Date:      Thu, 27 Jan 2000 23:54:56 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        brett@lariat.org (Brett Glass)
Cc:        dillon@apollo.backplane.com (Matthew Dillon), security@FreeBSD.ORG
Subject:   Re: Riddle me this
Message-ID:  <200001280754.XAA80366@gndrsh.dnsmgr.net>
In-Reply-To: <4.2.2.20000127171529.00c56a00@localhost> from Brett Glass at "Jan 27, 2000 05:21:50 pm"

> At 09:25 PM 1/26/2000 , Matthew Dillon wrote:
> 
> >    It's hard to say without doing a continuous tcpdump but the most likely
> >     possibility is that someone was playing a game or doing something else
> >     related to sending and receiving UDP packets, and then disconnected.  
> 
> Actually, I think I just found out what it was.
> 
> Two words: HP JetAdmin.
...

> And it gets worse. The default address of the print server hardware -- which
> the client software tries to reach when it's setting up -- is (are you ready?)
> 192.0.0.192.
> 
> This isn't a legal address, nor is it a standard "unregistered" address for
> a private subnet. So, natd tries to route it.

Do you even know how to check for that:
whois -a 192.0.0.192

IANA


 (RESERVED-2)		RESERVED-192	     192.0.0.0 - 192.0.255.255
IANA
 (NET-ROOT-NS-LAB)	ROOT-NS-LAB			     192.0.0.0

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.

Great, looks like ARIN doesn't know what netascii is any more... ARGGHH!!


whois -a NET-ROOT-NS-LAB
IANA
 (NET-ROOT-NS-LAB)
   c/o Information Sciences Institute
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695

   Netname: ROOT-NS-LAB
   Netnumber: 192.0.0.0

   Coordinator:
      Internet Assigned Numbers Authority  (IANA-ARIN)  iana@IANA.ORG
      (310) 823-9358
Fax- (310) 823-8649

   Domain System inverse mapping provided by:

   ORB.ISI.EDU			128.9.160.66

   Record last updated on 14-Oct-1999.
   Database last updated on 27-Jan-2000 17:26:04 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.

> We really ought to block this by default by putting a "black hole" entry in
> the system routing table. It certainly should not ever be routed.... Cisco
> routers automatically blackhole it.

Nope, it is valid routable IP space.   Someone should smash HP upside
the head; 192.0.2.0/24 is the more correct place to do this.

And you don't really need to blackhole it, the space is pretty much
unroutable globally anyway (confirmed on a 15 AS peer bgp cisco),
given in simple form from a unix box here:
                -- J. Paul Getty
:rgrimes {101}% netstat -rn | grep ^192.0
192.0.32           205.238.40.1       UGc         0        0      de0
192.0.34           205.238.40.1       UGc         0        0      de0

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
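
Added example, not part of the original message or of FreeBSD: a small Python check of the two questions the thread turns on, namely whether 192.0.0.192 is RFC 1918 private space and which entry of a `netstat -rn` table it would match. The routing table is a constructed sample (only the two 192.0 lines come from the message), and the rule used to expand abbreviated destinations is an assumption stated in the code.

```python
import ipaddress

# RFC 1918 private blocks, the "unregistered" space the thread refers to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the two 192.0 lines are from the message; the header,
# the default route and the 205.238.40 line are made up for illustration.
SAMPLE = """\
Destination        Gateway            Flags     Refs     Use     Netif
default            205.238.40.1       UGSc        0        0      de0
192.0.32           205.238.40.1       UGc         0        0      de0
192.0.34           205.238.40.1       UGc         0        0      de0
205.238.40         link#1             UC          0        0      de0
"""

def parse_dest(dest, flags):
    """Turn a netstat -rn destination into an ip_network.
    Assumption: without an explicit /len, the prefix length is 8 bits per
    octet shown (so 192.0.32 means 192.0.32.0/24); H-flagged entries are /32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not all(o.isdigit() for o in octets) or len(octets) > 4:
        raise ValueError("not an IPv4 destination: " + dest)
    if not plen:
        plen = "32" if "H" in flags else str(8 * len(octets))
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(padded + "/" + plen, strict=False)

def parse_table(text):
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] == "Destination":
            continue
        try:
            routes.append((parse_dest(f[0], f[2]), f[1]))
        except ValueError:
            continue  # skip IPv6, link-layer or malformed rows
    return routes

def lookup(routes, ip):
    """Longest-prefix match; returns (network, gateway) or None."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in n for n in RFC1918)
```

With the sample table, 192.0.0.192 is not RFC 1918 space and matches only the default route, so a NAT gateway with a default route forwards it upstream; on a table with no default route the lookup returns None.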

