198.32.64.12 -- Harmless mis-route or potential exploit?
Hello all,

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:
http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).

On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
My profile and resume: http://www.linkedin.com/in/gadievron

On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:
Hello all,
While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:
http://www.honeynet.org/papers/forensics/exploit.html
So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).
On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).
It should be treated as an intelligence source; sharing that one openly is probably counter-productive.

Regardless, very interesting. I think follow-up just for interest's sake may be worth it.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Gadi,

Could you please take the self-promotion offline already? Enough is enough! I don't think anybody on this list is interested in hiring you or reviewing your resume!

(It could be argued that my post is off-topic as well. I disagree. Furthermore, it had to be done, given the lack of public face or consistent enforcement action of the current MLC.)

Drive Slow,
Paul Wall
http://www.linkedin.com/in/paulwall

On Tue, Sep 2, 2008 at 6:28 PM, Gadi Evron <ge@linuxbox.org> wrote:
My profile and resume: http://www.linkedin.com/in/gadievron

On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:
Hello all,
While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:
http://www.honeynet.org/papers/forensics/exploit.html
So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).
On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).
It should be treated as an intelligence source; sharing that one openly is probably counter-productive.
Regardless, very interesting. I think follow-up just for interest's sake may be worth it.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
On Sep 2, 2008, at 6:44 PM, Paul Wall wrote:
Could you please take the self-promotion offline already? Enough is enough! I don't think anybody on this list is interested in hiring you or reviewing your resume!
(It could be argued that my post is off-topic as well. I disagree. Furthermore, it had to be done, given the lack of public face or consistent enforcement action of the current MLC.)
[...]
Paul Wall
http://www.linkedin.com/in/paulwall
On Tue, Sep 2, 2008 at 6:28 PM, Gadi Evron <ge@linuxbox.org> wrote:
My profile and resume: http://www.linkedin.com/in/gadievron
[SNIP]

Just so that I am clear on your issue here: You believe it is "okay" for you to put your linkedin URL in your .sig, but Gadi must not be allowed to put it at the top of a post?

I ask because I had to go back and read what you were so upset over since I did not even notice the first line in his post. I bet many others did not as well.

Oh, and I think the fact it is L-Root's old IP address probably means no one will hire him to research it anyway. :-)

--
TTFN,
patrick
On Tue, 2 Sep 2008 21:40:38 -0400 "Patrick W. Gilmore" <patrick@ianai.net> wrote:
[SNIP]
Just so that I am clear on your issue here: You believe it is "okay" for you to put your linkedin URL in your .sig, but Gadi must not be allowed to put it at the top of a post?
Yes, I think that's exactly right. It's a statement of what the sender perceives to be important about the email. I read email for the content; having the URL at the top is an assertion by the poster that he thinks his resume is more important than what he says. (Yes, I know some of you are about to hit reply to say "maybe it is from Gadi". Don't bother -- what he says is often quite valuable.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Tue, 2 Sep 2008, Steven M. Bellovin wrote:
On Tue, 2 Sep 2008 21:40:38 -0400 "Patrick W. Gilmore" <patrick@ianai.net> wrote:
[SNIP]
Just so that I am clear on your issue here: You believe it is "okay" for you to put your linkedin URL in your .sig, but Gadi must not be allowed to put it at the top of a post?
Yes, I think that's exactly right. It's a statement of what the sender perceives to be important about the email. I read email for the
I agree, which is why this fluke in not deleting the last line with ctrl+k as PINE appends signature lines at the top of the post by default--was awkward. Good thing I don't much get deterred by awkward.

Still, I bet this is going to be a huge thread yet again. No one appends any URL at the footer--not even me! ;) But folks with no content to contribute would naturally jump at it like they would at even just a typo.

I suppose it is only natural when you become a celebrity of any sort--you draw all sorts of attention. At first my thick skin helped, nowadays I just find it amusing. Folks flooded mailing lists spoofing my name (creating ASCII art of Beavis or a swastika) using the subject lines. They flooded yet again, with furry porn pictures attached. They launched fan blogs, created an Encyclopedia Dramatica entry... I've had a comic strip made about me, a song written about me, a fake craigslist entry... all of course, serving as a boost to my ego--knowing "now I must have made it!" ;-)

There was a blackhat presentation which in part was about how someone faked a social network account being me, and how he almost got an informationweek interview as me out of it--I was on to him.

Most recently, someone created a comic-strip in ASCII about me (very funny, but R rated, so don't go if you find that type of thing offensive). It's from the "now I know I've made it!" department:
http://fr.pastebin.ca/raw/1094119

To wrap this up, I don't often (at all) use signature lines, but I do have them and out of habit delete them with almost every new posting from the footer. I had two VERY self-deprecating (and very funny) quotes, before, which also were not often used, anyone remember?

1. "beepbeep it, i leave work, stop reading sec lists and im still hearing gadi" - HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.
2. *FART* -- Avi Freedman to Gadi Evron in a Chinese restaurant, Boston 2007.

To even things out, my new barely ever used footer signature, is:
-----
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General, Israel's Ministry of Finance, at the government's CIO conference, 2005.
(after two very funny self-deprecation quotes, time to even things up!)
My profile and resume: http://www.linkedin.com/in/gadievron
------

So, I missed one line and it stuck at the footer and no one noticed it except the trolls.

Now that the awkward moment is over and I made the unnecessary yet required explanation... can we move on? I really should use the man page and see how I move the signature from the footer in PINE.

Thanks for the free advertisement of my resume, trolls! Appreciated.

Gadi.
content; having the URL at the top is an assertion by the poster that he thinks his resume is more important than what he says. (Yes, I know some of you are about to hit reply to say "maybe it is from Gadi". Don't bother -- what he says is often quite valuable.)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
[SNIP]
Just so that I am clear on your issue here: You believe it is "okay" for you to put your linkedin URL in your .sig, but Gadi must not be allowed to put it at the top of a post?
Yes, I think that's exactly right. It's a statement of what the sender perceives to be important about the email. I read email for the content; having the URL at the top is an assertion by the poster that he thinks his resume is more important than what he says. (Yes, I know some of you are about to hit reply to say "maybe it is from Gadi". Don't bother -- what he says is often quite valuable.)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Patrick, I would say that "we" have a long history of tolerating certain content within a signature that might not be appropriate within a message itself; my own opinion would be that inclusion of this sort of thing outside of the signature is inappropriate, except perhaps where it would fall within the scope of the purpose of the list.

Steve, it is intriguing that you would make such a statement, since you clearly believe that your own signature is sufficiently worthwhile that you do not separate it from the main message with a signature separator, which would cause those of us who have clients configured to grey out or eliminate signatures to ignore "less valuable" signature content. I do appreciate that your signature is refreshingly brief, however. ;-)

Paul, who I believe originally complained about this, I would have agreed with your complaint had it clearly been part of a pattern of behaviour on Gadi's part. However, a one-time inclusion of unacceptable text should probably be overlooked. There are very few of us who have /never/ made a cut and paste error, failed to trim content, misattributed a message, failed to attribute a message, or made any of a hundred other minor sins. You wouldn't want a bunch of us to pile on you the next time you make a speeling mysteak. You might also want to make sure you put your LinkedIn URL in your SIGNATURE, after a signature separator, because from where I sit, your message closely resembles Gadi's, because you included a LI URL in the BODY of your message.

Gadi, you do have an aura that surrounds you of vague self-promotion, and you seem to rub some people the wrong way. You might want to consider not including an automatic signature if you don't intend to use it on a majority of messages, because clearly there is a chance of operator error when deleting the unintended text.
Joe, you obnoxious jerk, you include TWO signatures in your messages, one "initials only" one before the signature separator, and a fully compliant one after. Pick one or the other! ("But it helps clarify attributions, etc!") ;-)

There. Now we have a mountain made out of a molehill! Now back to our regularly scheduled programming. (*groan*)

... JG

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Wed, 3 Sep 2008 08:02:09 -0500 (CDT) Joe Greco <jgreco@ns.sol.net> wrote:
Steve, it is intriguing that you would make such a statement, since you clearly believe that your own signature is sufficiently worthwhile that you do not separate it from the main message with a signature separator, which would cause those of us who have clients configured to grey out or eliminate signatures to ignore "less valuable" signature content. I do appreciate that your signature is refreshingly brief, however. ;-)
It's in the interest of brevity...

--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Wednesday 03 September 2008 09:24:12 Steven M. Bellovin wrote:
It's in the interest of brevity...
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Two tabs and double dashes is shorter than double-dashes and newline?
On Tue, Sep 2, 2008 at 3:28 PM, Gadi Evron <ge@linuxbox.org> wrote:
My profile and resume: http://www.linkedin.com/in/gadievron
are you for real?
On Tue, Sep 2, 2008 at 9:32 PM, Aaron Glenn <aaron.glenn@gmail.com> wrote:
On Tue, Sep 2, 2008 at 3:28 PM, Gadi Evron <ge@linuxbox.org> wrote:
My profile and resume: http://www.linkedin.com/in/gadievron
are you for real?
No, he is not.
On Tue, 2 Sep 2008, Aaron Glenn wrote:
On Tue, Sep 2, 2008 at 3:28 PM, Gadi Evron <ge@linuxbox.org> wrote:
My profile and resume: http://www.linkedin.com/in/gadievron
are you for real?
Yep. Are you a geek? I am that, too.

Awkward, but easy to explain. I use PINE and I often have signatures added (which I barely ever actually use). PINE adds them at the footer of the message. Therefore I hit ctrl+K a few times and delete entire lines, then reply at the footer. I missed one line, which is the last of my current .signature file.

My usual signature these days, as has been seen before on this list as well, is:
======
--
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant General, Israel's Ministry of Finance, at the government's CIO conference, 2005.
(after two very funny self-deprecation quotes, time to even things up!)
My profile and resume: http://www.linkedin.com/in/gadievron
======

So, you saw the last line. Awkward, but silly.

You are an idiot just in case you wondered, as you now officially advertised a mistake nearly no one noticed which is also advertising me. Yes?

Back to our scheduled programming.

Gadi.
On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
Hello all,
While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:
Once upon a time, that used to be the IP address for the L Root server.

Steve
----- Steve Conte conte@isoc.org
On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
As Steve Conte pointed out, that is the address that used to be used for l.root-servers.net. l.root-servers.net was renumbered almost a year ago, with the announcement of the old address turned off about 6 months ago.
So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).
Packets being sent to 198.32.64.12 most likely come from DNS caching servers that haven't had their hints updated. In the ideal world, you could hunt down those machines and kick 'em in the head (that is, install a new hints file). That they're unrouted is definitely the way things should be.

Regards,
-drc
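As an added example (not code from the thread or from any of its posters), here is the triage David describes applied to the CEF drop lines from Dan's original post: parse the `debug cef drops` output, count "no route" drops per destination, and label a destination that is known retired infrastructure (198.32.64.12, the former l.root-servers.net address, which the thread says signals a resolver with an old root hints file) so it can be separated from destinations that still need a whois/rDNS and routing check. The sample log and the 192.0.2.7 destination are constructed.

```python
import re
from collections import Counter

# Line format of the "debug cef drops" output quoted in the thread, e.g.
#   Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
CEF_DROP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): CEF-Drop: Packet for "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) -- (?P<reason>.+)$"
)

# Destinations with a known, benign explanation. 198.32.64.12 is the former
# l.root-servers.net address discussed in the thread (no longer announced);
# a steady trickle of packets to it is the signature of a recursive resolver
# that still loads an old root hints file.
KNOWN_STALE = {
    "198.32.64.12": "former l.root-servers.net address: sender has stale root hints",
}


def parse_cef_drops(lines):
    """Yield (timestamp, destination, reason) for each well-formed CEF-Drop line.

    Lines that do not match the format are skipped rather than raising."""
    for line in lines:
        m = CEF_DROP_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("dst"), m.group("reason")


def summarize_no_route_drops(lines):
    """Count 'no route' drops per destination and attach a triage note.

    Returns a dict keyed by destination, ordered from most to least frequent.
    Destinations not in KNOWN_STALE are marked for manual follow-up (whois/rDNS
    and a routing-table check), which is what the thread recommends before
    assuming anything hostile about unrouted traffic."""
    counts = Counter()
    for _ts, dst, reason in parse_cef_drops(lines):
        if reason == "no route":
            counts[dst] += 1
    return {
        dst: {
            "count": n,
            "note": KNOWN_STALE.get(
                dst, "unrecognised unrouted destination: check whois/rDNS and routing tables"
            ),
        }
        for dst, n in counts.most_common()
    }


# Constructed sample input: the eight lines quoted in the thread, two lines to a
# made-up destination in the 192.0.2.0/24 documentation range, and one unrelated
# line that the parser must ignore.
SAMPLE_LOG = "\n".join(
    ["Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route"] * 8
    + [
        "Sep 2 22:03:26: CEF-Drop: Packet for 192.0.2.7 -- no route",
        "Sep 2 22:03:27: CEF-Drop: Packet for 192.0.2.7 -- no route",
        "Sep 2 22:03:27: (unrelated log line, constructed)",
    ]
)

if __name__ == "__main__":
    for dst, info in summarize_no_route_drops(SAMPLE_LOG.splitlines()).items():
        print(f"{dst:15} {info['count']:4d}  {info['note']}")
```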
dan,

(to follow up on david conrad's response)...

On Tue, Sep 02, 2008 at 04:31:40PM -0700, David Conrad wrote:
On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
As Steve Conte pointed out, that is the address that used to be used for l.root-servers.net. l.root-servers.net was renumbered almost a year ago, with the announcement of the old address turned off about 6 months ago.
there's some context on recent routing issues with this network described at the renesys blog here:
http://www.renesys.com/blog/2008/06/securing_the_root_1.shtml

in short: the prefix containing this network was advertised by people other than iana for a time after iana stopped advertising it.

checking our current data, that block is not currently routed by any of our peers over the last month (i would assume ripe ris and routeviews report similar data, but i did not check them).

t.

--
_____________________________________________________________________
todd underwood +1 603 643 9300 x101
renesys corporation
general manager babbledog
todd@renesys.com
http://www.renesys.com/blog
On 9/2/08, Todd Underwood <todd-nanog@renesys.com> wrote:
checking our current data, that block is not currently routed by any of our peers over the last month (i would assume ripe ris and routeviews report similar data, but i did not check them).
it's also probably worth stating that parts of 198.32/16 are never routed anywhere on the Internet (here comes bill to tell me 'who's Internet?' .....). Some is in use on private networks, some is in use at exchange points and not routed outside the immediate peers.

Most times, as I recall, epnet does a decent job of keeping the whois data or rdns data updated though, for things in use. (though possibly not for private uses)

-chris
On Tue, Sep 02, 2008 at 10:08:10PM -0400, Christopher Morrow wrote:
On 9/2/08, Todd Underwood <todd-nanog@renesys.com> wrote:
checking our current data, that block is not currently routed by any of our peers over the last month (i would assume ripe ris and routeviews report similar data, but i did not check them).
it's also probably worth stating that parts of 198.32/16 are never routed anywhere on the Internet (here comes bill to tell me 'who's Internet?' .....). Some is in use on private networks, some is in use at exchange points and not routed outside the immediate peers.
grump... ok... "who's internet"?
Most times, as I recall, epnet does a decent job of keeping the whois data or rdns data updated though, for things in use. (though possibly not for private uses)
rdns moreso that whois...
-chris
On Wed, Sep 3, 2008 at 8:48 AM, <bmanning@vacation.karoshi.com> wrote:
On Tue, Sep 02, 2008 at 10:08:10PM -0400, Christopher Morrow wrote:
On 9/2/08, Todd Underwood <todd-nanog@renesys.com> wrote:
checking our current data, that block is not currently routed by any of our peers over the last month (i would assume ripe ris and routeviews report similar data, but i did not check them).
it's also probably worth stating that parts of 198.32/16 are never routed anywhere on the Internet (here comes bill to tell me 'who's Internet?' .....). Some is in use on private networks, some is in use at exchange points and not routed outside the immediate peers.
grump... ok... "who's internet"?
there he is!!! :) (thanks for restoring my faith in... humanity)
Most times, as I recall, epnet does a decent job of keeping the whois data or rdns data updated though, for things in use. (though possibly not for private uses)
rdns moreso that whois...
198.32.64.12 == AS-20144-has-not-REGISTERED-the-use-of-this-prefix. for instance?

-chris
On Wed, Sep 03, 2008 at 10:00:41AM -0400, Christopher Morrow wrote:
On Wed, Sep 3, 2008 at 8:48 AM, <bmanning@vacation.karoshi.com> wrote:
On Tue, Sep 02, 2008 at 10:08:10PM -0400, Christopher Morrow wrote:
On 9/2/08, Todd Underwood <todd-nanog@renesys.com> wrote:
checking our current data, that block is not currently routed by any of our peers over the last month (i would assume ripe ris and routeviews report similar data, but i did not check them).
it's also probably worth stating that parts of 198.32/16 are never routed anywhere on the Internet (here comes bill to tell me 'who's Internet?' .....). Some is in use on private networks, some is in use at exchange points and not routed outside the immediate peers.
grump... ok... "who's internet"?
there he is!!! :) (thanks for restoring my faith in... humanity)
WHO'S THAT TRIP-TRAPPING ACROSS MY BRIDGE?

(random thought of the day ... is there a real requirement to do routing at the level of granularity we seem to have fallen into? is there any reason to not do more bridging, creating larger broadcast domains? Such constructs are certainly more amenable to device mobility, esp in the absence of workable mobile IP and the dearth of EID/LOC splits... and there would be less route churn.... lots of good reasons)
Most times, as I recall, epnet does a decent job of keeping the whois data or rdns data updated though, for things in use. (though possibly not for private uses)
rdns moreso that whois...
198.32.64.12 == AS-20144-has-not-REGISTERED-the-use-of-this-prefix. for instance?
well that has been there for some time - we need not remove the clay-cap off that nuclear waste dump - let sleeping dogs lie.
-chris
--bill
well, actually.... this was the IP address used for l.root-servers.net from 1998-2008. so i guess you could say it's never been used for anything.

we are not currently routing that prefix and there should currently be nothing at that IP address.

--bill

On Tue, Sep 02, 2008 at 06:24:21PM -0400, Dan Mahoney, System Admin wrote:
Hello all,
While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:
http://www.honeynet.org/papers/forensics/exploit.html
So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).
On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------