RE: Odd entries in my Security Router logs
While RFC1918 addresses should not be reachable over the
public portions of the Internet, VERY few routers are
configured to discard traffic which shows them (or any
other bogus/impossible value) as a source. In general,
routing and filtering look only at the destination
address.

Since these are not supposed to be valid destinations,
it should not be possible to complete a TCP three-way
handshake and establish a session with them over the
Internet. However, this point is moot if the purpose
of a packet is to do its damage without such a session,
either by crafting of the initial SYN TCP packet, or
using some connectionless protocol.

Reality, therefore, is that packets from these source
addresses are seen on the public Internet, and that any
router/firewall/gateway at a security perimeter should
drop them.

Further detailed examination of these packets is left
as an exercise for admins with spare time.

Dave Gillett

> -----Original Message-----
> From: Michael Sierchio [mailto:kudzu@tenebras.com]
> Sent: Wednesday, December 11, 2002 10:09 AM
> To: Andrews, Jonathan (US - Hermitage)
> Cc: 'Julian Young'; incidents@securityfocus.com
> Subject: Re: Odd entries in my Security Router logs
>
>
> Andrews, Jonathan (US - Hermitage) wrote:
>
> > 192.168.0.0/16 is a privately addressed netblock. These
Received on Wed Dec 11 17:09:13 2002
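
An added example, not part of the original post or thread: a log check that flags packets arriving on the external interface with an RFC1918 source, extended to the other impossible source ranges the message alludes to. The log format, the interface names `wan0`/`lan0`, and every address in the sample are constructed for illustration.

```python
import ipaddress
import re

# Source ranges that should never appear on an Internet-facing interface.
BOGON_SOURCES = [(label, ipaddress.ip_network(cidr)) for label, cidr in [
    ("RFC1918", "10.0.0.0/8"), ("RFC1918", "172.16.0.0/12"), ("RFC1918", "192.168.0.0/16"),
    ("loopback", "127.0.0.0/8"), ("this-network", "0.0.0.0/8"),
    ("link-local", "169.254.0.0/16"), ("multicast", "224.0.0.0/4"), ("reserved", "240.0.0.0/4"),
]]

# Constructed log format (an assumption): "<time> <iface> <proto> <src>:<port> -> <dst>:<port>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+$")

# Constructed sample records; not taken from the thread.
SAMPLE_LOG = """\
10:01:02 wan0 TCP 192.168.1.77:1025 -> 203.0.113.10:80
10:01:05 wan0 UDP 198.51.100.23:53 -> 203.0.113.10:1031
10:01:09 wan0 UDP 10.4.4.4:137 -> 203.0.113.10:137
10:01:12 lan0 TCP 192.168.1.20:1044 -> 198.51.100.23:80
10:01:15 wan0 TCP 127.0.0.1:80 -> 203.0.113.10:1050
10:01:18 wan0 TCP 172.32.0.9:4000 -> 203.0.113.10:25
"""

def classify_source(addr):
    """Return a bogon label for addr, or None if it is a plausible Internet source."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"  # e.g. an octet above 255: also an impossible source
    for label, net in BOGON_SOURCES:
        if ip in net:
            return label
    return None

def bogon_hits(log_text, external_iface="wan0"):
    """Return (time, proto, src, label) for bogon sources seen on the external interface."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet record
        when, iface, proto, src, _dst = m.groups()
        label = classify_source(src)
        if iface == external_iface and label:  # inside sources on lan0 are legitimate
            hits.append((when, proto, src, label))
    return hits

if __name__ == "__main__":
    for hit in bogon_hits(SAMPLE_LOG):
        print(*hit)
```

The check is on the source address and the arrival interface only, so it flags connectionless and single-packet traffic the same way as TCP; 172.32.0.9 is deliberately in the sample because it sits just outside 172.16.0.0/12 and must not be flagged.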