From owner-freebsd-security Thu Jan 27 23:55:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 40C8F14DF6 for ; Thu, 27 Jan 2000 23:55:25 -0800 (PST) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id XAA80366; Thu, 27 Jan 2000 23:54:57 -0800 (PST) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200001280754.XAA80366@gndrsh.dnsmgr.net>
Subject: Re: Riddle me this
In-Reply-To: <4.2.2.20000127171529.00c56a00@localhost> from Brett Glass at "Jan 27, 2000 05:21:50 pm"
To: brett@lariat.org (Brett Glass)
Date: Thu, 27 Jan 2000 23:54:56 -0800 (PST)
Cc: dillon@apollo.backplane.com (Matthew Dillon), security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> At 09:25 PM 1/26/2000 , Matthew Dillon wrote:
>
> > It's hard to say without doing a continuous tcpdump but the most likely
> > possibility is that someone was playing a game or doing something else
> > related to sending and receiving UDP packets, and then disconnected.
>
> Actually, I think I just found out what it was.
>
> Two words: HP JetAdmin.

...

> And it gets worse. The default address of the print server hardware -- which
> the client software tries to reach when it's setting up -- is (are you ready?)
> 192.0.0.192.
>
> This isn't a legal address, nor is it a standard "unregistered" address for
> a private subnet. So, natd tries to route it.

Do you even know how to check for that:

whois -a 192.0.0.192
IANA (RESERVED-2)          RESERVED-192      192.0.0.0 - 192.0.255.255
IANA (NET-ROOT-NS-LAB)     ROOT-NS-LAB       192.0.0.0

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet Network
Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.

Great, looks like ARIN doesn't know what netascii is any more... ARGGHH!!

whois -a NET-ROOT-NS-LAB
IANA (NET-ROOT-NS-LAB)
   c/o Information Sciences Institute
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695

   Netname: ROOT-NS-LAB
   Netnumber: 192.0.0.0

   Coordinator:
      Internet Assigned Numbers Authority  (IANA-ARIN)  iana@IANA.ORG
      (310) 823-9358
      Fax- (310) 823-8649

   Domain System inverse mapping provided by:

   ORB.ISI.EDU                  128.9.160.66

   Record last updated on 14-Oct-1999.
   Database last updated on 27-Jan-2000 17:26:04 EDT.

The ARIN Registration Services Host contains ONLY Internet Network
Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.

> We really ought to block this by default by putting a "black hole" entry in
> the system routing table. It certainly should not ever be routed.... Cisco
> routers automatically blackhole it.

Nope, it is valid routable IP space. Someone should smash HP upside the
head, 192.0.2.0/24 is the more correct place to do this. And you don't
really need to blackhole it, the space is pretty much unroutable globally
anyway (confirmed on a 15 AS peer bgp cisco), given in simple form from a
unix box here:

-- J. Paul Getty
:rgrimes {101}% netstat -rn | grep ^192.0
192.0.32           205.238.40.1       UGc         0        0      de0
192.0.34           205.238.40.1       UGc         0        0      de0

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)                rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
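Added example, not from this thread: a Python check that classifies a packet's destination against the IANA special-purpose IPv4 blocks (today's registry lists 192.0.0.0/24 as IETF Protocol Assignments per RFC 6890 and 192.0.2.0/24 as TEST-NET-1 per RFC 5737), run over a few constructed tcpdump-style lines like the ones a natd box would show for the JetAdmin probes discussed above. The range table, the log format and the sample addresses are assumptions.

```python
# Added example (not from the thread): flag outbound flows whose destination
# falls in an IANA special-purpose IPv4 block. Table drawn from RFC 1918/3927/
# 5737/6890; sample lines are constructed in tcpdump's "IP src.port > dst.port:" style.
import ipaddress
import re
from typing import List, Optional, Tuple

SPECIAL_PURPOSE = {
    "10.0.0.0/8": "private (RFC 1918)",
    "172.16.0.0/12": "private (RFC 1918)",
    "192.168.0.0/16": "private (RFC 1918)",
    "169.254.0.0/16": "link-local (RFC 3927)",
    "192.0.0.0/24": "IETF protocol assignments (RFC 6890)",
    "192.0.2.0/24": "TEST-NET-1, documentation only (RFC 5737)",
    "198.51.100.0/24": "TEST-NET-2, documentation only (RFC 5737)",
    "203.0.113.0/24": "TEST-NET-3, documentation only (RFC 5737)",
}
_TABLE = [(ipaddress.ip_network(n), d) for n, d in SPECIAL_PURPOSE.items()]

def classify(addr: str) -> Optional[str]:
    """Most specific special-purpose block containing addr, else None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, desc) for net, desc in _TABLE if ip in net]
    if not hits:
        return None
    # Longest prefix wins, as in a routing-table lookup.
    return max(hits, key=lambda h: h[0].prefixlen)[1]

_FLOW = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")

def flag_flows(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(src, dst, reason) for each flow whose destination should never leave
    the site; seen on a NAT box's outside interface they point at misconfigured hosts."""
    flagged = []
    for line in lines:
        m = _FLOW.search(line)
        if m is None:
            continue
        src, dst = m.groups()
        reason = classify(dst)
        if reason is not None:
            flagged.append((src, dst, reason))
    return flagged

# Constructed capture: a JetAdmin-style probe to 192.0.0.192, an ordinary DNS
# query, and a packet to a documentation prefix; source is a TEST-NET-2 stand-in.
SAMPLE = [
    "23:55:01.10 IP 198.51.100.7.1027 > 192.0.0.192.427: UDP, length 40",
    "23:55:01.20 IP 198.51.100.7.1028 > 128.9.160.66.53: UDP, length 60",
    "23:55:02.30 IP 198.51.100.7.1029 > 192.0.2.5.161: UDP, length 70",
]
```

On a FreeBSD NAT gateway the same check can be fed from `tcpdump -n -i <outside_if>` and the flagged destinations turned into firewall deny rules instead of relying on the address being unroutable upstream.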