North American Network Operators Group

Re: routing invalid IP addresses

  • From: Richard A Steenbergen
  • Date: Sat Feb 21 08:21:02 2004

On Sat, Feb 21, 2004 at 07:47:46AM -0500, Geo. wrote:
> 
> We had an attack here last night and the attack traffic was coming from an
> IP address of x.x.255.x which isn't a valid IP address yet the traffic was
> being routed over the internet (as far as I can tell anyway). When I
> attempted to track down the source I found our cisco routers wouldn't accept
> the address as valid so it was not possible to null route or trace the
> traffic.

*GASP* Traffic with an invalid IP address being routed over the Internet? 
Dear god NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO! Please 
say it isn't so. Oh the humanity.

Actually, it is a perfectly valid IP address. You just need to turn on ip 
subnet-zero.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f18.shtml

That means nothing however, as there is traffic with invalid source
addresses routed over the Internet all the time. Routing has nothing to do
with source IP, and everything to do with dest IP. If you want to filter
it, use an acl.

> Has anyone else ever seen this before? Clue me in?

I don't think an ordinary clue stick will do... Hrm perhaps a stick of 
clue dynamite is in order.

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
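
The point in the reply above, that forwarding looks only at the destination address and that source filtering is a separate ACL step, shown as an added example that is not part of the original message. The forwarding table, deny list, next-hop names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed forwarding table: (destination prefix, next hop). Assumed values.
FIB = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("192.0.2.0/24"), "customer-a"),
    (ipaddress.ip_network("192.0.2.128/25"), "customer-b"),
]

# Constructed ingress ACL: source prefixes that should never arrive from outside.
INGRESS_DENY = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def lookup(dst):
    """Longest-prefix match on the destination address; the source is never consulted."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in FIB if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def acl_permits(src, deny=INGRESS_DENY):
    """Source check, applied only where an ACL is configured."""
    src = ipaddress.ip_address(src)
    return not any(src in net for net in deny)


def forward(src, dst, acl=False):
    """Return the next hop, or a drop reason. Without acl=True any source is carried."""
    if acl and not acl_permits(src):
        return "drop (acl)"
    hop = lookup(dst)
    return hop if hop else "drop (no route)"


if __name__ == "__main__":
    # Constructed packet: unroutable source with 255 in the third octet.
    print(forward("10.20.255.9", "192.0.2.200"))            # carried to the destination
    print(forward("10.20.255.9", "192.0.2.200", acl=True))  # stopped by the source ACL
```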