198.32.64.12 -- Harmless mis-route or potential exploit?

Paul Wall pauldotwall at gmail.com
Tue Sep 2 22:44:44 UTC 2008


Gadi,

Could you please take the self-promotion offline already?  Enough is
enough!  I don't think anybody on this list is interested in hiring
you or reviewing your resume!

(It could be argued that my post is off-topic as well.  I disagree.
Furthermore, it had to be done, given the lack of public face or
consistent enforcement action of the current MLC.)

Drive Slow,
Paul Wall
http://www.linkedin.com/in/paulwall

On Tue, Sep 2, 2008 at 6:28 PM, Gadi Evron <ge at linuxbox.org> wrote:
> My profile and resume: http://www.linkedin.com/in/gadievron
> On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:
>
>> Hello all,
>>
>> While recently trying to debug a CEF issue, I found a good number of
>> packets in my "debug cef drops" output that were all directed at
>> 198.32.64.12 (which I see as being allocated to ep.net but completely
>> unused).
>>
>> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>> Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
>>
>> Now, as nearly as I can tell, this IP address has never been used for
>> anything, but I see occasional references to it, such as here:
>>
>> http://www.honeynet.org/papers/forensics/exploit.html
>>
>> So the question is, should I just ignore this as a properly dropped packet
>> due to "no route" (this provider is running defaultless, so unless such a
>> route exists, it should be okay).
>>
>> On the other hand, one of the other packets I'm seeing specifically refers
>> to a DNS exploit, so should I then dispatch to people to trace down the
>> source origin ?  (Suffice it to say the resources are there to find it
>> fairly easily, even if the source address is forged).
>
> It should be treated as an intelligence source, sharing that one openly is
> probably counter-productive.
>
> Regardless, very interesting. I think follow-up just for interest's sake may
> be worth it.
>
>
>> -Dan
>>
>> --
>>
>> --------Dan Mahoney--------
>> Techie,  Sysadmin,  WebGeek
>> Gushi on efnet/undernet IRC
>> ICQ: 13735144   AIM: LarpGM
>> Site:  http://www.gushi.org
>> ---------------------------
>>
>>
>
>




More information about the NANOG mailing list