nanog mailing list archives

Re: Can a prefix be never routed on Internet but used only for source address in IP packets?

From: Jonathan Kalbfeld via NANOG <nanog () lists nanog org>
Date: Tue, 19 Aug 2025 12:56:21 -0700

There are other reasons to do it intentionally. You can use 10/8 to exfiltrate data. So you could have a receiving 
system that catalogs every 10.x IP address and then assembles them in order for a bit stream. You can exfiltrate data 
pretty quickly. Think of it like a number station.
 
Jonathan Kalbfeld

 office: +1 310 317 7933
 fax:    +1 310 317 7901
 home:   +1 310 317 7909
 mobile: +1 310 227 1662

 ThoughtWave Technologies, Inc.
 Studio City, CA 91604

https://thoughtwave.com

View our network at https://bgp.he.net/AS54380

+1 844 42-LINUX
 
On Aug 19, 2025 at 12:13 PM, Joe Greco via NANOG  <nanog () lists nanog org>  wrote:
 
 On Tue, Aug 19, 2025 at 07:10:54PM +0200, Bill Woodcock via NANOG wrote:
 Sure. A large American mobile operator did that with a lot of their DNS traffic for a couple of months. :-)
 
 Of course you may be talking about doing it _intentionally_. I don't know of a reason to do it, but sure, it can 
be done. It'll get dropped by anybody running uRPF. 

I don't remember if it was at SANE 2000 or 2002, but I was talking
with a gentleman who was discussing network security with me and he
described that his employer had just patented his technique for
discovering "leaks", rogue connections, etc., in a secured network.
He was being very mysterious so I asked him how his technique was
different than the classic trawling around shooting packets with 
various source addresses at various targets within a network. Which
is what they thought was unique and patentable.

So the point is that if you have an unrouted prefix, you can monitor
the authorized uplink from a network to see if traffic sprayed within
the network is seeing plausible response traffic addressed to that
unrouted prefix, but also if you happen to have a ROUTABLE prefix, you
can also detect rogue uplinks and stuff like that by seeing what does
actually arrive at the routed network.

This is not exactly what the OP asked about, but it is in the same
ballpark and may be interesting to someone. The ICMP response answer
posted by Mr. Heitz is obviously more common as are the accidental
misconfiguration class of answers.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI -  http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HEOW6YA7H7FS5IRR4LIPXNV4Q7FESVK6/
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/PLFI75KYZXX7AZW7JLM2YL6MYW56CSGZ/
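The thread above describes two uses of a prefix that is sourced but never routed: Jonathan Kalbfeld's exfiltration channel (data carried in the 10.x source addresses of packets, reassembled in order at a collector) and Joe Greco's leak hunt (spray packets with an unrouted source inside a network and watch the authorized uplink for replies addressed to that prefix), with Bill Woodcock's caveat that uRPF drops such packets. The following is an added example written for this page, not code posted by any of the participants. It sends nothing; addresses and flows are constructed inline. The bit layout inside 10/8 (8 bits of sequence number, 16 bits of payload, length in chunk 0), the customer prefix 203.0.113.0/24 and the canary prefix 198.18.0.0/15 are this example's own assumptions, chosen from documentation and benchmarking space rather than anything in the thread.

```python
"""
Added example (not from the NANOG thread or its authors): a toy covert channel
that carries a byte stream in the host bits of spoofed 10.0.0.0/8 source
addresses, plus the two border checks the thread mentions, a strict-uRPF source
test and an uplink watch for a never-routed canary prefix. No packets are sent.
"""
from __future__ import annotations

import ipaddress

CHANNEL = ipaddress.ip_network("10.0.0.0/8")

# Assumed layout of the 24 host bits of 10.x.y.z (this example's choice, not the
# thread's): the high 8 bits carry a sequence number so the receiver can reorder,
# the low 16 bits carry two payload bytes. Chunk 0 holds the message length.
SEQ_BITS = 8
CHUNK = 2


def encode(data: bytes) -> list[str]:
    """Turn `data` into the ordered list of 10/8 source addresses to spoof."""
    stream = len(data).to_bytes(CHUNK, "big") + data
    if (len(stream) + CHUNK - 1) // CHUNK > (1 << SEQ_BITS):
        raise ValueError("message too long for an 8-bit sequence space")
    addrs = []
    for seq, off in enumerate(range(0, len(stream), CHUNK)):
        payload = stream[off:off + CHUNK].ljust(CHUNK, b"\x00")
        host = (seq << 16) | int.from_bytes(payload, "big")
        addrs.append(str(CHANNEL.network_address + host))
    return addrs


def decode(seen: list[str]) -> bytes | None:
    """Reassemble the stream from source addresses observed in any order, with
    duplicates and unrelated traffic mixed in. Returns None if a chunk is missing."""
    chunks: dict[int, bytes] = {}
    for a in seen:
        ip = ipaddress.ip_address(a)
        if ip not in CHANNEL:
            continue  # ordinary traffic, not part of the channel
        host = int(ip) - int(CHANNEL.network_address)
        chunks[host >> 16] = (host & 0xFFFF).to_bytes(CHUNK, "big")
    if 0 not in chunks:
        return None
    length = int.from_bytes(chunks[0], "big")
    n = (length + CHUNK - 1) // CHUNK
    if any(seq not in chunks for seq in range(1, n + 1)):
        return None  # a chunk was lost, or filtered, on the way
    return b"".join(chunks[seq] for seq in range(1, n + 1))[:length]


def urpf_accepts(src: str, iface_routes: list[str]) -> bool:
    """Strict uRPF on the ingress interface: forward only if the router has a
    route back to the source out that same interface. 10/8 never qualifies on
    an internet-facing edge, so the whole channel is dropped there."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in iface_routes)


def canary_hits(uplink_flows: list[tuple[str, str]], canary: str) -> list[tuple[str, str]]:
    """Flag flows on the authorized uplink addressed to a prefix that is never
    routed there: a reply to a sprayed probe means something inside answered
    and some path carried it out."""
    net = ipaddress.ip_network(canary)
    return [(s, d) for s, d in uplink_flows if ipaddress.ip_address(d) in net]


def demo() -> bool:
    msg = b"hello, nanog"
    addrs = encode(msg)  # what the sender spoofs, in order
    # Constructed receiver view: reversed order, one duplicate, unrelated sources.
    seen = addrs[::-1] + [addrs[3], "192.0.2.1", "198.51.100.7"]
    reassembled = decode(seen) == msg
    # Drop one chunk, as a filtering edge would: no stream comes out.
    lost = decode([a for a in addrs if a != addrs[4]]) is None
    # Constructed customer edge that routes only 203.0.113.0/24 toward the customer.
    filtered = not urpf_accepts(addrs[1], ["203.0.113.0/24"])
    # Constructed uplink flows with 198.18.0.0/15 as the never-routed canary.
    hits = canary_hits([("203.0.113.9", "198.51.100.5"),
                        ("203.0.113.9", "198.18.4.2")], "198.18.0.0/15")
    return reassembled and lost and filtered and hits == [("203.0.113.9", "198.18.4.2")]


if __name__ == "__main__":
    print("all checks passed" if demo() else "mismatch")
```

The receiver in `decode` only needs to see the addresses, not the packet contents, which is why a simple connection log or flow export on the collector side is enough to rebuild the stream; conversely, `urpf_accepts` shows that a single strict-uRPF or bogon filter on the path discards every chunk, and the channel degrades to nothing rather than to partial data.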