Re: Whois 172/12

["Patrick W. Gilmore" <patrick () ianai net>]

Read RFC1918.

Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.

But that is not guaranteed.  A packet with a source address of 172.0.x.x could be hitting his machine.  Depends on how 
well you filter.  Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc.  
He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above).

-- 
TTFN,
patrick


On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:

> As far as I know, 172.0.1.216 is not assigned, yet.
>
> whois -h whois.arin.net 172.0.1.216
> [whois.arin.net]
> #
> # Query terms are ambiguous.  The query is assumed to be:
> #     "n 172.0.1.216"
> #
> # Use "?" to get help.
> #
>
> No match found for 172.0.1.216.
>
>
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
>
> Also, when you check BGP routing table, it is not routed at all.
>
> route-server.as3257.net>sh ip bgp 172.0.1.216
> % Network not in table
> route-server.as3257.net>
>
> So it seems like forged IP address.
>
> Alex
>
>
> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <ted () fred net> wrote:
> > Hi all,
> >
> >   Tearing what's left of my hair out.
> >
> >   A customer is getting scanned by a host claiming to be "172.0.1.216".
> >
> >   I know this is bogus, but I want to go back to the customer with as
> > much authoritative umph as I can (heaven forbid they just take my
> > word).
> >
> >   I'm pretty sure I read somewhere once that 172/12 was "reserved" or
> > something like that.  All I can find now is that 172/8 is "administered by
> > ARIN".  Lots of information on 172.16/12, but not a peep about
> > 172/12.
> >
> >   If anybody could provide some insight as to the
> > allocation/non-allocation of this block, it would be much appreciated.
> >
> >   Thanks.
> >
> > Ted Fischer