[Dshield] Private IP addresses
bob at eng.ufl.edu
Fri Jul 27 13:27:58 GMT 2001
> My ISP doesn't bother to block 192.168 addresses on their own network, and if
> I forget to shut down my dial up and run Nmap against 192.168.0.2, (my
> Intranet webserver address), I get a look at their Colon Link server.
> Experience tells me it's a waste of time to tell them about it, but I do have
> a few concerns for their level of security.
Many DSL providers route at least some private addresses within their
networks, and they use them for various purposes, e.g. some give their
routers private IP numbers, even though that seems to violate the RFC.
I assume other large ISPs may do this as well. 192.168.0 and
192.168.1 would be particularly poor blocks to route internally,
though, because they are so widely used as defaults by stuff that
expects them to not be routed. The ISPs I've seen do it were using
10.x.x.x address blocks, which makes more sense.
Also, some of them do internal security scanning from hosts with
private IP numbers. If so, they will normally tell you if you
complain, i.e. send their abuse department a complaint that you are
seeing attacks from 192.168.0.1, and they may tell you that it's them,
don't worry about it.
Any properly run network, even if it routes some private IPs, will
provide a number of non-routed "link local" address blocks for
people who set up NATed home networks. That way you can set
up your own firewall and expect that you won't see your internal
addresses showing up on the wrong side of your firewall (although
you should still configure your firewall to assume it could happen).
If your provider does not or cannot provide you with such a link
local address block, you should seriously consider politely
informing them that they are too incompetent for your taste, and
that you will be looking for a different provider.
Also, the 169.254 address space is a link local block that is mainly
used by DHCP clients that cannot find a DHCP server. As a last resort,
they issue themselves a random number from the 169.254 space. Recent
versions of Windows and the Mac OS do this. It lets you plug a bunch
of computers into a bunch of cable and create a LAN without any
configuration at all. They will all end up on the same address space
and will be able to talk to each other, even though they can't reach
the outside world. You could configure your home network to use
this space (that's perfectly legitimate: it's what that block is for),
unless your ISP is so incompetent that they even route that address
block -- and it appears that some do.
The 169.254 address space should not be routed at all, not even
internally within a network. So anyone seeing packets from that
address space should be able to assume that someone has installed
a new computer on their LAN, and it was unable to find a DHCP
server. If you are seeing 169.254 addresses coming from outside your
personal LAN, your ISP is running a broken (and insecure) network.
> Just another day in Paradise.
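The reply's practical advice is to configure a home firewall on the assumption that private and 169.254 source addresses can show up on the ISP side anyway, and to treat such packets as a sign of a leaky or broken upstream network. The following is an added example, not code from the original message or the list: it classifies source addresses into RFC 1918, 169.254/16 link-local, or routable, scans a few constructed firewall log lines (the `iface src dst proto` format and the `ppp0` dial-up interface name are assumptions) for packets that arrive on the WAN side from a block that should never be routed there, and emits the corresponding drop rules in iptables syntax.

```python
import ipaddress

# Blocks that should never appear as a packet source on the WAN side of a
# home firewall: the RFC 1918 private blocks and the 169.254/16 link-local
# block discussed in the post.
NON_ROUTABLE = {
    "rfc1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}


def classify(addr):
    """Return 'rfc1918', 'link-local', or 'routable' for a dotted-quad address."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_ROUTABLE.items():
        if any(ip in net for net in nets):
            return label
    return "routable"


# Constructed sample log lines in a hypothetical "iface src dst proto" format.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges (RFC 5737), used
# here so that no real routable host is named.
SAMPLE_LOG = """\
ppp0 192.168.0.1 198.51.100.5 tcp
ppp0 169.254.33.7 198.51.100.5 udp
ppp0 10.20.30.40 198.51.100.5 icmp
ppp0 203.0.113.9 198.51.100.5 tcp
eth0 192.168.0.2 192.168.0.1 tcp
"""


def find_leaks(log_text, wan_iface="ppp0"):
    """Return (src, label) for every packet seen on the WAN interface whose
    source lies in a block that should not have been routed to us.
    Traffic on the LAN interface is expected to use private addresses and
    is therefore ignored."""
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing
        iface, src, _dst, _proto = fields
        if iface != wan_iface:
            continue
        label = classify(src)
        if label != "routable":
            leaks.append((src, label))
    return leaks


def bogon_rules(wan_iface="ppp0"):
    """Emit iptables rules that drop inbound packets on the WAN interface
    whose source is in any of the non-routable blocks, so the firewall does
    not depend on the ISP filtering them."""
    rules = []
    for nets in NON_ROUTABLE.values():
        for net in nets:
            rules.append(f"iptables -A INPUT -i {wan_iface} -s {net} -j DROP")
    return rules


if __name__ == "__main__":
    for src, label in find_leaks(SAMPLE_LOG):
        print(f"leaked {label} source on WAN: {src}")
    print("\n".join(bogon_rules()))
```

Any hit from `find_leaks` on the dial-up interface means either a misconfigured upstream network, as the post describes, or a spoofed packet; either way the `bogon_rules` output drops it before it reaches the LAN, and the log entry is worth keeping as evidence when raising the issue with the provider.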