[c-nsp] something a little different rfc1918 from transit networks?

Church, Charles cchurc05 at harris.com
Tue Nov 13 10:05:46 EST 2007


Could be spoofed, could be no one is doing any uRPF or similar filtering
between the source and you.  Could be a mis-configured NAT at the
source, and they were supposed to be NATed.  Is the destination
something useful like a public web server, or does it look more
sinister?  What's the TTL on it when it gets to you? 

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
Sent: Tuesday, November 13, 2007 9:46 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] something a little different rfc1918 from transit
networks?

SLOT 6:Nov 12 17:10:36.121 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet2 ) -> ip.add.re.ss(0), 1 packet
SLOT 10:Nov 12 17:10:39.841 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet0 ) -> ip.add.re.ss(0), 1 packet

This is the first time I can say I've ever seen this. I'm assuming it's
spoofed but I'm not going to rule anything out here.

Let's say that slot 6/2 is connected to one transit carrier and slot 10/0
is connected to another transit carrier (which is the case).

I'm trying to figure out if those 192.168.1.2 packets that my ACL 175
is denying are actually SRC'd from 192.168.1.2 or they're spoofed. Is
there any way to know that for sure?

Any thoughts or advice?

Thanks,
-Drew
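
An added example, not part of the original thread: a small Python parser for the `%SEC-6-IPACCESSLOGP` lines quoted above that totals denied packets with RFC 1918 sources per ingress slot and interface. The destination `203.0.113.10` stands in for the redacted address and the third log line is constructed; the tally shows where such packets enter, not whether the source is spoofed or a leaked un-NATed host.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two lines from the post (wrapping rejoined, redacted
# destination replaced by a documentation address) plus one invented public-source line.
SAMPLE_LOG = """\
SLOT 6:Nov 12 17:10:36.121 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet2 ) -> 203.0.113.10(0), 1 packet
SLOT 10:Nov 12 17:10:39.841 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet0 ) -> 203.0.113.10(0), 1 packet
SLOT 10:Nov 12 17:11:02.004 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 198.51.100.7(4312) (GigabitEthernet0 ) -> 203.0.113.10(80), 3 packets
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"(?:SLOT (?P<slot>\d+):)?.*?%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) "
    r"(?:\((?P<ifname>[^)]*?)\s*\) )?-> "          # ingress interface is optional
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse(log_text):
    """Yield one dict per IPACCESSLOGP line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec

def private_sources_by_ingress(log_text):
    """Total denied packets with RFC 1918 sources per (slot, interface, source)."""
    hits = Counter()
    for rec in parse(log_text):
        if rec["action"] == "denied" and is_rfc1918(rec["src"]):
            hits[(rec["slot"], rec["ifname"], rec["src"])] += rec["count"]
    return hits

if __name__ == "__main__":
    for (slot, ifname, src), pkts in sorted(private_sources_by_ingress(SAMPLE_LOG).items(), key=str):
        print(f"slot {slot} {ifname}: {pkts} packet(s) from {src}")
```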