nanog mailing list archives

Previous By Date Next
Previous By Thread Next

RE: General question on rfc1918

From: "Darden, Patrick S." <darden () armc org>
Date: Tue, 13 Nov 2007 10:14:28 -0500


They do.  What you are seeing are probably forged packets.  Nmap etc. all let you forge SIP, in fact they automate it.  
One Nmap mode actually actively obfuscates network scans by doing random SIPs--e.g. 10,000 random SIPs and one real 
one--this makes it hard to figure out who is actually scanning your networks.

Of course, if you don't filter incoming traffic on your inner interfaces, then the traffic could be from your own 
network.  A lot of people filter  only on their external ints:

        outgoing traffic limited to [mynetwork1, mynetwork2, mynetwork3]
        incoming traffic limited to [public IP addresses]

Make sense?

--Patrick Darden
--Internetworking Manager
--ARMC


-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
Drew Weaver
Sent: Tuesday, November 13, 2007 10:09 AM
To: nanog () merit edu
Subject: General question on rfc1918



        Hi there, I just had a real quick question. I hope this is found to be on topic.

Is it to be expected to see rfc1918 src'd packets coming from transit carriers?

We have filters in place on our edge (obviously) but should we be seeing traffic from 192.168.0.0 and 10.0.0.0 et 
cetera hitting our transit interfaces?

I guess I'm not sure why large carrier networks wouldn't simply filter this in their core?

Thanks,
-Drew
Previous By Date Next
Previous By Thread Next

Current thread: