[Dshield] Private IP addresses

Bob Johnson bob at eng.ufl.edu
Fri Jul 27 13:27:58 GMT 2001

Hank wrote:
> My ISP doesn't bother to block 192.168 addresses on their own network, and if
> I forget to shut down my dial up and run Nmap against, (my
> Intranet webserver address), I get a look at their Colon Link server.
> Experience tells me it's a waste of time to tell them about it, but I do have
> a few concerns for their level of security.

Many DSL providers route at least some private addresses within their 
networks, and they use them for various purposes.  E.G. some give their 
routers private IP numbers, even though that seems to violate the RFC. 
I assume other large ISPs may do this as well.  192.168.0 and 
192.168.1 would be particularly poor blocks to route internally, 
though, because they are so widely used as defaults by stuff that 
expects them to not be routed.  The ISPs I've seen do it were using 
10.x.x.x address blocks, which makes more sense.

Also, some of them do internal security scanning from hosts with 
private IP numbers.  If so, they will normally tell you if you 
complain, i.e. send their abuse department a complaint that you are 
seeing attacks from, and they may tell you that it's them, 
don't worry about it.  

Any properly run network, even if it routes some private IPs, will 
provide a number of non-routed "link local" address blocks for 
people who set up NATed home networks.  That way you can set 
up your own firewall and expect that you won't see your internal 
addresses showing up on the wrong side of your firewall (although 
you should still configure your firewall to assume it could happen).  
If your provider does not / can not provide you with such a link 
local address block, you should seriously consider politely 
informing them that they are too incompetent for your taste, and 
that you will be looking for a different provider.

Also, the 169.254 address space is a link local block that is mainly 
used by DHCP clients that cannot find a DHCP server.  As a last resort, 
they issue themselves a random number from the 169.254 space.  Recent 
versions of Windows and the Mac OS do this.  It lets you plug a bunch 
of computers into a bunch of cable and create a LAN without any 
configuration at all.  They will all end up on the same address space 
and will be able to talk to each other, even though they can't reach 
the outside world.   You could configure your home network to use 
this space (that's perfectly legitimate: it's what that block is for), 
unless your ISP is so incompetent that they even route that address 
block -- and it appears that some do.

The 169.254 address space should not be routed at all, not even 
internally within a network.  So anyone seeing packets from that 
address space should be able to assume that someone has installed 
a new computer on their LAN, and it was unable to find a DHCP 
server.  If you are seeing 169.254 addresses coming from outside your 
personal LAN, your ISP is running a broken (and insecure) network.

- Bob

> Hank
> --
> Just another day in Paradise.

More information about the list mailing list