


Security Incidents: Re: Scans From 192.168.0.134

Re: Scans From 192.168.0.134

From: Jon O. <jono_at_MICROSHAFT.ORG>
Date: Thu, 1 Feb 2001 09:51:27 -0800

Doug seems to have sent this message because he didn't understand how
these 'non-routable' addresses are getting picked up by his IDS that
traverses his 'main' router. I assume main router means border router, or
the router that carries his internet traffic. Also, the term
'non-routable' is really causing some problems for many people so I hope
this can help stop the confusion. They are called non-routable because
*you* are NOT SUPPOSED to route them. If you use these addresses in your
LAN, block them from leaving your border with ACLs because they should be
translated (to a routable, valid address) before they leave your network.
Many ISPs block these addresses at the edges and core parts of their
networks. I figure Doug's ISP might not block these addresses so a network
close to his is sending these packets. I say close because they should
have gotten picked off by some anti-spoofing, anti-RFC1918 ACLs if they
hit an ISP with even a little clue.

NMAP scans can send a bogus source, but you shouldn't be allowing RFC1918
addresses into or out of your network in the first place. If you see them,
tell your ISP that you want them to block these addresses also. If you're
not part of the solution...

Thanks,
Jon

Chief Network Henchman
http://www.securityreports.com

On Thu, 1 Feb 2001, Alan Hannan wrote:

> NMAP allows one to send bogus source IP addresses along w/
> real probes to obfuscate the source. Could it be that these
> scans are mated with other IP addresses?
>
> -alan
>
> Thus spake Douglas P. Brown (Doug_at_UNC.EDU)
> on or about Thu, Feb 01, 2001 at 10:29:57AM -0500:
> > We are somewhat perplexed - Our IDS reported 8000+ SYN FIN scans from a
> > non-routable address (192.168.0.134) to thousands of our hosts
> > yesterday. Our IDS setup is only seeing traffic that traverses our main
> > router. Has anyone seen this before? Am I missing something? Any
> > advice or direction you can offer would be greatly appreciated.
> >
> > Cheers,
> > -DpB
> > --
> >
> > Douglas P. Brown
> > University of North Carolina
> > I.T. Security Consultant
> > 105 Abernethy Hall
>
Received on Feb 01 2001
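
The border rule described in the reply above (no RFC1918 address should cross the border in either direction) can be checked against IDS or flow records. The following is an added example, not part of the original thread; the `direction src dst flags` record format, the function names and all sample records are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# The three RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def check_border_record(direction, src, dst):
    """Return why a packet seen on the border link should have been dropped, or None."""
    if is_rfc1918(src):
        if direction == "in":
            # Spoofed, or leaked by a neighbouring network that does not filter.
            return "inbound-private-source"
        # Left the LAN without being translated to a routable address.
        return "outbound-private-source"
    if is_rfc1918(dst):
        return "private-destination"
    return None

def summarize(lines):
    """Count violations per (reason, source) over 'direction src dst flags' lines."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, src, dst, _flags = line.split()
        reason = check_border_record(direction, src, dst)
        if reason:
            hits[(reason, src)] += 1
    return hits

# Constructed sample records. Only the 192.168.0.134 source comes from the
# thread; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE = """\
in  192.168.0.134 198.51.100.10 SF
in  192.168.0.134 198.51.100.11 SF
in  203.0.113.7   198.51.100.10 S
out 10.1.2.3      203.0.113.7   S
out 198.51.100.10 203.0.113.7   SA
out 198.51.100.10 172.16.5.5    S
"""

if __name__ == "__main__":
    for (reason, src), n in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"{reason:26} {src:15} {n}")
```

Any non-empty result means a filter is missing somewhere: inbound hits point at the upstream edge, outbound hits at the local border ACL or NAT configuration.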
