[Dshield] incoming traffic from ????

patv@monmouth.com patv at monmouth.com
Thu Jul 26 22:43:04 GMT 2001

No, all the hardware routers/firewalls use different IP addresses, but
usually one in the 192.168.XX.XX range.

My guess is somewhat more involved.  These may be spoofed addresses from
inside a network, for example, a local cable or DSL provider.  These
addresses are sent out to test for potential vulnerabilities of hardware
routers/firewalls.  If one just happens to respond, the hacker can then
sit on it and try to access different ports, try to see behind the
firewall, etc.


> [from ALEPH0 on another account:]
> Yes it could.  But what is the expected exploit?  It doesn't look like a
> bandwidth or cpu hitter.  And as far as worms (like Bymer or Qaz) are
> concerned, the unroutable nature of the address inhibits its ability to
> process the information.
> Could be a new exploit (or one I am not considering) or a newbie trying
> a toy or a new C program he wrote.  Targeting a Linksys router (or
> would make sense with the spoofed address.  Any ideas on what might be
> gained?  Depending on the netmask, maybe arp corruption?
> Oh, saw the address related from the manual.  Is that
> for Linksys?  What about other vendors' products?  The originator doesn't
> necessarily know what his target is.
