why hp bladeserver chassis have a sudden interest in thailand.
http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1299558177753+28353475&threadId=1471451 As a potentially cautionary tale for the squatting on unused pieces of address space either in your network or applications. drive slow (and filter 22 outgoing to 49.48.46.49 until you get new firmware) joel
----- Original Message -----
From: "Joel Jaeggli" <joelja@bogus.com>
As a potentially cautionary tale for the squatting on unused pieces of address space either in your network or applications.
drive slow (and filter 22 outgoing to 49.48.46.49 until you get new firmware)
(HP Blades apparently depended on rDNS for 49.48/16 failing hard, which stopped happening when the block was allocated) Hey, isn't this what I was talking about a week or two ago: applications depending on DNS not lying to them about whether things actually exist or not? (Ok, it's a *bit* sideways, but not much...) Cheers, -- jra
On Mar 7, 2011, at 10:47 PM, Jay Ashworth wrote:
----- Original Message -----
From: "Joel Jaeggli" <joelja@bogus.com>
As a potentially cautionary tale for the squatting on unused pieces of address space either in your network or applications.
drive slow (and filter 22 outgoing to 49.48.46.49 until you get new firmware)
(HP Blades apparently depended on rDNS for 49.48/16 failing hard, which stopped happening when the block was allocated)
For those at home scratching their heads, I ran into this before too when trying to figure out why they were making in-addr.arpa requests over and over again... 49 decimal in ASCII = "1" 48 decimal in ASCII = "0" 46 decimal in ASCII = "." 49 decimal in ASCII = "1" or "10.1" If you had a hard-coded IP address instead of a hostname for its management host, the logic to resolve the hostname would get confused and attempt to do a reverse-dns lookup of the first 4 characters of the ASCII representation of the hostname, and connect to that instead. So, if your management host was "10.1.1.1" the first 4 characters were "10.1" which is 49.48.46.49 if you smash the values of each character into a v4 address and try to grab a PTR record for it. If that lookup failed, it'd fall back to connecting to the IP correctly. Only after 49.48/16 was assigned and started giving out PTR records did this bug actually do anything. It is attempting to SSH to the host at 49.48.46.49 though, which is probably bad. (the above is my own attempt at figuring out what was happening, but might not be 100% accurate)
rofl. the goddesses are indeed just. randy
http://isc.sans.edu/diary/Outbound+SSH+Traffic+from+HP+Virtual+Connect+Blade... It is going for a range of ips. We only see syn's never a response from the ips. Netflow sampling at 1/1k results from yesterday's SSH fun:) Countx1k ip 244 49.48.46.49 125 49.48.46.51 74 49.48.46.50 69 49.48.46.54 25 49.48.46.55 18 49.48.46.53 11 49.48.46.48 2 49.48.46.57 (coffee != sleep) & (!coffee == sleep) Donald.Smith@qwest.com ________________________________________ From: arin-ppml-bounces@arin.net [arin-ppml-bounces@arin.net] On Behalf Of Joel Jaeggli [joelja@bogus.com] Sent: Monday, March 07, 2011 9:41 PM To: NANOG; arin-ppml@arin.net Subject: [arin-ppml] why hp bladeserver chassis have a sudden interest in thailand. http://forums11.itrc.hp.com/service/forums/questionanswer.do?admit=109447626+1299558177753+28353475&threadId=1471451 As a potentially cautionary tale for the squatting on unused pieces of address space either in your network or applications. drive slow (and filter 22 outgoing to 49.48.46.49 until you get new firmware) joel _______________________________________________ PPML You are receiving this message because you are subscribed to the ARIN Public Policy Mailing List (ARIN-PPML@arin.net). Unsubscribe or manage your mailing list subscription at: http://lists.arin.net/mailman/listinfo/arin-ppml Please contact info@arin.net if you experience any issues. This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
participants (5)
-
Jay Ashworth -
Joel Jaeggli -
Kevin Day -
Randy Bush -
Smith, Donald