[Dshield] incoming traffic from 192.168.0.1 ????

Coxe, John B. JOHN.B.COXE at saic.com
Thu Jul 26 19:40:51 GMT 2001


[from ALEPH0 on another account:]
Yes it could.  But what is the expected exploit?  It doesn't look like a big
bandwidth or CPU hitter.  And as far as worms (like Bymer or Qaz) are
concerned, the unroutable nature of the address inhibits its ability to
process the information.

Could be a new exploit (or one I am not considering) or a newbie trying out
a toy or a new C program he wrote.  Targeting a linksys router (or similar)
would make sense with the spoofed address.  Any ideas on what might be
gained?  Depending on the netmask, maybe ARP corruption?

Oh, saw the 192.168.1.1 address related from the manual.  Is that universal
for linksys?  What about other vendors' products?  The originator doesn't
necessarily know what his target is.


-----Original Message-----
From: Jay Wren [mailto:JRWren at advnetworks.com]
Sent: Thursday, July 26, 2001 8:29 AM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


It could very well be a spoofed IP?

-J

-----Original Message-----
From: patv at monmouth.com [mailto:patv at monmouth.com] 
Sent: Thursday, July 26, 2001 11:30 AM
To: dshield at dshield.org
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


Don't be so quick on dismissing this.  The original email specifically stated
that it isn't the IP for his LAN.  Additionally, I've gotten scans from
reserved IP addresses before.  I don't know how it was done (although I have
some suspicions), but it is real.

Pat

> 192.168 is the range of reserved class C nets.  These are not routable and
> are commonly used for private LANs that are generally masqueraded by
> firewalls or proxy servers.  Check to see if this is not just the internal
> interface address of your linksys.  I haven't used that product.  But that
> would not surprise me.  In any event, there is no point worrying about
> a threat from that address.  It is not routable on the 'net anyway.
> BTW, the reserved nets are 10.0.0.0 (class A), 172.16-31.0.0 (class Bs) and
> 192.168.0-255.0 (class Cs).
> 
> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of airratt
> Sent: Tuesday, July 24, 2001 3:01 PM
> To: dshield at dshield.org
> Subject: Re: [Dshield] incoming traffic from 192.168.0.1 ????
> 
> 
> My dig of that IP 192.168.0.1 is :BLACKHOLE.ISI.EDU
> 
> 
> ----- Original Message -----
> From: "Marty Keane" <mkeane89 at pacbell.net>
> To: <dshield at dshield.org>
> Sent: Tuesday, July 24, 2001 3:49 PM
> Subject: [Dshield] incoming traffic from 192.168.0.1 ????
> 
> 
> > Hello all,
> >
> > I'm new to the list so I hope I'm on target with my question. I'm using
> > the linksys router with the latest firmware with a windows 98 machine. I just
> > started logging my incoming traffic to the firewall and recently
> > found something very disturbing. Hopefully there's a simple
> > explanation. Here are the entries AM (PST)
> >
> > remote addr                                  remote port    local port
> > ----------------------------------------------------------------------
> >
> > 11:26:51  (first three entries)
> >
> > 169.254.61.126                               137            137
> > 192.168.0.1                                  137            137
> > adsl-64-160-96-149.dsl.bkfd14.pacbell.net    137            137
> >
> > 11:27:19 (remaining entries)
> >
> > 169.254.61.126                               137            137
> > 192.168.0.1                                  137            137
> > adsl-64-160-96-149.dsl.bkfd14.pacbell.net    137            137
> > 192.168.0.1                                  137            137
> > 169.254.61.126                               137            137
> >
> > My apologies if there is some other formal way of raising this
> > issue, but the fact that it's an internal looking address has me
> > concerned. I'm aware of the net-bios issue with windows
> > machines and I've cloaked my router. One last note is that
> > 192.168.0.1 is neither my router's ip nor an ip of a machine on my
> > LAN.
> >
> > Any insight would be greatly appreciated! Right now I've got my LAN down
> > and I am afraid to bring it up until I know what's going on :-/
> >
> >
> > Marty
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www1.dshield.org/mailman/listinfo/dshield




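An added triage helper for the question the thread turns on (whether a logged source address can even reach you from the Internet); this is example code written for this archive page, not something any of the posters sent. It assumes the three-column log layout Marty quoted, treats the RFC 1918 ranges listed above plus 169.254.0.0/16 (link-local) as reserved, and takes your own LAN networks as a parameter so the router's inside interface is not mistaken for an outside spoof.

```python
import ipaddress

# Constructed sample of the entries Marty quoted:
# (remote address as the router logged it, remote port, local port)
LOG_ENTRIES = [
    ("169.254.61.126", 137, 137),
    ("192.168.0.1", 137, 137),
    ("adsl-64-160-96-149.dsl.bkfd14.pacbell.net", 137, 137),
]

# RFC 1918 private ranges listed in the thread, plus 169.254.0.0/16, the
# link-local range a Windows host self-assigns when it gets no DHCP lease.
RESERVED = {
    "rfc1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}
PORT_NAMES = {137: "NetBIOS name service"}


def classify_source(remote):
    """Return 'rfc1918', 'link-local', 'public' or 'hostname'."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        # Router logged a reverse-DNS name; resolve it separately, don't guess.
        return "hostname"
    for label, nets in RESERVED.items():
        if any(addr in net for net in nets):
            return label
    return "public"


def triage(entries, my_lan_nets=()):
    """Annotate entries; my_lan_nets (e.g. '192.168.1.0/24') marks your own
    router/LAN addresses so they are not reported as outside spoofs."""
    lan = [ipaddress.ip_network(n) for n in my_lan_nets]
    findings = []
    for remote, _rport, lport in entries:
        kind = classify_source(remote)
        service = PORT_NAMES.get(lport, "port %d" % lport)
        if kind in ("public", "hostname"):
            note = "ordinary external source"
        elif any(ipaddress.ip_address(remote) in n for n in lan):
            note = "own LAN/router address, benign"
        else:
            # Not Internet-routable: spoofed, or a host on the same ISP-side segment.
            note = "not Internet-routable: spoofed or same-segment host"
        findings.append((remote, kind, service, note))
    return findings
```

Run `triage(LOG_ENTRIES, ("192.168.1.0/24",))` to see the 192.168.0.1 and 169.254.61.126 entries flagged while the pacbell.net entry is reported as an ordinary external source.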



