CYMRU has 7/8 listed as a bogon:
http://www.cymru.com/Documents/bogon-dd.html

Their list is more or less authoritative, so I would believe that you should never see traffic from that netblock. This is also consistent with Sprint blackholing it as a bogon in your original post.

That said, it doesn't mean that the netblock is unused. Most likely it is a netblock that DoD actually uses, but it is only routed on DoD's private backbone and never on the Internet.

If you are seeing traffic to/from that netblock, there are two possibilities that come to mind:

1) Spoofed source IPs on UDP and ICMP traffic.
2) If it is TCP traffic, then probably someone has hijacked the netblock and is publishing BGP routes to it.

Hijacking unallocated netblocks has been a common spamming technique for at least 10 years -- although with today's botnets it does not appear to be as commonly used (IMHO). Also, the spammers usually try to hide within smaller unallocated netblocks (< /16) of allocated netblocks (a little less obvious and less likely to be blackholed).

If you are seeing traffic to/from this netblock, PLEASE do a traceroute back to that IP -- in fact do several from different networks -- to make it easier for law enforcement to trace back to the hijacker. Also, try using something smarter than standard traceroute, such as:
http://www.paris-traceroute.net/

If you are seeing traffic from hijacked netblocks, contact your local InfraGard group -- I know the FBI will be VERY interested in that information.

Jon Kibler

william(at)elan.net wrote:
Anybody know if 7.0.0.0/8 is or is not allocated to DoD? The data at IANA and ARIN is kind-of confusing...
---------------------------------------------------------------
7.1.1.0/24 ## AS1239 : SPRINTLINK : Sprint
7.0.0.0 - 7.255.255.255 ## Bogon (unallocated) ip range
---------------------------------------------------------------
http://www.iana.org/assignments/ipv4-address-space
007/8 Apr 95 IANA - Reserved
---------------------------------------------------------------
[IPv4 whois information for 7.0.0.1 ]
[whois.arin.net]

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US

NetRange: 7.0.0.0 - 7.255.255.255
CIDR: 7.0.0.0/8
NetName: DISANET7
NetHandle: NET-7-0-0-0-1
Parent:
NetType: Direct Allocation
Comment:
RegDate: 1997-11-24
Updated: 2006-04-28

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214
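
The triage described in the message above (bogon-sourced UDP/ICMP is probably spoofed, while TCP points to a prefix that is actually being routed), as an added example that is not part of the original post. The flow-record layout, the `established` field and the verdict names are assumptions, and treating an unanswered SYN as spoofable goes one step beyond what the message states.

```python
import ipaddress

# Constructed bogon list: only the prefix discussed in the thread.
# A real deployment would load a maintained bogon feed instead.
BOGONS = [ipaddress.ip_network("7.0.0.0/8")]

# Constructed flow records. "established" is a hypothetical field meaning the
# sensor saw the TCP three-way handshake complete with this source.
SAMPLE_FLOWS = [
    {"src": "7.1.1.5", "proto": "udp", "established": False},
    {"src": "7.1.1.9", "proto": "icmp", "established": False},
    {"src": "7.1.1.20", "proto": "tcp", "established": False},  # bare SYN only
    {"src": "7.1.1.77", "proto": "tcp", "established": True},
    {"src": "192.0.2.10", "proto": "tcp", "established": True},
    {"src": "not-an-ip", "proto": "udp", "established": False},
]


def matching_bogon(addr):
    """Return the bogon network containing addr, or None."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return next((net for net in BOGONS if ip in net), None)


def triage(flow):
    """Classify one flow by source prefix and protocol."""
    try:
        net = matching_bogon(flow["src"])
    except ValueError:
        return "invalid"
    if net is None:
        return "ok"
    # A completed handshake needs a working return path, so the prefix is
    # being routed somewhere: record it and collect traceroutes.
    if flow["proto"] == "tcp" and flow["established"]:
        return "routed-bogon"
    # UDP, ICMP and unanswered SYNs need no return path: source may be forged.
    return "likely-spoofed"


def summarize(flows):
    """Group source addresses by verdict."""
    out = {}
    for flow in flows:
        out.setdefault(triage(flow), []).append(flow["src"])
    return out


if __name__ == "__main__":
    for verdict, sources in summarize(SAMPLE_FLOWS).items():
        print(f"{verdict}: {', '.join(sources)}")
```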