Penetration Testing mailing list archives

RE: Traceroute Question


From: "Weaver, Woody" <woody.weaver () callisma com>
Date: Mon, 7 Apr 2003 08:25:14 -0700

My Question is why I am getting 192.168.226.38 non-route able address
output in traceroute reply? As far as i think these private address
space is not route able on the internet.

You are right, it is not routable.

However, that does not prevent an ISP from using it for transit addresses on router interfaces.  Remember, your (ICMP 
or UDP) packet is addressed to a.b.c.d, not to 192.168.226.38.  However, the TTL happens to hit zero on that interface, 
so it generates the return ICMP sourced from that address.

If the ISP is fully following RFC1918, this wouldn't happen -- you wouldn't see the return packet.  The RFC notes:

   It is strongly recommended that routers which connect enterprises to
   external networks are set up with appropriate packet and routing
   filters at both ends of the link in order to prevent packet and
   routing information leakage. An enterprise should also filter any
   private networks from inbound routing information in order to protect
   itself from ambiguous routing situations which can occur if routes to
   the private address space point outside the enterprise.

In practice, many ISPs only filter destination addresses of RFC1918 and not source, so that explains what you are 
seeing.

--woody

--------------------------------------------------------------
<b>Costs are climbing and complaints are rising
as SPAM overloads your e-mail servers and Inboxes
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it.
http://www.securityfocus.com/SurfControl-pen-test2
Download a free trial and see just
what's going in and out of your organization. </b>


Current thread: