Private addressing/non-routing of the netblock is only of limited use. I assume here the block is in the IGP... The more customers/networks you serve, the more chance of an attack coming from within.

Steve

On Thu, 10 Jun 2004, Alexei Roudnev wrote:
Do you have any (even minimal) need to allocate a globally routable IP to the VLAN1 interface?

The other thing is that, even if I can find your switch, I will not have any idea that it is _your_ switch, nor any need to break it. You could (easily) have allocated all switch and router loopback IPs in a private network many years ago, and filtered out this network on all inbound interfaces.

Even if I (as a hacker) scan your networks and find this switch (and you did not move it out of routable IP space), I will have no idea what it is about, where this switch is, and no reason to break it...
----- Original Message -----
From: "Sean Donelan" <sean@donelan.com>
To: <nanog@merit.edu>
Sent: Thursday, June 10, 2004 4:19 AM
Subject: Re: TCP-ACK vulnerability (was RE: SSH on the router)
On Wed, 9 Jun 2004, Alexei Roudnev wrote:
This is a minor exploit - usually you set up the VLAN1 interface with an IP address, which is filtered out from outside. Moreover, there is no good way to find the switch IP - it is transparent for users' devices.
Yeah, port scanners are so rare on the Internet they'll never find your IP address. It's not as if the switches have an easy-to-detect banner signature, and everyone uses out-of-band management for all their network equipment.
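As an added illustration of the approach Alexei describes (switch and router loopback/management addresses in a private block, with that block filtered on every inbound interface), combined with Steve's caveat that the block is still reachable from inside the IGP, here is a Cisco IOS style configuration fragment. It is not from the thread or from any vendor document; the 10.255.0.0/24 management block, the 10.255.1.0/24 NOC host range and the interface names are constructed placeholders.

```cisco
! Constructed example: 10.255.0.0/24 holds all loopback / VLAN1 management
! addresses. Nothing arriving on a customer or transit interface should be
! addressed to it, so it is dropped at the edge before any routing decision.
ip access-list extended PROTECT-MGMT
 remark Drop anything from outside aimed at the management block
 deny   ip any 10.255.0.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description Customer-facing / transit link (constructed name)
 ip access-group PROTECT-MGMT in
!
interface Loopback0
 description Management address, private block, never announced externally
 ip address 10.255.0.1 255.255.255.255
!
! Steve's point: the block is carried in the IGP, so every internal host and
! every customer attached behind an internal router can still reach it.
! Restrict the management plane itself to the NOC range as a second layer.
ip access-list standard MGMT-HOSTS
 remark Only NOC hosts may open sessions to the control plane
 permit 10.255.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The edge filter handles the scanning scenario Sean raises; the vty `access-class` covers the case Steve raises, where the attacker is already inside the routed domain and the private addressing by itself provides no protection. Logged hits on either list are a useful detection signal for scans against the management block.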