[Dshield] routing 192.168...?

Daniel Cherton dcherton at aei.ca
Mon May 2 14:52:25 GMT 2005


Thanks Stephane.

I will look into those packets once I am finished with the setup.
All the packets are dropped at the first point of entry, so I think I am 
not too worried.
I received quite a few with a "valid" IP. Do you think comparing the 
headers could yield some more info
if they have the same origin?

Stephane Grobety wrote:

>Hello Daniel,
>
>IPs with private source addresses are only blocked by ISPs that do
>some form of egress filtering and even then, it's not always the case
>and most often only at the periphery.
>
>It's a shame really: that kind of filtering would really cut down the
>nuisance capacity of machines inside the ISP's own network but, on the
>other hand, it's not really a sales argument, it costs money. So few
>are doing it and far from enough for filtering to be really effective.
>
>You can check the TTL by looking at the raw IP headers (for instance,
>with Ethereal). But it won't tell you much as you'll only have the
>final value, not the initial one, and therefore cannot know the exact
>number of hops.
>
>The best would be to set up your router to drop all packets with a
>private IP in the source field that hit the external interface. If
>that's not possible, then I'm afraid you'll have to live with it:
>tracing spoofed traffic is next to impossible. Trust me, I know: for 8
>months, some Dutch idiot tried to use my DNS server as a traffic
>amplifier by sending it requests for the root with a spoofed IP
>address (the actual victim). I was unable to trace the traffic and my
>ISP refused to even pursue it (I can't blame them, really: in order to
>do that, you have to follow the physical path of the packets to know
>what gateway they come from and then ask the next party to do the same
>until you reach the source).
>
>Good luck,
>Stephane
>
>Monday, May 2, 2005, 6:09:56 AM, you wrote:
>
>DC> Hi Chris,
>
>DC> I know that the source is not used for routing but I thought that private 
>DC> addresses are supposed to be blocked by ISPs.
>DC> Not mandatory, but they should. After all, an ISP could use that address 
>DC> on their own private network?
>DC> How can I check the TTL? It happened 28 times today. For me the source 
>DC> becomes that private address, no routing possible.
>DC> My first line is a router/firewall, everything is blocked, I then have 
>DC> ZoneAlarm in every machine.
>



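As an added illustration of the two points in Stephane's reply (reading the TTL from the raw IP header, and dropping packets with an RFC 1918 source that arrive on the external interface), here is example code that is not part of this thread. It parses a constructed 20-byte IPv4 header, flags non-routable source addresses with Python's ipaddress module, and lists the hop counts each common initial TTL would imply, which shows why the observed TTL alone cannot give the exact distance.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def build_header(src, dst, ttl, proto=6):
    """Constructed sample header (no options, checksum left at 0)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 40, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(raw):
    """Return TTL, protocol, source and destination from raw header bytes."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    _, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    return {"ttl": ttl, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}

def is_bogon_source(addr):
    """Source addresses that should never arrive on an external interface:
    RFC 1918 space and the other non-routable ranges ipaddress knows about."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved)

def candidate_hops(ttl):
    """Hop counts implied by each common initial TTL (64, 128, 255).
    Several stay plausible, so the final TTL alone does not fix the distance."""
    return {init: init - ttl for init in (64, 128, 255) if ttl <= init}

def ingress_verdict(raw):
    """Decide whether a packet seen on the external interface should be dropped."""
    hdr = parse_ipv4_header(raw)
    return {"drop": is_bogon_source(hdr["src"]), "src": str(hdr["src"]),
            "ttl": hdr["ttl"], "hops": candidate_hops(hdr["ttl"])}

# Constructed samples: a spoofed RFC 1918 source and a placeholder public source.
SPOOFED = build_header("192.168.1.5", "11.22.33.44", ttl=117)
LEGIT = build_header("11.22.33.44", "192.168.1.5", ttl=52)

if __name__ == "__main__":
    for pkt in (SPOOFED, LEGIT):
        print(ingress_verdict(pkt))
```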



