[Dshield] incoming traffic from 192.168.0.1 ????

Tom Geairn TGeairn at unxpres.com
Thu Jul 26 20:41:58 GMT 2001


Using the 192.168.x.x (or other unroutable addresses) is a common practice
for DOS or DDOS attacks.  It makes backtracking a little more difficult if
the apparent reply to address isn't valid.  

Also, the packet itself is an (albeit simple) denial of service...  Your box
will spend some time trying to reply or ACK the packet and you can end up
with enough pending ACKs that your box will slow or crash.  Configuring your
router to simply drop the packets is usually enough, though.

As always, if you are seeing a large volume of this traffic, contact your
ISP and ask them to drop the packets on their end.  Be a good neighbor and
configure your router to explicitly drop any outbound packets with
unroutable source or destination addresses too.  If everyone dumped these
junk packets before they left their networks we could free up some much
needed bandwidth!

There is one other possibility here for a potential worm or attack that you
overlooked.  What if you did have a machine on your internal network with an
address of 192.168.0.1?  Your router would ACK to that machine instead of
the original sender, possibly (if source routing is enabled?) sending the
foreign packet into your network.  Now you have your "supposedly" safe
machine that has an internal use only address getting hit by traffic caused
by someone outside your net.  I haven't played with this idea much, but I
suppose that if your router were doing some kinds of address translation it
could think this packet was right at home and translate it to something else
with similar effects.

-Tom
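As an added illustration (not part of the thread or any poster's code) of the border filtering Tom recommends, this Python audit classifies the source addresses from a firewall log like Marty's against the reserved ranges listed in the thread and flags the entries an ingress filter should have dropped; the sample rows are a constructed simplification of the Linksys log, not its real export format.

```python
import ipaddress

# Blocks that should never arrive as a source from the Internet: the RFC 1918
# ranges listed in the thread plus 169.254/16, the other odd source in the log.
BOGON_NETS = {
    "rfc1918-10/8": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918-172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918-192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "link-local-169.254/16": ipaddress.ip_network("169.254.0.0/16"),
}
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample rows (time, remote_addr, remote_port, local_port) built
# from the entries Marty posted; the real Linksys export layout differs.
SAMPLE_ROWS = [
    ("11:26:51", "169.254.61.126", 137, 137),
    ("11:26:51", "192.168.0.1", 137, 137),
    ("11:26:51", "adsl-64-160-96-149.dsl.bkfd14.pacbell.net", 137, 137),
    ("11:27:19", "192.168.0.1", 137, 137),
]

def classify_source(addr):
    """Name the reserved block a source falls in, 'public' for a routable IP,
    or 'hostname' when the logger recorded a DNS name instead of an address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"
    for label, net in BOGON_NETS.items():
        if ip in net:
            return label
    return "public"

def audit(rows):
    """Flag rows an ingress filter should have dropped (unroutable source) and
    NetBIOS probes from real addresses; returns (findings, hits per source)."""
    findings, counts = [], {}
    for t, remote, rport, lport in rows:
        cls = classify_source(remote)
        if cls not in ("public", "hostname"):
            reason = "unroutable source, drop at the border"
        elif lport in NETBIOS_PORTS:
            reason = "NetBIOS probe on port %d" % lport
        else:
            continue
        findings.append({"time": t, "src": remote, "class": cls, "reason": reason})
        counts[remote] = counts.get(remote, 0) + 1
    return findings, counts
```

Feed it rows parsed from your own router's export and the per-source counts show at a glance whether the 192.168.0.1 entries are a one-off or a steady stream worth reporting to the ISP.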

-----Original Message-----
From: Coxe, John B. [mailto:JOHN.B.COXE at saic.com]
Sent: Thursday, July 26, 2001 3:41 PM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


[from ALEPH0 on another account:]
Yes it could.  But what is the expected exploit?  It doesn't look like a big
bandwidth or cpu hitter.  And as far as worms (like Bymer or Qaz) are
concerned, the unroutable nature of the address inhibits its ability to
process the information.

Could be a new exploit (or one I am not considering) or a newbie trying out
a toy or a new C program he wrote.  Targeting a linksys router (or similar)
would make sense with the spoofed address.  Any ideas on what might be
gained?  Depending on the netmask, maybe arp corruption?

Oh, saw the 192.168.1.1 address related from the manual.  Is that universal
for linksys?  What about other vendors' products?  The originator doesn't
necessarily know what his target is.


-----Original Message-----
From: Jay Wren [mailto:JRWren at advnetworks.com]
Sent: Thursday, July 26, 2001 8:29 AM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


It could very well be a spoofed ip?

-J

-----Original Message-----
From: patv at monmouth.com [mailto:patv at monmouth.com] 
Sent: Thursday, July 26, 2001 11:30 AM
To: dshield at dshield.org
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


Don't be so quick on dismissing this.  The original email specifically stated
that it isn't the ip for his lan.  Additionally, I've gotten scans from
reserved ip addresses before.  I don't know how it was done (although I have
some suspicions), but it is real.

Pat

> 192.168 is the range of reserved class C nets.  These are not routable and
> are commonly used for private LANs that are generally masqueraded by 
> firewalls or proxy servers.  Check to see if this is not just the internal
> interface address of your linksys.  I haven't used that product.  But that
> would not surprise me.  In any event, there is no point worrying about 
> a threat from that address.  It is not routable on the 'net anyway.  
> BTW, the reserved nets are 10.0.0.0 (class A), 172.16-31.0.0 (class Bs) and 
> 192.168.0-255.0 (class Cs).
> 
> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of airratt
> Sent: Tuesday, July 24, 2001 3:01 PM
> To: dshield at dshield.org
> Subject: Re: [Dshield] incoming traffic from 192.168.0.1 ????
> 
> 
> My dig of that IP 192.168.0.1 is :BLACKHOLE.ISI.EDU
> 
> 
> ----- Original Message -----
> From: "Marty Keane" <mkeane89 at pacbell.net>
> To: <dshield at dshield.org>
> Sent: Tuesday, July 24, 2001 3:49 PM
> Subject: [Dshield] incoming traffic from 192.168.0.1 ????
> 
> 
> > Hello all,
> >
> > I'm new to the list so I hope I'm on target with my question. I'm using
> > the linksys
> > router with the latest firmware with a windows 98 machine. I just 
> > started logging my incoming traffic to the firewall and recently 
> > found something very disturbing. Hopefully there's a simple
> > explanation. Here are the entries AM (PST)
> >
> > remote addr                                  remote port    local port
> > ----------------------------------------------------------------------
> >
> > 11:26:51  (first three entries)
> >
> > 169.254.61.126                               137            137
> > 192.168.0.1                                  137            137
> > adsl-64-160-96-149.dsl.bkfd14.pacbell.net    137            137
> >
> > 11:27:19 (remaining entries)
> >
> > 169.254.61.126                               137            137
> > 192.168.0.1                                  137            137
> > adsl-64-160-96-149.dsl.bkfd14.pacbell.net    137            137
> > 192.168.0.1                                  137            137
> > 169.254.61.126                               137            137
> >
> > My apologies if there is some other formal way of raising this 
> > issue, but the fact that it's an internal looking address has me 
> > concerned. I'm aware of the net-bios issue with windows
> > machines and I've cloaked my router. One last note is that 
> > 192.168.0.1 is neither my router's ip nor an ip of a machine on my 
> > LAN.
> >
> > Any insight would be greatly appreciated! Right now I've got my LAN down
> > and I am afraid to bring it up until I know what's going on :-/
> >
> >
> > Marty
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www1.dshield.org/mailman/listinfo/dshield
> 



