Hi all,
Tearing what's left of my hair out.
A customer is getting scanned by a host claiming to be "172.0.1.216".
I know this is bogus, but I want to go back to the customer with as much authoritative umph as I can (heaven forbid they just take my word).
I'm pretty sure I read somewhere once that 172/12 was "reserved" or something like that. All I can find now is that 172/8 is "administered by ARIN". Lots of information on 172.16/12, but not a peep about 172/12.
If anybody could provide some insight as to the allocation/non-allocation of this block, it would be much appreciated.
Thanks.
Ted Fischer
As far as I know, 172.0.1.216 is not assigned, yet.
    whois -h whois.arin.net 172.0.1.216
    [whois.arin.net]
    #
    # Query terms are ambiguous.  The query is assumed to be:
    #     "n 172.0.1.216"
    #
    # Use "?" to get help.
    #
    No match found for 172.0.1.216.
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
Also, when you check the BGP routing table, it is not routed at all.
    route-server.as3257.net>sh ip bgp 172.0.1.216
    % Network not in table
    route-server.as3257.net>
So it seems like a forged IP address.
Alex
On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <ted@fred.net> wrote:
Read RFC1918.
Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.
But that is not guaranteed. A packet with a source address of 172.0.x.x could be hitting his machine. Depends on how well you filter. Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above).
-- 
TTFN,
patrick
On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:
Thanks for the replies so far, but not what I was looking for.
I should have specified that I've done several ns & dig lookups just to make sure.
We were supposed to have lit up the last of IPv4 last year. I would have presumed that meant that there was nothing left. Since I can't find a reference to 172/12 anywhere, one might be led to presume that it was allocated somehow, to someone (perhaps inadvertently not recorded) since there are - supposedly - no fresh IPv4 addresses left to allocate, and the only reference to this block is that 172/8 is allocated to ARIN. It doesn't even appear in RFC 5735.
We all know about 172.16/12 - nothing left of that horse but glue.
My question is about 172/12. Where is it, what is its supposed purpose. I'm almost sure it's an internal box. I just find it better to give a professional answer to "why can't I use this" than just "you can't use this and why is this address scanning you for udp/137 anyway".
If someone can point out to me what was done with 172/12 I'd appreciate it.
Patrick opined:
Read RFC1918.
I didn't remember seeing anything about 172/12 in RFC1918. Looked at it again. Is there something about 172/12 I missed? Thanks.
Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.
But that is not guaranteed. A packet with a source address of 172.0.x.x could be hitting his machine. Depends on how well you filter. Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above).
On 15 Jan 2012, at 09:20, "Ted Fischer" <ted@fred.net> wrote:
My question is about 172/12. Where is it, what is its supposed purpose.
See IANA, which tells you at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml that ARIN is handling it. As their whois does not have anything for it, and BGP does not have it, it obviously is unused as of yet and somebody is just spoofing.
Solution: implement BCP38 in your network.
Note that IANA has run out of v4; the RIRs themselves have quite a bit left, obviously, ARIN still has big chunks of 172/8.
I'm almost sure it's an internal box.
Then apply BCP38 and figure out where it lives.
I just find it better to give a professional answer to "why can't I use this" than just "you can't use this and why is this address scanning you for udp/137 anyway"
It is not their address space, as such they are not supposed to use it. What is so difficult about that answer?!
Greets,
Jeroen
On Sun, Jan 15, 2012 at 2:20 AM, Ted Fischer <ted@fred.net> wrote:
We were supposed to have lit up the last of IPv4 last year. I would have presumed that meant that there was nothing left. Since I can't find a
Not a good assumption. There remains IPv4 address space that has not yet been assigned to any network, but is available for assignment. 172/12 appears to likely fall into that category.
there are - supposedly - no fresh IPv4 addresses left to allocate, and the only reference to this block is that 172/8 is allocated to ARIN. It doesn't even appear in RFC 5735.
Just because ARIN does not appear to have allocated networks from 172/12 yet does not mean this address space is unavailable, not part of the free pool, or will not be allocated from by ARIN in the future. Just a /12 is a very small shard of IP address space. This is also part of a legacy /8.
My question is about 172/12. Where is it, what is its supposed purpose.
This falls under IP addresses that can be assigned to networks but have not yet been recorded as assigned to any networks.
I'm almost sure it's an internal box. I just find it better to give a professional answer to "why can't I use this" than just "you can't use this and why is this address scanning you for udp/137 anyway".
Only the RFC1918 IP address space is reserved for use by private networks. 172/12 is not reserved by RFC, therefore portions of it that are unallocated could be allocated at any time.
Something is generating packets sourced with an IP address in that range which should not be using that source IP address. It could be a device misconfiguration, or it could be intentional IP address spoofing.
If someone can point out to me what was done with 172/12 I'd appreciate it.
-- 
-JH
On Sun, 15 Jan 2012, Ted Fischer wrote:
Thanks for the replies so far, but not what I was looking for.
I should have specified that I've done several ns & dig lookups just to make sure.
We were supposed to have lit up the last of IPv4 last year. I would have presumed that meant that there was nothing left. Since I can't find a reference to 172/12 anywhere, one might be led to presume that it was allocated somehow, to someone (perhaps inadvertently not recorded) since there are - supposedly - no fresh IPv4 addresses left to allocate, and the only reference to this block is that 172/8 is allocated to ARIN. It doesn't even appear in RFC 5735.
While IANA allocated the last of the free IPv4 address pool to the 5 recognized RIRs on 3 Feb 2011, that doesn't mean that all of those IPv4 addresses were immediately assigned to providers or end-users. The RIRs will exhaust their supplies of assignable IPv4 address space at different times, depending on their 'end game' assignment strategies and their overall consumption rate. APNIC exhausted most of their available address space by last April.
172/8 was a legacy block, from which 172.16/12 was allocated for RFC 1918. Looking at http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml shows many of the legacy allocations being administered by ARIN, but also a few being administered by RIPE and APNIC. There is a difference between an RIR being tasked with administering a chunk of legacy space and being officially allocated a chunk of space by IANA. In the case of 172/8, it was allocated in the InterNIC days, so users could be scattered all over the world, but ARIN handles in-addr.arpa delegation for it. Since ARIN was not (as far as I know) formally tasked with allocating remaining space from 172/8, that space will not be assigned to SPs or users by ARIN.
My question is about 172/12. Where is it, what is its supposed purpose. I'm almost sure it's an internal box. I just find it better to give a professional answer to "why can't I use this" than just "you can't use this and why is this address scanning you for udp/137 anyway".
As others have pointed out, if 172.0.0.0/12 or some subset of it doesn't exist in the global routing table, then the packets you saw are either coming from outside of your network - spoofed - or coming from somewhere inside your network.
If someone can point out to me what was done with 172/12 I'd appreciate it.
I'm not aware of anything more detailed than what I've noted above or what other posters have contributed to this thread.
jms
As port 137 is the Netbios Name Service port, are you *sure* this is a port scan and not a windows box (or other OS running NetBIOS crud) that simply has fat-fingered addresses configured?
-----Original Message-----
From: Ted Fischer [mailto:ted@fred.net]
Sent: Sunday, 15 January, 2012 01:20
To: nanog@nanog.org
Subject: Re: Whois 172/12
Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated.
On Sun, Jan 15, 2012 at 1:28 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
-- Suresh Ramasubramanian (ops.lists@gmail.com)
<quote>Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated.</quote>
What's with the language?
Ephesians 4:32 & Cheers!!!
-----Original Message-----
From: Suresh Ramasubramanian [mailto:ops.lists@gmail.com]
Sent: Sunday, January 15, 2012 12:35 AM
To: Patrick W. Gilmore
Cc: NANOG list
Subject: Re: Whois 172/12
On Sun, Jan 15, 2012 at 1:28 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
So kind, compassionate and forgiving that I'll buy Patrick a beer when I see him next, it's been a long time.
--srs
On Sun, Jan 15, 2012 at 9:46 PM, Network IP Dog <network.ipdog@gmail.com> wrote:
<quote>Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated.</quote>
What's with the language?
Ephesians 4:32 & Cheers!!!
-- Suresh Ramasubramanian (ops.lists@gmail.com)
On Sun, 2012-01-15 at 14:05 +0530, Suresh Ramasubramanian wrote:
> Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly
> unallocated.
And for almost all of it, there is Team Cymru:
    >show ip route 172.0.0.0
    Routing entry for 172.0.0.0/9, supernet
      Known via "bgp", distance 20, metric 0
      Tag 65332, type external
      Last update from 192.0.2.1 3w1d ago
      Routing Descriptor Blocks:
      * 192.0.2.1, from 38.229.66.20, 3w1d ago
          Route metric is 0, traffic share count is 1
          AS Hops 1
          Route tag 65332
          MPLS label: none
(192.0.2.1 is null routed statically)
http://www.team-cymru.org/Services/Bogons/
A very handy service!
Tom
From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Sun Jan 15 02:02:00 2012
Subject: Re: Whois 172/12
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Sun, 15 Jan 2012 02:58:11 -0500
To: NANOG list <nanog@nanog.org>
Read RFC1918.
Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.
Patrick, I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the OP was asking about. 172.16/12, yes, but not 172.0/12. Can you please clarify your advice?
ZZ
On Sun, Jan 15, 2012 at 06:36:12AM -0600, Robert Bonomi wrote:
so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12?
if memory serves, back in the day, there were records of allocations in this space, pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8 so there was talk of relocating those folks into other space.
/bill
On Sun, 15 Jan 2012 bmanning@vacation.karoshi.com wrote:
so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12?
Yeah...it's pretty common to drop the zeros when talking CIDR.
if memory serves, back in the day, there were records of allocations in this space, pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8 so there was talk of relocating those folks into other space.
AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking at a BGP table, I'd say they're by far the largest user (one of the only) in that /8.
For the OP...that scan traffic coming from 172.0.1.216 could be locally generated, or could be coming from the internet, either from someone announcing it briefly, or from a leaky NAT (just because it's not rfc1918 space doesn't mean someone didn't pick it out of their nether regions as the "private network" for some NAT'd network). There are resources where you can check to see if 172.0.1/24 or larger networks have been announced recently (left as an exercise for the reader). If it hasn't, then the "scans" probably aren't being very effective since there can be no reply.
----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On Sun, Jan 15, 2012 at 8:54 AM, Jon Lewis <jlewis@lewis.org> wrote:
AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking at a BGP table, I'd say they're by far the largest user (one of the only) in that /8.
We, AOL, have 172.128/10, 172.192/12, 172.208/13, 172.216/16. These blocks represent our dial-up ISP customers that can't seem to get broadband or, for whatever reason, stay on dial-up. Also pretty amazing is how high the simultaneous user count has stayed; guess the folks that left weren't the ones on in the evenings between 7-10pm ET.
We (mostly me) are looking into solutions to be able to remove the reliance on this space. Unfortunately, most of the developers, who created the various servers/applications that dole out these addresses, all left in the late 90's with some pretty fat wallets; at this point... it's an archeology dig.
Jay
-- 
Jay Moran
http://tp.org/jay
On 15 Jan 2012, at 07:39, "Ted Fischer" <ted@fred.net> wrote:
I would look for the prefix in your BGP table and in a couple of looking glasses and show the empty output. If it's not there, then it is bogus.
-- 
Leigh
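The triage the thread converges on, put into one script: Alex's whois and route-server checks, Jimmy's and Jeroen's point that only 172.16/12 is RFC 1918 while 172.0/12 is merely unallocated, Tom's bogon list, and Leigh's looking-glass test. This is an added example, not code from anyone in the thread; the bogon feed text, the looking-glass transcripts and the function names are constructed here, while the special-use table is the RFC 5735 list.

```python
# Added example: triage a suspicious source IP the way the thread does.
import ipaddress
import re

# RFC 5735 special-use IPv4 blocks. 172.0.0.0/12 is deliberately absent: only
# 172.16.0.0/12 is RFC 1918, which is the confusion the thread clears up.
SPECIAL_USE = {
    "0.0.0.0/8": "this network",
    "10.0.0.0/8": "private (RFC 1918)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link local",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.0.0.0/24": "IETF protocol assignments",
    "192.0.2.0/24": "TEST-NET-1",
    "192.88.99.0/24": "6to4 relay anycast",
    "192.168.0.0/16": "private (RFC 1918)",
    "198.18.0.0/15": "benchmarking",
    "198.51.100.0/24": "TEST-NET-2",
    "203.0.113.0/24": "TEST-NET-3",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved for future use",
    "255.255.255.255/32": "limited broadcast",
}

# Constructed sample in the one-prefix-per-line shape of a bogon feed; in real
# use load the provider's current list instead of this hard-coded text.
SAMPLE_BOGON_FEED = """# constructed sample, not the live feed
10.0.0.0/8
172.0.0.0/12
192.0.2.0/24
"""

# Constructed looking-glass transcripts for the two outcomes 'sh ip bgp' gives.
LG_UNROUTED = "rs>sh ip bgp 172.0.1.216\n% Network not in table\nrs>"
LG_ROUTED = "rs>sh ip bgp 172.128.5.9\nBGP routing table entry for 172.128.0.0/10, version 42\n"

def special_use(addr):
    """Return the RFC 5735 label covering addr, or None for ordinary unicast space."""
    ip = ipaddress.ip_address(addr)
    return next((label for net, label in SPECIAL_USE.items()
                 if ip in ipaddress.ip_network(net)), None)

def load_bogons(feed):
    """Parse a one-prefix-per-line bogon list, ignoring comments and blank lines."""
    prefixes = (line.split("#", 1)[0].strip() for line in feed.splitlines())
    return [ipaddress.ip_network(p, strict=False) for p in prefixes if p]

def routed_per_looking_glass(output):
    """False on '% Network not in table', True when a BGP table entry is shown."""
    if re.search(r"^% Network not in table", output, re.M):
        return False
    return bool(re.search(r"^BGP routing table entry for ", output, re.M))

def triage(addr, bogons, lg_output):
    """Classify a packet's source as private, special-use, bogon, unrouted or routed.
    Bogon and unrouted sources cannot receive replies, so the traffic is either
    spoofed from outside (what BCP 38 ingress filtering blocks) or leaked from inside."""
    label = special_use(addr)
    if label:
        return "private" if "RFC 1918" in label else "special-use"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in bogons):
        return "bogon"
    return "routed" if routed_per_looking_glass(lg_output) else "unrouted"
```

With the thread's address, `triage("172.0.1.216", load_bogons(SAMPLE_BOGON_FEED), LG_UNROUTED)` returns "bogon", and with an empty bogon list it returns "unrouted"; either way the answer to the customer is that no reply can reach that source.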
participants (15)
- Alex Ryu
- bmanning@vacation.karoshi.com
- Jay Moran
- Jeroen Massar
- Jimmy Hess
- Jon Lewis
- Justin M. Streiner
- Keith Medcalf
- Leigh Porter
- Network IP Dog
- Patrick W. Gilmore
- Robert Bonomi
- Suresh Ramasubramanian
- Ted Fischer
- Tom Hill