[Dshield] routing 192.168...?

Daniel Cherton dcherton at aei.ca
Mon May 2 04:09:56 GMT 2005


Hi Chris,

I know that the source is not use for routing but I thought that private 
addresses are suppose to be block by ISPs.
Not mandatory but, they should. After all an ISP could use that address 
on their own private network ?
How can I check the TTL ?  It append 28 times today. For me the source 
become that private address, no routing possible.
My fisrt line is a router/firewall, everything is block, I then have 
ZoneAlarm  in every machine.

Daniel

Chris Brenton wrote:

>On Sat, 2005-04-23 at 18:12, Daniel Cherton wrote:
>  
>
>>Apr/22/2005 15:31:12
>> Ping of Death Detect src:192.168.1.10:2961 dst:my-internet-ip:42617 Packet Dropped
>>
>>
>>anybody knows how that is possible ? I would think someone using the 
>>same ISP is having fun !
>>    
>>
>
>Common mis-conception. The source IP has nothing to do with how packets
>get routed on the Internet. The only thing that gets evaluated is the
>destination IP address. This did not have to come from your ISP, but
>could have come from anywhere on the Internet. Checking the TTL would
>give you an idea of how far away the source IP really was.
>
>Its not uncommon to see a source IP which is private, loopback, your
>legal address space, or even a legal but unallocated address. This is
>why many people filter these sources at their perimeter.
>
>HTH,
>Chris
>
>
>
>-------------- Sponsor Message ------------------------------------
>Join us at SANSFIRE 2005 in Atlanta!
>The Internet Storm Center Conference.
>Details: http://www.sans.org/sansfire2005
>
>_______________________________________________
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>
>
>
>  
>



-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.0 - Release Date: 4/29/2005




More information about the list mailing list