
Off-list: Does this mean that any IP source spoof prevention mechanism needs an exception for ICMP error packets sourced from 192.0.0.8?

Yours,
Joel

On 8/19/2025 6:07 PM, Warren Kumari via NANOG wrote:
On Tue, Aug 19, 2025 at 3:56 PM, Jonathan Kalbfeld <nanog@lists.nanog.org> wrote:
There are other reasons to do it intentionally.
Yup, there are other intentional places where you can emit packets which are not announced.
For example, the Reserved IPv4 Dummy Address (192.0.0.8): RFC7600 - "IPv4 Residual Deployment via IPv6 - A Stateless Solution (4rd)" <https://datatracker.ietf.org/doc/rfc7600/> Sec 4.6: "R-22: If a CE or BR receives an ICMPv6 error message [RFC4443], it MUST synthesize an ICMPv4 error packet [RFC792]. This packet MUST contain the first 8 octets of the discarded packet's IP payload. The reserved IPv4 dummy address (192.0.0.8/32; see Section 6) MUST be used as its source address."
W
You can use 10/8 to exfiltrate data. So you could have a receiving system that catalogs every 10.x IP address and then assembles them in order for a bit stream. You can exfiltrate data pretty quickly. Think of it like a number station.
Jonathan Kalbfeld
office: +1 310 317 7933 fax: +1 310 317 7901 home: +1 310 317 7909 mobile: +1 310 227 1662
ThoughtWave Technologies, Inc. Studio City, CA 91604
View our network at
+1 844 42-LINUX
On Aug 19, 2025 at 12:13 PM, Joe Greco via NANOG <nanog@lists.nanog.org> wrote:
On Tue, Aug 19, 2025 at 07:10:54PM +0200, Bill Woodcock via NANOG wrote:
Sure. A large American mobile operator did that with a lot of their DNS traffic for a couple of months. :-)
Of course you may be talking about doing it _intentionally_. I don't know of a reason to do it, but sure, it can be done. It'll get dropped by anybody running uRPF.
I don't remember if it was at SANE 2000 or 2002, but I was talking with a gentleman who was discussing network security with me and he described that his employer had just patented his technique for discovering "leaks", rogue connections, etc., in a secured network. He was being very mysterious so I asked him how his technique was different than the classic trawling around shooting packets with various source addresses at various targets within a network. Which is what they thought was unique and patentable.
So the point is that if you have an unrouted prefix, you can monitor the authorized uplink from a network to see if traffic sprayed within the network is seeing plausible response traffic addressed to that unrouted prefix, but also if you happen to have a ROUTABLE prefix, you can also detect rogue uplinks and stuff like that by seeing what does actually arrive at the routed network.
This is not exactly what the OP asked about, but it is in the same ballpark and may be interesting to someone. The ICMP response answer posted by Mr. Heitz is obviously more common as are the accidental misconfiguration class of answers.
... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" -Asimov

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/HEOW6YA7H7FS5IRR4LIPXNV4Q7FESVK6/
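Joel's off-list question above is about whether an anti-spoofing filter needs a carve-out for the RFC 7600 dummy address. The following is an added example, not code from the thread or from any router vendor: it models an ingress decision function that applies the narrow exception as R-22 describes it, admitting 192.0.0.8 only as the source of an ICMPv4 error message whose quoted datagram carries an IPv4 header plus at least 8 octets of payload, and dropping it for anything else. The permitted prefix, the sample packets and the `Packet` structure are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Reserved IPv4 dummy address that RFC 7600 R-22 requires as the source of
# ICMPv4 errors synthesized from ICMPv6 errors.
RFC7600_DUMMY = ipaddress.ip_address("192.0.0.8")
# ICMPv4 error message types per RFC 792: destination unreachable (3),
# source quench (4), time exceeded (11), parameter problem (12).
ICMPV4_ERROR_TYPES = {3, 4, 11, 12}
# Constructed: the one customer prefix this interface legitimately sources.
PERMITTED = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Packet:
    src: str
    proto: int                       # 1 = ICMP, 6 = TCP, 17 = UDP
    icmp_type: Optional[int] = None
    icmp_payload: bytes = b""        # quoted datagram carried by an ICMP error


def quoted_datagram_ok(payload: bytes) -> bool:
    """An ICMPv4 error must quote the original IPv4 header + 8 octets."""
    if len(payload) < 20:
        return False
    version = payload[0] >> 4
    ihl = (payload[0] & 0x0F) * 4
    return version == 4 and ihl >= 20 and len(payload) >= ihl + 8


def ingress_decision(pkt: Packet, permitted=PERMITTED) -> str:
    """Strict source check with only the RFC 7600 R-22 exception."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in prefix for prefix in permitted):
        return "accept"
    if src == RFC7600_DUMMY:
        if (pkt.proto == 1 and pkt.icmp_type in ICMPV4_ERROR_TYPES
                and quoted_datagram_ok(pkt.icmp_payload)):
            return "accept-rfc7600-error"
        return "drop-dummy-misuse"   # dummy address used for anything else
    return "drop-spoof"


# Constructed sample: a minimal 20-byte IPv4 header (UDP, 198.51.100.7 ->
# 203.0.113.9) followed by the 8-octet UDP header of the discarded packet.
SAMPLE_QUOTE = (bytes([0x45, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00,
                       0x40, 0x11, 0x00, 0x00])
                + bytes([198, 51, 100, 7]) + bytes([203, 0, 113, 9])
                + bytes([0xC3, 0x50, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00]))
```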