[Dshield] incoming traffic from 192.168.0.1 ????

patv@monmouth.com patv at monmouth.com
Thu Jul 26 22:43:04 GMT 2001


No, all the hardware routers/firewalls use different IP addresses, but
usually one in the 192.168.XX.XX range.

My guess is somewhat more involved.  These may be spoofed addresses from
inside a network, for example, a local cable or DSL provider.  These
addresses are sent out to test for potential vulnerabilities of hardware
routers/firewalls.  If one just happens to respond, the hacker can then
sit on it and try to access different ports, try to see behind the
firewall, etc.

Pat

> [from ALEPH0 on another account:]
> Yes it could.  But what is the expected exploit?  It doesn't look like a
> big bandwidth or cpu hitter.  And as far as worms (like Bymer or Qaz) are
> concerned, the unroutable nature of the address inhibits its ability to
> process the information.
> 
> Could be a new exploit (or one I am not considering) or a newbie trying
> out a toy or a new C program he wrote.  Targeting a linksys router (or
> similar) would make sense with the spoofed address.  Any ideas on what
> might be gained?  Depending on the netmask, maybe arp corruption?
> 
> Oh, saw the 192.168.1.1 address related from the manual.  Is that
> universal for linksys?  What about other vendors' products?  The
> originator doesn't necessarily know what his target is.
>
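
An added example, not part of the original message: a private-range source such as 192.168.0.1 arriving on the external interface is either spoofed or leaking from the provider's local network, and a firewall log can be checked for it. The iptables-LOG-style lines are constructed sample data, and the interface name `eth0` for the WAN side and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Source ranges that should never arrive from the Internet side.
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]

WAN_IF = "eth0"  # assumption: name of the external interface

# Constructed sample lines in iptables LOG style (not real traffic).
SAMPLE_LOG = """\
Jul 26 22:01:10 fw kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=203.0.113.7 PROTO=TCP SPT=1025 DPT=80
Jul 26 22:01:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 PROTO=TCP SPT=4431 DPT=25
Jul 26 22:01:15 fw kernel: IN=eth0 OUT= SRC=192.168.0.1 DST=203.0.113.7 PROTO=UDP SPT=1026 DPT=137
Jul 26 22:01:20 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=TCP SPT=3000 DPT=80
Jul 26 22:01:31 fw kernel: IN=eth0 OUT= SRC=10.4.4.4 DST=203.0.113.7 PROTO=TCP SPT=2000 DPT=8080
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty

def is_martian(addr):
    """True if addr falls in a range that is not routed on the public Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIAN_NETS)

def spoofed_inbound(log_text, wan_if=WAN_IF):
    """Return {source: sorted [(proto, dport), ...]} for martian sources seen on the WAN side."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if f.get("IN") != wan_if or "SRC" not in f:
            continue  # private sources entering on the LAN interface are normal
        try:
            if is_martian(f["SRC"]):
                hits[f["SRC"]].add((f.get("PROTO", "?"), int(f.get("DPT", 0))))
        except ValueError:
            continue  # malformed address or port: skip the line
    return {src: sorted(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    for src, ports in spoofed_inbound(SAMPLE_LOG).items():
        print(src, ports)
```

The ports probed per source show what the sender was testing for; the same address ranges can be dropped outright on the external interface.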
