[c-nsp] something a little different rfc1918 from transitnetworks?

Eric Van Tol eric at atlantech.net
Tue Nov 13 10:29:28 EST 2007


I think the question the OP is asking is, why would the same exact
address be seen from two different peers, each 3 seconds apart?  If this
is the real question, I would assume that since 192.168.1.2 is a pretty
common rfc1918 address, that they are two different machines on separate
providers.  However, it's still very strange and I would say
statistically improbable.

With that said, the answers provided thus far are also correct.  There
is really no way to tell whether they are spoofed or sourced from an
actual address without tracking it down all the way to the source.

-evt

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Freedman
> Sent: Tuesday, November 13, 2007 10:04 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] something a little different rfc1918 
> from transitnetworks?
> 
> Drew Weaver wrote:
> > SLOT 6:Nov 12 17:10:36.121 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet2 ) -> ip.add.re.ss(0), 1 packet
> > SLOT 10:Nov 12 17:10:39.841 EST: %SEC-6-IPACCESSLOGP: list 175 denied tcp 192.168.1.2(0) (GigabitEthernet0 ) -> ip.add.re.ss(0), 1 packet
> > 
> > This is the first time I can say I've ever seen this, I'm
> > assuming it's spoofed but I'm not going to rule anything out here.
> > 
> > Let's say that slot 6/2 is connected to one transit carrier
> > and slot 10/0 is connected to another transit carrier (which
> > is the case)
> 
> This is normal, somebody reachable via your upstream (possibly a
> downstream or peer without uRPF configured) has been sending packets
> sourced from these addresses.
> 
> 
> > 
> > I'm trying to figure out if those 192.168.1.2 packets that
> > my ACL 175 is denying are actually SRC'd from 192.168.1.2 or
> > they're spoofed,
> > is there any way to know that for sure?
> 
> Of course they are sourced from 192.168.1.2, in so much as
> somebody has created packets with this as the source address
> and their network provider has not filtered them.
> 
> > 
> > Any thoughts or advice?
> 
> It's normal, providing you filter RFC1918 as part of your
> standard bogon filtering you shouldn't need to lose any sleep
> over it.
> 
> Dave.
> 
> 
> > 
> > Thanks,
> > -Drew
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> 
> 
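
As an added example (not part of the thread and not any poster's code), the Python below parses %SEC-6-IPACCESSLOGP deny lines in the format quoted above and groups RFC 1918 sources by ingress line card and interface, so a source that arrives via more than one transit stands out. The sample lines are constructed, with 203.0.113.10 standing in for the redacted destination; the grouping shows where the packets entered, not whether the source address is spoofed.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges; a full bogon filter covers more prefixes than this.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Line-card log format as quoted in the thread (interface has a trailing space).
LOG_RE = re.compile(
    r"SLOT (?P<slot>\d+):.*?%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\(\d+\) \((?P<intf>[^)]*?)\s*\) -> "
    r"(?P<dst>\S+?)\(\d+\), (?P<count>\d+) packets?")

def parse_line(line):
    """Return the fields of one IPACCESSLOGP deny line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["ingress"] = "slot%s/%s" % (rec["slot"], rec["intf"])
    return rec

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed address in the log line
        return False
    return any(ip in net for net in RFC1918)

def rfc1918_by_ingress(lines):
    """Map each RFC 1918 source to {ingress: denied packet count}."""
    seen = defaultdict(lambda: defaultdict(int))
    for rec in filter(None, map(parse_line, lines)):
        if is_rfc1918(rec["src"]):
            seen[rec["src"]][rec["ingress"]] += rec["count"]
    return {src: dict(ports) for src, ports in seen.items()}

def multi_ingress_sources(lines):
    """RFC 1918 sources denied on more than one ingress interface."""
    return sorted(s for s, p in rfc1918_by_ingress(lines).items() if len(p) > 1)

# Constructed sample; 203.0.113.10 stands in for the redacted destination.
PFX = "EST: %SEC-6-IPACCESSLOGP: list 175 denied "
SAMPLE = [
    "SLOT 6:Nov 12 17:10:36.121 " + PFX + "tcp 192.168.1.2(0) (GigabitEthernet2 ) -> 203.0.113.10(0), 1 packet",
    "SLOT 10:Nov 12 17:10:39.841 " + PFX + "tcp 192.168.1.2(0) (GigabitEthernet0 ) -> 203.0.113.10(0), 1 packet",
    "SLOT 6:Nov 12 17:11:02.004 " + PFX + "udp 10.1.1.5(0) (GigabitEthernet2 ) -> 203.0.113.10(0), 3 packets",
    "SLOT 6:Nov 12 17:11:05.500 " + PFX + "tcp 198.51.100.7(0) (GigabitEthernet2 ) -> 203.0.113.10(0), 1 packet"]
```

Calling `multi_ingress_sources(SAMPLE)` returns the sources denied on more than one ingress interface, and `rfc1918_by_ingress(SAMPLE)` gives the per-interface packet counts.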

