[Dshield] incoming traffic from 192.168.0.1 ????
patv at monmouth.com
Thu Jul 26 22:43:04 GMT 2001
No, all the hardware routers/firewalls use different IP addresses, but
usually one in the 192.168.XX.XX range.
My guess is somewhat more involved. These may be spoofed addresses from
inside a network, for example, a local cable or DSL provider. These
addresses are sent out to test for potential vulnerabilities of hardware
routers/firewalls. If one just happens to respond, the hacker can then
sit on it and try to access different ports, try to see behind the
> [from ALEPH0 on another account:]
> Yes it could. But what is the expected exploit? It doesn't look like a
> bandwidth or cpu hitter. And as far as worms (like Bymer or Qaz) are
> concerned, the unroutable nature of the address inhibits its ability to
> process the information.
> Could be a new exploit (or one I am not considering) or a newbie trying
> a toy or a new C program he wrote. Targeting a linksys router (or
> would make sense with the spoofed address. Any ideas on what might be
> gained? Depending on the netmask, maybe arp corruption?
> Oh, saw the 192.168.1.1 address related from the manual. Is that
> for linksys? What about other vendors' products? The originator doesn't
> necessarily know what his target is.