From owner-freebsd-security  Tue Jun 25 16:23:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from apnic.net (cumin.apnic.net [202.12.29.59])
	by hub.freebsd.org (Postfix) with ESMTP id B326A37B403
	for <security@freebsd.org>; Tue, 25 Jun 2002 16:23:39 -0700 (PDT)
Received: from durian.apnic.net (durian.apnic.net [202.12.29.252])
	by apnic.net (8.12.1/8.12.1) with ESMTP id g5PNNXFi018989;
	Wed, 26 Jun 2002 09:23:34 +1000
Received: from durian.apnic.net (ggm@localhost)
	by durian.apnic.net (8.11.6/8.11.6) with ESMTP id g5PNNSg30410;
	Wed, 26 Jun 2002 09:23:32 +1000
To: security@freebsd.org
Cc: goatee@binary.net
Subject: Random address in asia != APNIC
From: ggm@apnic.net
Date: Wed, 26 Jun 2002 09:23:28 +1000
Message-ID: <30409.1025047408@durian.apnic.net>
X-Scanned-By: MIMEDefang 2.1 (www dot roaringpenguin dot com slash mimedefang)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


Blaine Kahle <goatee@binary.net> Said in security@freebsd.org:

> And I think it's being scanned for:
>
> Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with 
> SSH-1.0-SSH_Version_Mapper.  Don't panic.
> Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification string 
> from 203.74.9.16
>
>203.74.9.16 is APNIC.

Please, if you work in a 'security' domain in FreeBSD, do not, ever attribute
random addresses to the Internet Registry that allocated them.

APNIC, RIPE, ARIN (and soon LACNIC and AFRNIC) are registries. They are
not the source, they provision the handing out of the addresses. 

They are not responsible for the packet source, or destination of arbitrary
flows in the internet. 

Indeed, whois contact information is often out of date, and the whois returns
the /8 network region which is the parent block, but that doesn't make the
packets 'ours' -It just means we're doing the best we can to tell you where
the addresses were obtained. Not where they are used, not where the sender
is.

If you run, configure, write code which intuits owners from whois, can you
not propagate this mistake please?

cheers

-George

George Michaelson       |  APNIC
Email: ggm@apnic.net    |  PO Box 2131 Milton QLD 4064
Phone: +61 7 3858 3100  |  Australia
  Fax: +61 7 3858 3199  |  http://www.apnic.net




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message