198.32.64.12 -- Harmless mis-route or potential exploit?

Tue Sep 2 22:28:36 UTC 2008

My profile and resume: http://www.linkedin.com/in/gadievron
On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:

> Hello all,
>
> While recently trying to debug a CEF issue, I found a good number of packets 
> in my "debug cef drops" output that were all directed at 198.32.64.12 (which 
> I see as being allocated to ep.net but completely unused).
>
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>
> Now, as nearly as I can tell, this IP address has never been used for 
> anything, but I see occasional references to it, such as here:
>
> http://www.honeynet.org/papers/forensics/exploit.html
>
> So the question is, should I just ignore this as a properly dropped packet 
> due to "no route" (this provider is running defaultless, so unless such a 
> route exists, it should be okay).
>
> On the other hand, one of the other packets I'm seeing specifically refers to 
> a DNS exploit, so should I then dispatch to people to trace down the source 
> origin ?  (Suffice it to say the resources are there to find it fairly 
> easily, even if the source address is forged).

It should be treated as an intelligence source, sharing that one openly is 
probably counter-productive.

Regardless, very interesting. I think follow-up just for interest's sake 
may be worth it.

> -Dan
>
> -- 
>
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
>
>