North American Network Operators Group


More on black-holed reserved/8 block.

  • From: Valdis.Kletnieks
  • Date: Thu Jul 20 13:15:28 2000

As one person explained to me, often miscreants broadcast a bogus route
so they can launch an attack from a 'reserved' space.

What I probably was not clear enough about in my original question was why the
person at bungi.com was even TRYING to traceroute to a 98/ address.  Was
it something that showed up in an access log as a failed attempt, or?

Is it the case that above.net is black-holing packets with a *destination*
in the RBL, but *not* filtering packets with a *source* address from
the RBL?  If so, this would still allow RPC-based attacks (and TCP as well,
if the victim's box had bad sequence number prediction).

What are other sites that use the RBL BGP feed doing in this case?

(And yes, I understand that many routers can route to a blackhole destination
a lot faster than they can apply an ACL on the source).

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

traceroute to 98.100.32.32 (98.100.32.32): 1-30 hops, 38 byte packets
 1  main.bungi.com (207.126.97.9)  2.15 ms  1.73 ms  1.86 ms
 2  above-gw2.above.net (207.126.96.217)  4.41 ms  4.88 ms  3.67 ms
 3  core5-main2-oc3.sjc.above.net (216.200.0.205)  3.62 ms  4.56 ms  7.53 ms
 4  core3-core5-oc48.sjc2.above.net (208.184.102.206)  6.34 ms  5.7 ms  5.3 ms
 5  iad-sjc2-oc48.iad.above.net (216.200.127.25)  73.0 ms  79.7 ms  72.6 ms
 6  hat.address.is.on.the.rbl.see.www.mail-abuse.org.for.more.information.above.net

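The asymmetry the post asks about, as an added illustration that is not part of the original message or of anything above.net ran: a destination-based blackhole (what a BGP feed with a Null0 next-hop gives you) only ever consults the destination address, so a packet whose *source* is spoofed from a blackholed block, sent blind to a victim, is forwarded untouched; only a source-based check catches it. The feed contents, the victim address and the packet set below are constructed for the example; 98/8 is the block from the thread, the other prefix is made up.

```python
import ipaddress

# Constructed stand-in for the RBL BGP feed: prefixes announced with a
# blackhole next-hop. 98/8 is the reserved block from the thread;
# 192.0.2.0/24 is a made-up extra entry (assumption, not from the post).
RBL_FEED = ["98.0.0.0/8", "192.0.2.0/24"]

VICTIM = "203.0.113.10"   # constructed "our customer" address


def build_table(prefixes):
    """Networks sorted most-specific first, mimicking a longest-match lookup."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def lookup(addr, table):
    """Return the most specific listed prefix covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in table:
        if ip in net:
            return net
    return None


def destination_blackhole(pkt, table):
    """Plain RBL BGP feed behaviour: a route to Null0 for listed prefixes.
    The forwarding decision looks only at the destination address."""
    return "drop" if lookup(pkt["dst"], table) else "forward"


def source_filter(pkt, table):
    """An ingress ACL (or other source-based check) over the same prefix set."""
    return "drop" if lookup(pkt["src"], table) else "forward"


def combined(pkt, table):
    """Blackhole the destination AND filter the source."""
    if destination_blackhole(pkt, table) == "drop":
        return "drop"
    return source_filter(pkt, table)


# Constructed packets. "spoofed_from_rbl" is the blind attack the post
# worries about: the attacker forges a source inside the blackholed block
# and never needs the reply (UDP/RPC, or TCP against a host with guessable
# sequence numbers), so dropping packets *to* 98/8 does not stop it.
PACKETS = {
    "legit": {"src": "198.51.100.7", "dst": VICTIM},
    "to_rbl": {"src": VICTIM, "dst": "98.100.32.32"},         # the traceroute case
    "spoofed_from_rbl": {"src": "98.1.2.3", "dst": VICTIM},   # blind, spoofed source
}


def evaluate(policy, packets=PACKETS, feed=RBL_FEED):
    """Apply one forwarding policy to every constructed packet."""
    table = build_table(feed)
    return {name: policy(pkt, table) for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, policy in (("dst blackhole", destination_blackhole),
                          ("src filter", source_filter),
                          ("both", combined)):
        print(f"{label:14s} {evaluate(policy)}")
```

Running it shows the destination-only policy dropping the traceroute probe to 98.100.32.32 while forwarding the spoofed packet from 98.1.2.3; the source filter does the reverse, and only the combination drops both. The usual reason sites settle for the destination-only variant is the one the post concedes: a Null0 route costs nothing in the forwarding path, while a per-packet source ACL or RPF check does.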