198.32.64.12 -- Harmless mis-route or potential exploit?

Dan Mahoney, System Admin danm at prime.gushi.org
Tue Sep 2 17:24:21 CDT 2008


Hello all,

While recently trying to debug a CEF issue, I found a good number of 
packets in my "debug cef drops" output that were all directed at 
198.32.64.12 (which I see as being allocated to ep.net but completely 
unused).

Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for 
anything, but I see occasional references to it, such as here:

http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet 
due to "no route" (this provider is running defaultless, so unless such a 
route exists, it should be okay).

On the other hand, one of the other packets I'm seeing specifically refers 
to a DNS exploit, so should I then dispatch to people to trace down the 
source origin ?  (Suffice it to say the resources are there to find it 
fairly easily, even if the source address is forged).

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------





More information about the NANOG mailing list