North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: More on black-holed reserved/8 block.

  • From: Henry R. Linneweh
  • Date: Fri Jul 21 02:21:37 2000 
It showed up in a UDP probe on an Aussie connection, so I tracerouted it
for the my associate, now I have a better understanding as to what is going
on.

[email protected] wrote:

> As one person explained to me, often miscreants broadcast a bogus route
> so they can launch an attack from a 'reserved' space.
>
> What I was probably not clear enough in my original question was why the
> person at bungi.com was even TRYING to traceroute to a 98/ address.  Was
> it something that showed up in a access log as an failed attempt, or?
>
> Is it the case that above.net is black-holing packets with a *destination*
> in the RBL, but *not* filtering packets with a *source* address from
> the RBL?  If so, this would still allow RPC-based attacks (and TCP as well,
> if the victim's box had bad sequence number prediction).
>
> What are other sites that use the RBL BGP feed doing in this case?
>
> (And yes, I understand that many routers can route to a blackhole destination
> a lot faster than they can apply an ACL on the source).
>
> --
>                                 Valdis Kletnieks
>                                 Operating Systems Analyst
>                                 Virginia Tech
>
> traceroute to 98.100.32.32 (98.100.32.32): 1-30 hops, 38 byte packets
>  1  main.bungi.com (207.126.97.9)  2.15 ms  1.73 ms  1.86 ms
>  2  above-gw2.above.net (207.126.96.217)  4.41 ms  4.88 ms  3.67 ms
>  3  core5-main2-oc3.sjc.above.net (216.200.0.205)  3.62 ms  4.56 ms
> 7.53 ms
>  4  core3-core5-oc48.sjc2.above.net (208.184.102.206)  6.34 ms  5.7 ms
> 5.3 ms
>  5  iad-sjc2-oc48.iad.above.net (216.200.127.25)  73.0 ms  79.7 ms  72.6
> ms
>  6
> hat.address.is.on.the.rbl.see.www.mail-abuse.org.for.more.information.above.net
>
>   ------------------------------------------------------------------------
>    Part 1.2Type: application/pgp-signature

--

Thank you;
|--------------------------------|
| Thinking is a learned process. |
| ICANN member @large            |
| Gigabit over IP, ieee 802.17   |
|--------------------------------|
Henry R. Linneweh