[Dshield] ping-scanned by unregistered address: am I getting this right ?

Witt, Allen DAVID.A.WITT at saic.com
Tue Oct 4 17:28:58 GMT 2005


Stephane,

If you use ARIN (or anything except RIPE) to get the IP registration, the
results will generally be something that refers you to where the address is
actually registered. I ran the address through RIPE and got the following:

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag
% Information related to '85.74.128.0 - 85.74.191.255'
inetnum:         85.74.128.0 - 85.74.191.255
netname:         FREENET-POOL-NET
descr:           freenet Cityline GmbH
              Willstaetterstrasse 13
              40549 Duesseldorf
              Germany
country:         DE
admin-c:         FCL-RIPE
tech-c:          NMC-RIPE
status:          ASSIGNED PA 
remarks:         ****************************************************
remarks:         * please report spam/abuse mailto:abuse at pppool.de  *
remarks:         * reports to other addresses will not be processed *
remarks:         ****************************************************
mnt-by:          ROKA-MNT
source:          RIPE # Filtered
role:            freenet Cityline Network Management
address:         freenet Cityline GmbH
address:         Hamburger Chaussee 2-4
address:         24114 Kiel
address:         Germany
e-mail:          tech-c at mcbone.net
admin-c:         FCL-RIPE
tech-c:          JR1741-RIPE
tech-c:          KRD2
tech-c:          SH-RIPE
tech-c:          SW817-RIPE
nic-hdl:         FCL-RIPE
remarks:         ****************************************************
remarks:         * please report spam/abuse mailto:abuse at pppool.de  *
remarks:         * reports to other addresses will not be processed *
remarks:         ****************************************************
mnt-by:          ROKA-MNT
source:          RIPE # Filtered
role:            Network Management
address:         freenet Cityline GmbH
address:         Network Managment Center
address:         Juri Gagarin Ring 88
address:         99084 Erfurt
address:         Germany
phone:           +49 361 594 2961
fax-no:          +49 361 594 2266
e-mail:          nmc at freenet-ag.de
admin-c:         NMC-RIPE
tech-c:          FN507-RIPE
tech-c:          RH6905-RIPE
tech-c:          SR902-RIPE
tech-c:          JP1259-RIPE
nic-hdl:         NMC-RIPE
remarks:         ****************************************************
remarks:         * please report spam/abuse mailto:abuse at pppool.de  *
remarks:         * reports to other addresses will not be processed *
remarks:         ****************************************************
mnt-by:          ROKA-MNT
source:          RIPE # Filtered
% Information related to '85.72.0.0/14AS5430'
route:           85.72.0.0/14
descr:           freenet Cityline GmbH
              Willstaetterstrasse 13
              40549 Duesseldorf
              Germany
origin:          AS5430
remarks:         ****************************************************
remarks:         * please report spam/abuse mailto:abuse at pppool.de  *
remarks:         * reports to other addresses will not be processed *
remarks:         ****************************************************
mnt-by:          ROKA-MNT
source:          RIPE # Filtered


So, the address is registered. It also resolves through DNS as
Jbf46.j.pppool.de. 

Allen Witt - MCSE, CISSP
Network Security Administrator

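The lookup described in the reply above, as an added example that is not part of the original thread: a small parser for the RPSL text a RIPE whois query returns. It finds the inetnum object whose range covers the scanning host, pulls the abuse mailbox out of the remarks (this 2005 object has no abuse-mailbox attribute yet, so the contact lives in free text), and reads the origin AS from the route object, which is the answer to "why is it routed". The sample input is a constructed, abridged copy of the inetnum and route objects quoted above, with the archive's obfuscated "abuse at pppool.de" restored to a real mailbox; the function names are mine. Live output would come from `whois -h whois.ripe.net 85.74.191.70`, and querying a different registry first (ARIN, for instance) would only return a referral to RIPE NCC, which is what made the address look unregistered.

```python
import ipaddress
import re

# Constructed sample input: the inetnum and route objects from the RIPE answer
# quoted above, abridged; "abuse at pppool.de" restored to a mailbox.
SAMPLE_WHOIS = """\
% Information related to '85.74.128.0 - 85.74.191.255'
inetnum:         85.74.128.0 - 85.74.191.255
netname:         FREENET-POOL-NET
descr:           freenet Cityline GmbH
              Willstaetterstrasse 13
              40549 Duesseldorf
              Germany
country:         DE
remarks:         * please report spam/abuse mailto:abuse@pppool.de  *
source:          RIPE # Filtered
% Information related to '85.72.0.0/14AS5430'
route:           85.72.0.0/14
descr:           freenet Cityline GmbH
origin:          AS5430
source:          RIPE # Filtered
"""

# Keys that open a new RPSL object. RIPE's filtered output can run objects
# together without a blank line (as above), so a blank line OR one of these
# keys ends the current object.
OBJECT_TYPES = {"inetnum", "inet6num", "route", "route6", "role", "person", "organisation"}
ATTR_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_rpsl(text: str) -> list[dict[str, list[str]]]:
    """Split whois output into objects: attribute name -> list of values."""
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("%"):  # server comments and section headers
            continue
        m = ATTR_RE.match(line)
        if not line or (m and m.group(1) in OBJECT_TYPES and current):
            if current:
                objects.append(current)
            current, last_key = {}, None
        if m:
            current.setdefault(m.group(1), []).append(m.group(2))
            last_key = m.group(1)
        elif line and last_key:
            # indented continuation of the previous attribute (multi-line descr)
            current[last_key][-1] += " " + line.strip()
    if current:
        objects.append(current)
    return objects


def find_assignment(objects, ip: str):
    """Most specific inetnum whose 'start - end' range covers ip, else None."""
    addr = ipaddress.ip_address(ip)
    best, best_span = None, float("inf")
    for obj in objects:
        for value in obj.get("inetnum", []):
            start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            if start.version != addr.version or not start <= addr <= end:
                continue
            if int(end) - int(start) < best_span:
                best, best_span = obj, int(end) - int(start)
    return best


def find_origin_as(objects, ip: str):
    """Origin AS from the route object covering ip (who announces the prefix)."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        for prefix in obj.get("route", []) + obj.get("route6", []):
            if addr in ipaddress.ip_network(prefix, strict=False):
                return obj["origin"][0]
    return None


def abuse_contacts(obj) -> list[str]:
    """Report mailboxes: abuse-mailbox where present, else e-mail/remarks text."""
    found = []
    for key in ("abuse-mailbox", "e-mail", "remarks"):
        for value in obj.get(key, []):
            for mbox in EMAIL_RE.findall(value):
                if mbox not in found:
                    found.append(mbox)
    return found


def summarize(text: str, ip: str) -> dict:
    """Is ip assigned, to whom, from which AS, and where do abuse reports go?"""
    objects = parse_rpsl(text)
    assignment = find_assignment(objects, ip)
    if assignment is None:
        return {"ip": ip, "registered": False}
    return {
        "ip": ip,
        "registered": True,
        "inetnum": assignment["inetnum"][0],
        "netname": assignment["netname"][0],
        "country": assignment.get("country", ["?"])[0],
        "abuse": abuse_contacts(assignment),
        "origin": find_origin_as(objects, ip),
    }
```

Calling `summarize(SAMPLE_WHOIS, "85.74.191.70")` returns the FREENET-POOL-NET assignment, abuse@pppool.de as the report address and AS5430 as origin; an address outside every inetnum in the answer comes back as `registered: False`, which is the case to double-check against the other registries before concluding a block is unallocated.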

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Stephane Grobety
Sent: Tuesday, October 04, 2005 11:16 AM
To: 'General DShield Discussion List'
Subject: [Dshield] ping-scanned by unregistered address: am I getting this right ?


Hello everyone,

One of my networks just got ping-scanned by a machine sitting on IP
85.74.191.70. Now, when I do a whois lookup on this IP, I get back the RIPE
Amsterdam center network.

Am I right in guessing that this IP is actually unregistered to anyone and
therefore shouldn't be used? If so, why is it routed? It seems to end up
in Dusseldorf (guessing by the route, although there seems to be a spelling
mistake).

Thanks,
Stephane
