[Dshield] routing 192.168...?

Stephane Grobety security at admin.fulgan.com
Mon May 2 14:01:50 GMT 2005


Hello Daniel,

IPs with private source addresses are only blocked by ISPs that do
some form of egress filtering, and even then it's not always the case
and most often only at the periphery.

It's a shame really: that kind of filtering would really cut down the
nuisance capacity of machines inside the ISP's own network but, on the
other hand, it's not really a sales argument; it costs money. So few
are doing it, and far from enough for filtering to be really effective.

You can check the TTL by looking at the raw IP headers (for instance,
with Ethereal). But it won't tell you much as you'll only have the
final value, not the initial one, and therefore cannot know the exact
number of hops.

The best would be to set up your router to drop all packets with a
private IP in the source field that hit the external interface. If
that's not possible, then I'm afraid you'll have to live with it:
tracing spoofed traffic is next to impossible. Trust me, I know: for 8
months, some Dutch idiot tried to use my DNS server as a traffic
amplifier by sending it requests for the root with a spoofed IP
address (the actual victim). I was unable to trace the traffic and my
ISP refused to even pursue it (I can't blame them, really: in order to
do that, you have to follow the physical path of the packets to know
what gateway they come from and then ask the next party to do the same
until you reach the source).

Good luck,
Stephane

Monday, May 2, 2005, 6:09:56 AM, you wrote:

DC> Hi Chris,

DC> I know that the source is not used for routing but I thought that private
DC> addresses are supposed to be blocked by ISPs.
DC> Not mandatory, but they should. After all an ISP could use that address
DC> on their own private network?
DC> How can I check the TTL? It happened 28 times today. For me the source
DC> becomes that private address, no routing possible.
DC> My first line is a router/firewall, everything is blocked, I then have
DC> ZoneAlarm in every machine.



-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
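The ingress rule Stephane recommends (drop anything arriving on the external interface with a private source address), as an added example not taken from the list post: the filter decision is run over constructed firewall log lines, and a rough hop estimate from the observed TTL is included to show why the post says the exact count cannot be recovered. The interface name "wan0", the log format and all addresses are assumptions.

```python
"""Ingress filter check: drop packets entering on the WAN interface whose source
is a private/non-routable address. Added illustration, not code from the post;
interface names, log format and addresses are constructed."""
import ipaddress
import re

# Source ranges that cannot legitimately originate on the Internet side:
# RFC 1918 private space plus loopback, link-local and "this network".
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

WAN_IFACE = "wan0"  # assumed name of the router's external interface


def is_bogon_source(src: str) -> bool:
    """True if src falls in a range that should never arrive from outside."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)


def verdict(iface: str, src: str) -> str:
    """Ingress rule: bogon sources on the WAN interface are dropped, all else accepted."""
    if iface == WAN_IFACE and is_bogon_source(src):
        return "DROP"
    return "ACCEPT"


def guess_hops(ttl: int) -> int:
    """Hop estimate assuming the sender used a common initial TTL (64/128/255).
    The true initial value is unknown, so this is only a guess, as the post notes."""
    initial = next(i for i in (64, 128, 255) if i >= ttl)
    return initial - ttl


# Constructed log lines in a netfilter-style "IN=<iface> SRC=<ip> ... TTL=<n>" form.
SAMPLE_LOG = """\
May  2 13:58:01 fw kernel: IN=wan0 SRC=192.168.1.77 DST=203.0.113.5 TTL=113
May  2 13:58:04 fw kernel: IN=wan0 SRC=198.51.100.9 DST=203.0.113.5 TTL=52
May  2 13:58:09 fw kernel: IN=lan0 SRC=192.168.1.77 DST=203.0.113.5 TTL=128
May  2 13:58:15 fw kernel: IN=wan0 SRC=10.4.4.4 DST=203.0.113.5 TTL=240
"""
LOG_RE = re.compile(r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) .*TTL=(?P<ttl>\d+)")


def audit_log(text: str) -> list:
    """Return (iface, src, verdict, estimated_hops) for each parsable line."""
    out = []
    for m in (LOG_RE.search(l) for l in text.splitlines()):
        if m:
            out.append((m["iface"], m["src"], verdict(m["iface"], m["src"]),
                        guess_hops(int(m["ttl"]))))
    return out
```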



