They do. What you are seeing are probably forged packets. Nmap etc. all let
you forge SIP, in fact they automate it. One Nmap mode actually actively
obfuscates network scans by doing random SIPs--e.g. 10,000 random SIPs and one
real one--this makes it hard to figure out who is actually scanning your
networks.
Of course, if you don't filter incoming traffic on your inner interfaces, then
the traffic could be from your own network. A lot of people filter only on
their external ints:
outgoing traffic limited to [mynetwork1, mynetwork2, mynetwork3]
incoming traffic limited to [public IP addresses]
Make sense?
--Patrick Darden
--Internetworking Manager
--ARMC
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Drew Weaver
Sent: Tuesday, November 13, 2007 10:09 AM
To: [email protected]
Subject: General question on rfc1918
Hi there, I just had a real quick question. I hope this is found to be
on topic.
Is it to be expected to see rfc1918 src'd packets coming from transit carriers?
We have filters in place on our edge (obviously) but should we be seeing
traffic from 192.168.0.0 and 10.0.0.0 et cetera hitting our transit interfaces?
I guess I'm not sure why large carrier networks wouldn't simply filter this in
their core?
Thanks,
-Drew
