On Fri, 8 Mar 2002, Michael D. Schleif wrote:

> Jeff Newmiller wrote:
> >
> > On Fri, 8 Mar 2002, Michael D. Schleif wrote:
> >
> > > We are seeing martians on internal networks on a regular basis.
> > >
> > > Usually, it is traceable to users logging into AOL over our high speed
> > > internet connections:
> > >
> > >     172.128.0.0 - 172.191.255.255
> > >
> > > Today, we saw one from United Airlines:
> > >
> > >     205.174.16.0 - 205.174.23.255
> > >
> > > [1] How does this happen?
> >
> > I often wonder how it happens that people who should know better fail to
> > provide specific error and log messages and explain what they know about
> > the particulars of the ip addresses, routes, machines and connections
> > involved. It is hard to trust reports as sanitized as this.
>
> Jeff, I respect your intelligence and firewall skills; however, if you
> read exactly what I posted, then you will know exactly what there is to
> know.
Troubleshooting is like a tree... if you only describe the trunk and one
branch, we cannot be expected to describe the right twig for you to look
at.

> > On the surface, the idea that packets should be generated within your LAN
> > with source addresses outside your network would suggest something is
> > seriously broken (accidentally or purposefully) with the workstation
> > generating the packets.
>
> That is one idea, isn't it?
>
> > > [2] Why does this happen?
> >
> > Speculation: if your AOL users are actually dialling into AOL while being
> > on the network, they may be temporarily acquiring an IP from AOL, and
> > Windows could possibly screw up and ship packets out the wrong interface.
> > However, something would have to be pretty weird with the AOL software if
> > it decided it had an AOL IP even if no dialup had occurred. There could
> > possibly be overlap when a dialup connection was lost as well.
>
> Please, please, please, read my post and respond accordingly:
>
> `` ... users logging into AOL over our high speed internet connections
> ... ''

I read that. See below.

> They are *NOT* _dialing_ into AOL !!!
>
> Or, even if they were, the questions remain the same -- what's the
> difference?

Each interface is supposed to have an ip address. If the wrong IP address
is appearing on an outbound packet, the first possibility that presents
itself to my mind is that a port bound on one interface is somehow sending
packets out on another interface. The second interface may not be a
dialup interface... but it is an obvious one that you did not explicitly
rule out in your first post. If some tunnelling is going on, then virtual
interfaces could be involved. However, Occam's Razor suggests that the
simplest solution is the most likely one. Since I am not aware of
tunnelling in the described software, and dialups are very common with
that software, I speculated.

> > > [3] Is this exploitable?
> >
> > Insufficient data.
>
> How much data will suffice?
>
> A smattering of log entries:
>
> Feb 26 08:17:36 redtrout kernel: martian source 0b49a2ac for ffffffff,
> dev eth1
> Feb 26 08:21:11 redtrout kernel: martian source 490b99ac for ffffffff,
> dev eth1
[...]

While you may feel like you are conveying some message about the
unreasonableness of my request, you are actually spewing on a public
mailing list. A few samples, with a summary of the interfaces involved,
and the routing table for one of these "AOL" computers would be much more
effective.

> For those who cannot be bothered to find their hex calculators:
>
> 0.0.234.239          efea0000
> 12.248.73.21         1549f80c
> 24.147.110.151       976e9318
[...]
> 172.128.190.181      b5be80ac
> 172.129.46.164       a42e81ac
[...]
> What more do you need?

On an offending workstation,

    ipconfig
    netstat -rn
    netstat -a

I am not as familiar with networking on Windows as I am on Linux, but I
have some reference books and the problem here is not on the firewall. On
Linux I would use lsof also, but I don't know what the equivalent would be
under Windows. MSINFO.EXE?

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>               Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
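The "hex calculator" step in the thread, as an added example that is not part of either poster's message: the kernel in these log lines prints the 32-bit source and destination addresses with %08x on a little-endian host, so the printed bytes are in reverse order (the poster's own table confirms this: 172.128.190.181 appears as b5be80ac). The script below decodes the hex back to dotted quads, classifies each source against RFC 1918 space and the two blocks named in the thread, and tallies them per interface. The sample log is constructed: the first two lines are the ones quoted above rejoined onto single lines, the third is a made-up entry for the United Airlines block. Function names, the range labels and the x86 byte-order assumption are mine.

```python
import ipaddress
import re
import struct
from collections import Counter

# Address blocks named in the thread.  Note that AOL's 172.128.0.0/10 lies
# outside RFC 1918's 172.16.0.0/12, which is exactly why the kernel flags it
# as a martian when it shows up as a source on an internal interface.
KNOWN_RANGES = {
    "AOL (172.128.0.0 - 172.191.255.255)": ipaddress.ip_network("172.128.0.0/10"),
    "United Airlines (205.174.16.0 - 205.174.23.255)": ipaddress.ip_network("205.174.16.0/21"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SPECIAL = {
    "this-network (0.0.0.0/8)": ipaddress.ip_network("0.0.0.0/8"),
    "loopback (127.0.0.0/8)": ipaddress.ip_network("127.0.0.0/8"),
    "multicast (224.0.0.0/4)": ipaddress.ip_network("224.0.0.0/4"),
}

# Matches the message format quoted in the thread.
MARTIAN_RE = re.compile(
    r"martian source (?P<src>[0-9a-fA-F]{8}) for (?P<dst>[0-9a-fA-F]{8}),\s*dev (?P<dev>\S+)"
)

# Constructed sample: the two lines quoted in the thread (rejoined onto one
# line each) plus one made-up entry for the United Airlines block.
SAMPLE_LOG = """\
Feb 26 08:17:36 redtrout kernel: martian source 0b49a2ac for ffffffff, dev eth1
Feb 26 08:21:11 redtrout kernel: martian source 490b99ac for ffffffff, dev eth1
Mar  8 09:02:44 redtrout kernel: martian source 0110aecd for ffffffff, dev eth1
"""


def decode_kernel_hex(word: str) -> str:
    """Turn the kernel's %08x dump of a 32-bit address into dotted-quad form.

    On a little-endian host (assumption: x86, which the poster's own
    address/hex table confirms) the printed bytes are in reverse order, so
    '0b49a2ac' is 172.162.73.11, not 11.73.162.172.
    """
    raw = bytes.fromhex(word)                 # b'\x0b\x49\xa2\xac'
    (as_int,) = struct.unpack("<I", raw)      # read it back little-endian
    return str(ipaddress.IPv4Address(as_int))


def classify(ip: str) -> str:
    """Say which block a source address belongs to, from an internal LAN's
    point of view."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "RFC 1918 private (expected on an internal interface)"
    for label, net in KNOWN_RANGES.items():
        if addr in net:
            return label
    for label, net in SPECIAL.items():
        if addr in net:
            return label
    return "other public address (unexpected on an internal interface)"


def parse_martian_log(text: str) -> list:
    """Decode every martian-source line in a syslog excerpt."""
    events = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if not m:
            continue
        src = decode_kernel_hex(m.group("src"))
        events.append({
            "timestamp": line[:15],           # syslog's fixed-width date prefix
            "dev": m.group("dev"),
            "src": src,
            "dst": decode_kernel_hex(m.group("dst")),
            "verdict": classify(src),
        })
    return events


def summarize(events: list) -> Counter:
    """Count martians per (interface, verdict) so repeat offenders stand out."""
    return Counter((e["dev"], e["verdict"]) for e in events)


if __name__ == "__main__":
    found = parse_martian_log(SAMPLE_LOG)
    for e in found:
        print(f"{e['timestamp']} {e['dev']}: {e['src']} -> {e['dst']}  [{e['verdict']}]")
    for (dev, verdict), n in summarize(found).items():
        print(f"{n:3d} on {dev}: {verdict}")
```

Two things the decoded output makes visible that the raw hex does not: the destination ffffffff is 255.255.255.255, the limited broadcast address, so these are broadcasts arriving on eth1 from hosts that currently carry a non-local source address; and the AOL block 172.128.0.0/10 is not inside the RFC 1918 block 172.16.0.0/12 even though both start with 172, so a filter that only matches on the first octet will misclassify it. Which interface or virtual adapter on the workstation holds that address is what the ipconfig / netstat -rn output requested above would show; the log alone does not say.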