As port 137 is the NetBIOS Name Service port, are you *sure* this is a port scan and not a Windows box (or other OS running NetBIOS crud) that simply has fat-fingered addresses configured?

---
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org

> -----Original Message-----
> From: Ted Fischer [mailto:t...@fred.net]
> Sent: Sunday, 15 January, 2012 01:20
> To: nanog@nanog.org
> Subject: Re: Whois 172/12
>
> Thanks for the replies so far, but not what I was looking for.
>
> I should have specified that I've done several ns & dig lookups just to
> make sure.
>
> We were supposed to have lit up the last of IPv4 last year. I would have
> presumed that meant that there was nothing left. Since I can't find a
> reference to 172/12 anywhere, one might be led to presume that it was
> allocated somehow, to someone (perhaps inadvertently not recorded) since
> there are - supposedly - no fresh IPv4 addresses left to allocate, and the
> only reference to this block is that 172/8 is allocated to ARIN. It
> doesn't even appear in RFC 5735.
>
> We all know about 172.16/12 - nothing left of that horse but glue.
>
> My question is about 172/12. Where is it, what is its supposed purpose.
> I'm almost sure it's an internal box. I just find it better to give a
> professional answer to "why can't I use this" than just "you can't use
> this and why is this address scanning you for udp/137 anyway".
>
> If someone can point out to me what was done with 172/12 I'd appreciate it.
>
>
> Patrick opined:
> > Read RFC1918.
>
> I didn't remember seeing anything about 172/12 in RFC1918. Looked at it
> again. Is there something about 172/12 I missed? Thanks.
>
> > Likely a machine on his local network (i.e. behind the same NAT box) is
> > hitting him.
> >
> > But that is not guaranteed. A packet with a source address of 172.0.x.x
> > could be hitting his machine. Depends on how well you filter. Many
> > networks only look at destination IP address, source can be anything -
> > spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back
> > to it (unless it was on the local LAN, as I mention above).
> >
> > --
> > TTFN,
> > patrick
> >
> >
> > On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:
> >
> >> As far as I know, 172.0.1.216 is not assigned, yet.
> >>
> >> whois -h whois.arin.net 172.0.1.216
> >> [whois.arin.net]
> >> #
> >> # Query terms are ambiguous. The query is assumed to be:
> >> # "n 172.0.1.216"
> >> #
> >> # Use "?" to get help.
> >> #
> >>
> >> No match found for 172.0.1.216.
> >>
> >>
> >>
> >> #
> >> # ARIN WHOIS data and services are subject to the Terms of Use
> >> # available at: https://www.arin.net/whois_tou.html
> >> #
> >>
> >> Also, when you check BGP routing table, it is not routed at all.
> >>
> >> route-server.as3257.net>sh ip bgp 172.0.1.216
> >> % Network not in table
> >> route-server.as3257.net>
> >>
> >> So it seems like forged IP address.
> >>
> >> Alex
> >>
> >>
> >> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <t...@fred.net> wrote:
> >>> Hi all,
> >>>
> >>> Tearing what's left of my hair out.
> >>>
> >>> A customer is getting scanned by a host claiming to be "172.0.1.216".
> >>>
> >>> I know this is bogus, but I want to go back to the customer with as
> >>> much authoritative umph as I can (heaven forbid they just take my
> >>> word).
> >>>
> >>> I'm pretty sure I read somewhere once that 172/12 was "reserved" or
> >>> something like that. All I can find now is that 172/8 is "administered
> >>> by
> >>> ARIN". Lots of information on 172.16/12, but not a peep about
> >>> 172/12.
> >>>
> >>> If anybody could provide some insight as to the
> >>> allocation/non-allocation of this block, it would be much appreciated.
> >>>
> >>> Thanks.
> >>>
> >>> Ted Fischer
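
The triage the thread works through (172.0.1.216 falls outside the RFC 1918 block 172.16.0.0/12; is the udp/137 traffic coming from the local segment or from outside?), as an added example that is not part of any message above. The log layout, the interface names `eth0`/`eth1`, and the LAN prefix 192.168.10.0/24 are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# RFC 1918 private ranges; the only 172.x block among them is 172.16.0.0/12
# (172.16.0.0 - 172.31.255.255), so 172.0.0.0/12 is not covered.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the prefix actually configured on the customer's LAN.
LOCAL_PREFIXES = [ipaddress.ip_network("192.168.10.0/24")]
NETBIOS_NS = ("UDP", 137)  # NetBIOS Name Service

# Constructed sample lines in a key=value firewall-log layout (assumed format).
SAMPLE_LOG = """\
IN=eth1 SRC=172.0.1.216 DST=192.168.10.5 PROTO=UDP SPT=137 DPT=137
IN=eth1 SRC=172.16.4.9 DST=192.168.10.5 PROTO=UDP SPT=137 DPT=137
IN=eth1 SRC=192.168.10.77 DST=192.168.10.255 PROTO=UDP SPT=137 DPT=137
IN=eth0 SRC=172.0.1.216 DST=192.168.10.5 PROTO=UDP SPT=137 DPT=137
IN=eth0 SRC=172.0.1.216 DST=192.168.10.5 PROTO=TCP SPT=40000 DPT=445
"""

def classify_source(addr, local=LOCAL_PREFIXES):
    """Place a source address relative to the LAN and RFC 1918."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in local):
        return "local-lan"
    if any(ip in net for net in RFC1918):
        return "rfc1918-not-local"
    return "not-rfc1918"

def triage(log_text, lan_iface="eth1"):
    """Return (src, class, verdict) for every udp/137 entry in the log."""
    findings = []
    for line in log_text.splitlines():
        f = dict(re.findall(r"(\w+)=(\S+)", line))
        if (f.get("PROTO"), int(f.get("DPT", 0))) != NETBIOS_NS:
            continue  # only NetBIOS name traffic is of interest here
        kind = classify_source(f["SRC"])
        if kind == "local-lan":
            verdict = "normal NetBIOS name traffic"
        elif f.get("IN") == lan_iface:
            # Seen on the inside interface: a neighbour with a wrong address.
            verdict = "wrong or spoofed address on the local segment"
        else:
            verdict = "arrived from outside: check allocation and routing, filter by source"
        findings.append((f["SRC"], kind, verdict))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep=" | ")
```
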