Security Basics mailing list archives
Re: Weird IP
From: Gary Douglas <dougary () gmail com>
Date: Mon, 2 Feb 2009 05:21:13 -0600
You might want to look into putting in an egress filter. On the network edge device, set up an ACL to drop all private IPs from entering your network. You should also set up a filter to only allow your IP address range out. Both of these are common practice.
Thank you,
Gary Douglas

On Jan 30, 2009, at 9:45 AM, Ansgar Wiechers wrote:

> On 2009-01-30 Joseph Hanna wrote:
> > I am working on a case of fraud in my little organisation where we are dealing with fraudulent credit cards. The only thing I can see is the IP address has been logged as 172.16.x.x but isn't that Class B internal? How are they doing this? I mean how are packets being routed between our web-server and that IP? Any recommendations other than my blanket block all Class A and Class B IPs?
>
> Yes, 172.16.0.0/12 is a private IP address range, as specified by RFC 1918. However, there's no such thing as class A or class B networks in this day and age anymore. Look up "Classless Inter-Domain Routing" to understand why that is.
>
> Anyway, usually it's no problem to send packets with private source IP addresses, because few routers on the Internet bother to check the source address field of a packet. It's pretty simple to do this kind of spoofing for UDP connections. For TCP it's a lot harder, because the protocol isn't stateless, but AFAIK it's doable if the attacker is able to guess the sequence numbers of response packets.
>
> Also AFAIK, it's legitimate (though not really a good idea) for a provider to use private IP addresses inside his own network, as long as packets traversing his network boundary are properly NATed. If the attacker and your server are on the same ISP's network, the use of private addresses may be valid.
>
> If the system was compromised, an attacker could also have altered the logs to clear his trails.
>
> For further help/analysis you need to give more information. You may also want to contact the authorities (in case you haven't already).
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches becoming available."
> --Jason Coombs on Bugtraq
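One way to check whether the ingress filter Gary describes is actually doing its job is to scan the web-server logs for hits whose source address lies in RFC 1918 space, the situation Joseph reports. The following is an added example, not code from the thread; the log lines are constructed in Apache combined format, and the 172.32.0.1 entry is included because it sits just outside 172.16.0.0/12 and must not be flagged.

```python
import ipaddress
import re

# Constructed sample log lines (Apache combined format), not taken from the thread.
SAMPLE_LOG = """\
172.16.4.20 - - [30/Jan/2009:09:12:01 +0000] "POST /checkout HTTP/1.1" 200 512
203.0.113.7 - - [30/Jan/2009:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.9 - - [30/Jan/2009:09:13:44 +0000] "POST /checkout HTTP/1.1" 200 498
172.32.0.1 - - [30/Jan/2009:09:14:02 +0000] "GET /cart HTTP/1.1" 200 1024
"""

# RFC 1918 private ranges. A packet from the Internet should never carry one of
# these as its source; an edge ACL would drop it. Seeing one in the web log means
# the filter is missing, the peer is inside the same ISP/NAT domain, or the log
# itself has been tampered with. Loopback is left out on purpose: local health
# checks legitimately appear as 127.0.0.1.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Source address, bracketed timestamp, and the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def is_private_source(ip_text):
    """True if the address falls inside RFC 1918 space; malformed input is not flagged."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_RANGES)


def flag_private_sources(log_text):
    """Return (timestamp, source_ip, request) for every line with a private source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_private_source(m.group(1)):
            hits.append((m.group(2), m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    for ts, ip, req in flag_private_sources(SAMPLE_LOG):
        print(f"{ts} private source {ip} reached the web server: {req}")
```

Any hit from this check is a signal to verify the edge ACL and the log integrity, not proof of spoofing on its own.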