Joshua Chamas wrote:

> Hey,
>
> One of my machines just got probed by a set of IPs
> during the same _TCP_ probe, one of which is an illegal
> 192.168.1.*
>
> My understanding was that 192.168.1.* addresses wouldn't
> be routable, and that having the probe alternate IPs
> also concerns me.

They shouldn't be... The question is how is the border router configured
on your side? If they are getting in from your "neighbors: other clients
on your ISP's network".... then that could be one source for them (pun
intended)...

> So I wonder what kind of danger there might be here.
> Could this be some kind of "stealth" probe? What good
> would it do a scanner to alternate IPs? Is the
> 192.168.1.* some sort of primer?

Yup... most modern scanners can now also spoof source addresses. nmap
(http://www.insecure.org/nmap) can do it with its "-D decoy" option,
giving the same results that you saw in your logs. The idea is that the
scan sends many decoys as source addresses (not caring if they finally
get to the decoys), but does get back to one real address, and that the
scan be "lost in the crowd"...

[for a list of nmap features, check the man page at
http://www.insecure.org:80/nmap/nmap_manpage.html]

> Someone please enlighten me as this challenges my knowledge
> of IP networking.

[snip rest of log]


BTW.. Personally I love nmap... It has been an extremely valuable tool
for me in diagnosing security holes in my own networks.... I am just
glad that we have access to it.....


--
Sami Yousif

http://www.mav.net/teddyr/syousif/ Personal Page
http://www.alug.org/   Amarillo Linux Users Group

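The two symptoms discussed in this thread (an RFC 1918 source arriving from outside, and several sources probing the same port at almost the same moment) can be checked for in packet-filter logs. The sketch below is an added example, not part of the original message. The log layout, the external interface name `eth0`, the thresholds and every address in the sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, assumed layout: "<seconds> <in-interface> <src> <dst> <dport>"
SAMPLE_LOG = """\
100.00 eth0 198.51.100.7 203.0.113.10 22
100.01 eth0 192.168.1.44 203.0.113.10 22
100.02 eth0 198.51.100.93 203.0.113.10 22
100.40 eth0 198.51.100.7 203.0.113.10 80
100.41 eth0 192.168.1.44 203.0.113.10 80
100.42 eth0 198.51.100.93 203.0.113.10 80
250.00 eth0 192.0.2.5 203.0.113.10 25
"""

def parse(text):
    """Turn log lines into (time, interface, src, dst, dport) tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, iface, src, dst, dport = line.split()
            out.append((float(ts), iface, src, dst, int(dport)))
    return out

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def spoofed_private_sources(records, external_iface="eth0"):
    """Private sources seen on the external interface (no ingress filtering upstream)."""
    return sorted({r[2] for r in records if r[1] == external_iface and is_rfc1918(r[2])})

def decoy_bursts(records, window=0.5, min_sources=3):
    """Find dst:port pairs probed by >= min_sources distinct sources within `window` seconds."""
    by_target = defaultdict(list)
    for ts, _iface, src, dst, dport in records:
        by_target[(dst, dport)].append((ts, src))
    bursts = []
    for target, events in sorted(by_target.items()):
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            sources = {s for _, s in events[start:end + 1]}
            if len(sources) >= min_sources:
                bursts.append((target, sorted(sources)))
                break  # one report per target is enough
    return bursts
```

A burst report only says that the listed sources were used together; it does not say which of them, if any, is the real scanner.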