RE: help - can someone explain this to me?

From: Robert Clark (rclark@texascellular.com)
Date: 10/29/01


From: "Robert Clark" <rclark@texascellular.com>
To: "'Andrew Blevins'" <ABlevins@arrowheadgrp.com>, "'scott [gts]'" <scott@graphictype.com>, "'security-basics'" <security-basics@security-focus.com>
Subject: RE: help - can someone explain this to me?
Date: Mon, 29 Oct 2001 12:36:43 -0600
Message-ID: <000501c160a8$aa5676d0$fdfea8c0@ISDesktop>

The 10.0.*, 127.*, and 192.* are not routable addresses; they are
'reserved'. I don't recall ever seeing ISPs using a 10. address as a
public IP. I would wonder if I did.

Robert Clark
MCSE, MCP+I, MCP, A+
MIS - Texas Cellular

> -----Original Message-----
> From: Andrew Blevins [mailto:ABlevins@arrowheadgrp.com]
> Sent: Friday, October 26, 2001 5:02 PM
> To: 'scott [gts]'; security-basics
> Subject: RE: help - can someone explain this to me?
>
>
> That these reserved addresses can't be routed I don't think
> is entirely true (but I'm not a network spec. either! :-). I
> have seen many ISPs use 10. addresses for their own routers,
> and for all intents and purposes "The Internet" includes
> some ISP networks (cable, DSL). It is very possible that
> someone is spoofing those 10. addresses, and they are still
> being routed through to your box. Many times a DoS contains
> many spoofed source addresses.
>
> Andrew Blevins
> Arrowhead Help Desk
> 1-800-669-1889
> x. 8569
>
>
> -----Original Message-----
> From: scott [gts] [mailto:scott@graphictype.com]
> Sent: Friday, October 26, 2001 12:26 PM
> To: security-basics
> Subject: RE: help - can someone explain this to me?
>
>
>
> I'm pretty sure that 10.*, 127.* and 198.* are not routable
> on the Internet (which is why so many LANs use them), so it
> looks like whatever happened to your machine is coming from
> inside the LAN where your machine is hosted.
>
> Perhaps a machine that the ISP hosts is infected with
> something and throwing out packets to everything on the
> LAN...? (Maybe it's another damn IIS worm, since it appears
> that your ISP hosts mostly NT/IIS machines.)
>
> But don't take my word, that's just speculation; I'm
> not a networking specialist or anything.
>
> > -----Original Message-----
> > From: Steven M Bloomfield [mailto:steven@root101.com]
> > Subject: help - can someone explain this to me?
> >
> > Hi,
> > I'm webmaster of a large-ish website and yesterday the server went down.
> > It is a Redhat 6.1 Linux server. All my ISP would do was press the 'reset'
> > button - very kind of them (they are NT specialists). Inspecting my
> > log files I found thousands of denied packets, all seem to be
> > within a period of 6 hours.
> > My question is, could such an attack disable my machine and crash it?
> > Can anyone identify what sort of attack it was?
> >
> > Here's a summary below:
> >
> > Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136).
> > Port https (tcp,eth0,input): 5 packet(s).
> > Total of 5 packet(s).
> >
> > Denied packets from 10.10.71.237.
> > Port netbios-dgm (udp,eth1,input): 69 packet(s).
> > Port netbios-ns (udp,eth1,input): 333 packet(s).
> > Total of 402 packet(s).
> >
> > Denied packets from 10.10.0.4.
> > Port netbios-dgm (udp,eth1,input): 496 packet(s).
> > Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > Total of 3421 packet(s).
> >
> > Denied packets from userSg017.videon.wave.ca (204.112.48.37).
> > Port 500 (udp,eth0,input): 6 packet(s).
> > Total of 6 packet(s).
> >
> > Denied packets from 207.190.199.102.
> > Port https (tcp,eth0,input): 11 packet(s).
> > Total of 11 packet(s).
> >
> > Denied packets from 10.10.32.21.
> > Port netbios-dgm (udp,eth1,input): 338 packet(s).
> > Port netbios-ns (udp,eth1,input): 1742 packet(s).
> > Total of 2080 packet(s).
> >
> > Denied packets from 172.17.0.18.
> > Port 1434 (udp,eth1,input): 2 packet(s).
> > Total of 2 packet(s).
> >
> > Denied packets from 10.10.1.37.
> > Port netbios-dgm (udp,eth1,input): 496 packet(s).
> > Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > Total of 3421 packet(s).
> >
> > Denied packets from 10.10.32.27.
> > Port netbios-dgm (udp,eth1,input): 59 packet(s).
> > Port netbios-ns (udp,eth1,input): 324 packet(s).
> > Total of 383 packet(s).
> >
> > Denied packets from 10.10.32.28.
> > Port netbios-dgm (udp,eth1,input): 107 packet(s).
> > Port netbios-ns (udp,eth1,input): 513 packet(s).
> > Total of 620 packet(s).
> >
> > Denied packets from 10.10.0.1.
> > Port 0 (tcp,eth1,input): 3 packet(s).
> > Total of 3 packet(s).
> >
> > Denied packets from 10.10.0.3.
> > Port bootpc (udp,eth1,input): 19 packet(s).
> > Port netbios-dgm (udp,eth1,input): 475 packet(s).
> > Port netbios-ns (udp,eth1,input): 2259 packet(s).
> > Total of 2753 packet(s).
> >
> > Thanks,
> > Steve
>
>
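
Added example, not part of the original thread: a Python script that tallies a denied-packet summary like the one quoted above by receiving interface and source-address class. The regular expressions assume the summary format shown in the post, SAMPLE is an excerpt of that summary, and the ranges checked are the RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus loopback (127.0.0.0/8).

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges plus loopback (assumption: the only classes of interest here).
RESERVED = {
    "rfc1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "loopback 127/8": ipaddress.ip_network("127.0.0.0/8"),
}

# Excerpt of the summary quoted in the original post.
SAMPLE = """\
Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136).
Port https (tcp,eth0,input): 5 packet(s).
Denied packets from 10.10.0.4.
Port netbios-dgm (udp,eth1,input): 496 packet(s).
Port netbios-ns (udp,eth1,input): 2925 packet(s).
Denied packets from 172.17.0.18.
Port 1434 (udp,eth1,input): 2 packet(s).
Denied packets from 207.190.199.102.
Port https (tcp,eth0,input): 11 packet(s).
"""

# Source line: optional reverse-DNS name followed by the address in parentheses.
SRC_RE = re.compile(r"Denied packets from (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\.")
# Port line: service, protocol, interface, packet count.
PORT_RE = re.compile(r"Port (\S+) \((\w+),(\w+),input\): (\d+) packet")

def classify(addr):
    """Return the reserved-range label for addr, or 'other'."""
    ip = ipaddress.ip_address(addr)
    for label, net in RESERVED.items():
        if ip in net:
            return label
    return "other"

def summarize(text):
    """Return {(interface, address_class): packet_count}."""
    totals = defaultdict(int)
    src = None
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quoting prefixes
        if m := SRC_RE.match(line):
            src = m.group(1)
        elif (m := PORT_RE.match(line)) and src:
            totals[(m.group(3), classify(src))] += int(m.group(4))
    return dict(totals)

if __name__ == "__main__":
    for (iface, cls), count in sorted(summarize(SAMPLE).items()):
        print(f"{iface:5} {cls:20} {count}")
```

Splitting the counts by interface shows which side of the host each class of source address arrived on, which a per-source listing does not make obvious.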

