffic should /never/ originate from. But from a security perspective, the list is definitely incomplete, as it appears to not consider issued but never-to-be-connected blocks of addresses, such as those behind NAT/firewalls or never connected at all. It would seem those networks are the most likely to be source addresses used for spoofing attacks, rather than those known to not be issued.

        Somebody please enlighten me if I've missed something significant.

        Thanks!



Lawrence Garvin
Principal/CEO
Onsite West Houston
http://onsite.eforest.net
ICQ#: 38440195

-----Original Message-----
From: Jason Robertson [mailto:jason@ifuture.com]
Sent: Thursday, November 07, 2002 9:17 PM
To: Nexus; incidents@securityfocus.com
Cc: incidents@securityfocus.com
Subject: Re: Ip spoof from 0.0.0.0

For all of you who want the list of bogus IP's

http://www.cymru.com/Documents/bogon-list.html

As for 0.0.0.0, it is used for DHCP, but it shouldn't go beyond your gateway, or anyone else's.

Also the addressing is usually 0.0.0.0 -> 255.255.255.255 67 At least on our network at work...

On 6 Nov 2002 at 23:53, Nexus wrote:

From:           	"Nexus" 
To:             	"Frank Cheong" ,
	"Paul Gillingwater" 
Copies to:      	
Subject:        	Re: Ip spoof from 0.0.0.0
Date sent:      	Wed, 6 Nov 2002 23:53:10 -0000

>
> ----- Original Message -----
>



> This list is provided by the SecurityFocus ARIS analyzer service.
--
Jason Robertson                
Now at the Nation Research Council.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

Received on Mon Nov 11 15:41:24 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT
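
The two ideas discussed in this message, aggregating /8 blocks into CIDR entries and checking a source address against networks that should never originate traffic, shown as an added Python example that is not part of the original post. The sample of issued first octets is constructed (it is not the 2002 allocation table), and the function names are hypothetical.

```python
import ipaddress

# Source networks the message lists as ones traffic should never come from.
# 0.0.0.0/8 is added for the thread's 0.0.0.0 source; 197.0.0.0/8 and
# 201.0.0.0/8 are omitted because the message expects them to be issued.
# Assumption: the check is applied to packets arriving on an external interface.
NEVER_SOURCE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15")]

# Constructed sample of "issued" Class A first octets, NOT the real table.
SAMPLE_ISSUED = [4, 5, 6, 7, 12, 13, 14, 15, 16, 17, 18, 19, 24, 64, 65, 66, 67]


def slash8s(octets):
    """Turn first octets into /8 network objects."""
    return [ipaddress.ip_network(f"{o}.0.0.0/8") for o in octets]


def aggregate(networks):
    """Merge sibling and contained networks into the fewest CIDR entries."""
    return list(ipaddress.collapse_addresses(networks))


def allow_vs_deny(issued, space=range(1, 127)):
    """Return (allow_list, deny_list) over Class A octets 1-126, both aggregated."""
    issued = set(issued)
    allow = aggregate(slash8s(sorted(issued)))
    deny = aggregate(slash8s(o for o in space if o not in issued))
    return allow, deny


def never_source(addr):
    """Return the matching never-source network as a string, or None."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in NEVER_SOURCE if ip in n), None)


if __name__ == "__main__":
    allow, deny = allow_vs_deny(SAMPLE_ISSUED)
    print(f"permit list: {len(allow)} entries, block list: {len(deny)} entries")
    for net in allow:
        print("  permit", net)
    # Constructed source addresses, as they might appear in a firewall log.
    for src in ("0.0.0.0", "192.168.1.10", "198.19.255.1", "24.1.2.3"):
        print(f"{src:>15} -> {never_source(src) or 'not on the list'}")
```

With this sample the permit list aggregates to fewer entries than the block list, the same direction as the 13 versus 23 comparison in the message.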

