Security Basics mailing list archives

RE: 192.168.x.x oddities


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Tue, 15 Jun 2004 17:17:24 -0700

> My understanding is that the entire 192.168.x.x range is for
> internal networks only (RFC 1918)

Private networks really, internal is such a limited word. Case in point,
some cablecos and telcos set up their public routing network as private
(10.) addresses but with public IPs on the edge routers. This allows

Someone who uses a provider with this setup will traceroute like this:

[shawn@apollo shawn]$ traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
 1  my-nat-router (192.168.1.1)  2.809 ms  1.429 ms  1.384 ms
 2  cust-edge-rtr (180.65.198.52)  3.097 ms  1.709 ms  1.530 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  so-1-1-0.edge1.sanjose1.level3.net (209.0.227.29)  10.955 ms  10.781 ms  10.963 ms
 8  so-1-2-0.bbr1.sanjose1.level3.net (209.244.3.137)  11.110 ms  11.202 ms  11.087 ms
 9  ge-5-2.core1.sanjose1.level3.net (64.159.2.165)  11.382 ms ge-4-2.core1.sanjose1.level3.net (64.159.2.133)  11.231 ms  11.066 ms
10  vnsc-bak.sys.gtei.net (4.2.2.2)  11.359 ms  11.343 ms  11.316 ms

I believe there was a NANOG discussion about this and this practice
violates an RFC or two, but I can't be too sure.

> I get what looks like four computers (in addition to mine),
> plus some x.0 and x.255 addresses responding to the pings.

If you are using a class C network, i.e. 192.168.1.0-255, .0 is your
network address and .255 is your broadcast address. Whichever system can
respond the quickest will respond to a broadcast echo request. Depending
on your network setup and systems, you sometimes cannot ping your network
address. But I have seen in some networks that the default router will
respond to network address echo requests.

> Am I therefore correct in my assumption that the ISP is
> routing my pings onto their internal network?

Possibly. It could also be other users in your area connected via the
same edge router.

> Is this a normal response?  It seems like there ought to be security
> concerns here, but I can't nail them down, except the
> assumption that traffic destined for 192.168.x.x addresses
> may not be filtered as well (or at all), since it may be
> assumed it originated from within the internal network.

If they are your ISP's systems, then there are some larger security
concerns. If they are local users in your area, then there are
/personal/ security issues.

It all depends on how the provider sets up their network and the ACLs on
the edge/cust routers. Some providers have a private/public pool that they
throw users into, while others use a completely public IP/routing
scheme. Everyone should ACL private IP address ranges at their edge
routers and loopback IPs, in addition to private protocols; there is no
reason that stuff should be flying around the network.

Also, your NAT box shouldn't even have shown those to you; usually they
are very good about blocking private IP address schemes, especially if
they fall within the range you are using against the LAN interface for
NAT translation. Hope you can find any of the above useful.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
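An added example (my own code, not from Shawn's message or the original poster): a small Python check that scans traceroute output for RFC 1918 or loopback hops that lie outside your own LAN, which is the leak the message describes, plus the network/broadcast lookup behind the .0/.255 remark. The sample traceroute is constructed; its 10.20.0.x hops are invented to show a provider that numbers its core from private space.

```python
import ipaddress
import re

# Blocks that should never be reachable across a provider's public network:
# the three RFC 1918 private ranges plus the loopback block Shawn mentions.
BOGON_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Matches "<hop>  <name> (<ipv4>)"; header lines and "* * *" hops do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?\((\d+\.\d+\.\d+\.\d+)\)")

# Constructed sample, modelled on the traceroute in the post but with a
# provider core numbered from 10/8 between the NAT router and the Internet.
SAMPLE_TRACE = """\
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
 1  my-nat-router (192.168.1.1)  2.809 ms  1.429 ms  1.384 ms
 2  10.20.0.1 (10.20.0.1)  3.097 ms  1.709 ms  1.530 ms
 3  10.20.0.9 (10.20.0.9)  4.112 ms  3.880 ms  3.901 ms
 4  * * *
 5  so-1-1-0.edge1.sanjose1.level3.net (209.0.227.29)  10.955 ms  10.781 ms  10.963 ms
 6  vnsc-bak.sys.gtei.net (4.2.2.2)  11.359 ms  11.343 ms  11.316 ms
"""


def is_bogon(addr):
    """True if addr falls in a private or loopback block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in BOGON_BLOCKS)


def leaked_private_hops(traceroute_text, local_lan):
    """Return (hop, ip) pairs that are private/loopback addresses outside the
    caller's own LAN, i.e. private space exposed by the provider's routing."""
    lan = ipaddress.ip_network(local_lan)
    leaks = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, ip = int(m.group(1)), m.group(2)
        if is_bogon(ip) and ipaddress.ip_address(ip) not in lan:
            leaks.append((hop, ip))
    return leaks


def special_addresses(cidr):
    """Network and broadcast addresses of a block (.0 and .255 for a /24)."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    print(leaked_private_hops(SAMPLE_TRACE, "192.168.1.0/24"))
    print(special_addresses("192.168.1.0/24"))
```

Hop 1 is your own NAT router and is expected; anything else the function reports is private address space your provider is routing past its edge.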