routing invalid IP addresses

Richard A Steenbergen ras at e-gerbil.net
Sat Feb 21 13:16:12 UTC 2004


On Sat, Feb 21, 2004 at 07:47:46AM -0500, Geo. wrote:
> 
> We had an attack here last night and the attack traffic was coming from an
> IP address of x.x.255.x which isn't a valid IP address yet the traffic was
> being routed over the internet (as far as I can tell anyway). When I
> attempted to track down the source I found our cisco routers wouldn't accept
> the address as valid so it was not possible to null route or trace the
> traffic.

*GASP* Traffic with an invalid IP address being routed over the Internet? 
Dear god NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO! Please 
say it isn't so. Oh the humanity.

Actually, it is a perfectly valid IP address. You just need to turn on ip 
subnet-zero.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f18.shtml

That means nothing however, as there is traffic with invalid source
addresses routed over the Internet all the time. Routing has nothing to do
with source IP, and everything to do with dest IP. If you want to filter
it, use an acl.

> Has anyone else ever seen this before? Clue me in?

I don't think an ordinary clue stick will do... Hrm perhaps a stick of 
clue dynamite is in order.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
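
The point made in the reply above, that forwarding looks only at the destination address and that dropping by source takes an ACL, as an added Python example that is not part of the original message. The route table, the ACL entry and the address 10.20.255.7 (standing in for the elided x.x.255.x) are constructed for illustration.

```python
import ipaddress

# Constructed forwarding table: (destination prefix, next hop).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("198.51.100.0/24"), "customer-lan"),
    (ipaddress.ip_network("198.51.100.128/25"), "customer-dmz"),
]

# Constructed inbound ACL: source prefixes to drop.
DENY_SOURCES = [ipaddress.ip_network("10.20.255.0/24")]


def lookup(dst):
    """Longest-prefix match on the destination; the source is not an input."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def acl_permits(src):
    """Source filtering is a separate check that must be configured explicitly."""
    src = ipaddress.ip_address(src)
    return not any(src in net for net in DENY_SOURCES)


def forward(src, dst, acl=False):
    """Model one hop: optional source ACL first, then destination lookup."""
    if acl and not acl_permits(src):
        return "drop"
    return lookup(dst) or "drop"


def classify(addr, prefix):
    """Say whether addr is the network, broadcast or a host address in prefix."""
    net = ipaddress.ip_network(prefix)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    if ip == net.network_address:
        return "network"
    return "broadcast" if ip == net.broadcast_address else "host"


if __name__ == "__main__":
    print(classify("10.20.255.7", "10.20.0.0/16"))            # a 255 octet alone is fine
    print(forward("10.20.255.7", "198.51.100.200"))           # routed on destination
    print(forward("10.20.255.7", "198.51.100.200", acl=True)) # dropped by source ACL
```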


