Date: Wed, 19 Dec 2001 15:45:16 -0600
From: Dan Nelson <dnelson@allantgroup.com>
To: parv <parv_@yahoo.com>
Cc: f-q <freebsd-questions@FreeBSD.ORG>
Subject: Re: any way to locate the real source ip of an 10/8 address?
Message-ID: <20011219214515.GB30574@dan.emsphone.com>
In-Reply-To: <20011218133818.A23891@moo.holy.cow>
References: <20011218133818.A23891@moo.holy.cow>

In the last episode (Dec 18), parv said:
> is there hope of locating the real ip address behind an 10.0.0.0/8
> address in general?
>
> i wouldn't have mind it if ipf blocked only a few of them. but i
> am seeing an ip address blocked very often. below are two of the >90
> ipf alerts w/ most relevant information...
>
> b 10.112.1.1,80 -> a.b.c.d,port PR tcp len 20 1500 -A 1044505376 3051010357 17140 IN
> b 10.112.1.1,80 -> a.b.c.d,port PR tcp len 20 817 -AFP 248335848 1496692188 17204 IN

Chances are this *is* the real IP of some machine at timex, and their
NAT is somehow letting these packets through, AND their ISP is not
blocking the invalid packets from entering the Internet. Double
trouble. I don't see these because my border router has packet filters
that block invalid/spoofed IPs from entering my network.

They look like leaked ACKs from a TCP request from your machine a.b.c.d
to the webserver at the 10.* machine.

--
Dan Nelson
dnelson@allantgroup.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
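
Added example, not part of the original message: a small Python triage script that parses alerts in the abbreviated form quoted above, counts blocked inbound packets whose source is a non-routable address, and checks whether a packet has the shape of a reply (ACK set, no SYN, well-known source port). The sample lines are constructed, with 192.0.2.10 and port 34567 standing in for the redacted a.b.c.d,port; the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Source ranges that should never arrive from the Internet side
# (RFC 1918 private space, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Abbreviated alert form as quoted in the message (not full ipmon output):
#   b SRC,SPORT -> DST,DPORT PR tcp len HLEN LEN -FLAGS SEQ ACK WIN IN
LINE_RE = re.compile(
    r"^(?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) len \d+ \d+ "
    r"-(?P<flags>[A-Z]+) \d+ \d+ \d+ (?P<dir>IN|OUT)$")

def parse(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def leaked_private_sources(lines):
    """Count blocked inbound packets per (non-routable source, source port)."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if not rec or rec["action"] != "b" or rec["dir"] != "IN":
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in NON_ROUTABLE):
            hits[(rec["src"], int(rec["sport"]))] += 1
    return hits

def looks_like_reply(rec):
    """ACK set, SYN clear, source port below 1024: shaped like a server's
    response to an existing connection rather than a new inbound attempt."""
    return ("A" in rec["flags"] and "S" not in rec["flags"]
            and int(rec["sport"]) < 1024)

# Constructed sample input; addresses other than 10.112.1.1 are placeholders.
SAMPLE = [
    "b 10.112.1.1,80 -> 192.0.2.10,34567 PR tcp len 20 1500 -A 1044505376 3051010357 17140 IN",
    "b 10.112.1.1,80 -> 192.0.2.10,34567 PR tcp len 20 817 -AFP 248335848 1496692188 17204 IN",
    "b 198.51.100.7,4321 -> 192.0.2.10,22 PR tcp len 20 60 -S 123456 0 16384 IN",
    "p 192.0.2.10,34568 -> 203.0.113.5,80 PR tcp len 20 60 -S 1 0 16384 OUT",
]

if __name__ == "__main__":
    for (src, sport), n in leaked_private_sources(SAMPLE).items():
        print(f"{src} port {sport}: {n} blocked inbound packets from non-routable space")
```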