[Dshield] Spam Problem - RFC1918 Comment

Jon R. Kibler Jon.Kibler at aset.com
Mon Jan 12 22:00:41 GMT 2004

Please see embedded comments.

David Sentelle wrote:
> The important thing to note with RFC1918 traffic is that the RFC states
> these are 'non-routable' addresses.  

Non-routable on the Internet. Your ISP's network is NOT the Internet.

<SNIP!> My ISP does route them inside their own network, and I
> frequently see traffic hitting our external interface from RFC1918
> addresses.

Two issues here.
1) Again, private address space can route on any private network -- such as your ISPs network.
2) It is common to see incoming traffic originating from private address space, even on direct connections to the Internet. Why? Two reasons:
   a) A lot of private networks are leaky and these addresses end up on the Internet when they should have been blocked by the source's firewall or NAT device. (Search the archives for my posting last year on blocking such traffic.)
   b) Various miscreants use RFC 1918 addresses to initiate DOS/DDOS attacks because the are almost impossible to trace to their real source. They also use other reserved or unallocated addresses because few firewalls block such addresses. (Again, find my old posting for more details.)

> It is my understanding that they do this so their internal equipment
> doesn't take up address space.  

Does not use GLOBAL address space. It still takes up PRIVATE address space.

> Whatever the case, don't rely on RFCs
> (or ISPs) to keep out non-routeable traffic.

Nothing in the RFCs says they should. (I would argue that ISPs should block all bogus traffic, but this group has already had that discussion MANY times, and let's not rehash it again now.) All the RFCs say is that anyone is free to use those addresses on their private network, but systems on the Internet cannot connect to systems with private addresses because their is no way to route data to a non-unique address.

> I know there's people much more knowledgeable than me on this list.
> (Why else would I subscribe?)   I'm sure (consider it an invitation) one
> of them will correct me on whatever I've screwed up in what little I've
> said here.  I'm just regurgitating what I was told by my ISP's support
> staff when I was asking why I saw this RFC1918 traffic hitting our
> external interface.  (traffic which wasn't spoofed because I could
> connect to the addresses)

Again, the addresses are valid on a private network -- your ISPs network. Some ISPs (esp those still running dial-up connections) use private address space for ALL their DHCP-ed users and simply NAT/PAT it for connections to resources not on the ISP's private network.

Hope things a little clearer now...

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

More information about the list mailing list