North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: General question on rfc1918

  • From: Darden, Patrick S.
  • Date: Tue Nov 13 10:23:24 2007

They do.  What you are seeing are probably forged packets.  Nmap etc. all let you forge SIP, in fact they automate it.  One Nmap mode actually actively obfuscates network scans by doing random SIPs--e.g. 10,000 random SIPs and one real one--this makes it hard to figure out who is actually scanning your networks.

Of course, if you don't filter incoming traffic on your inner interfaces, then the traffic could be from your own network.  A lot of people filter  only on their external ints:

	outgoing traffic limited to [mynetwork1, mynetwork2, mynetwork3]
	incoming traffic limited to [public IP addresses]

Make sense?

--Patrick Darden
--Internetworking Manager
--ARMC


-----Original Message-----
From: [email protected] [mailto:[email protected]]On Behalf Of
Drew Weaver
Sent: Tuesday, November 13, 2007 10:09 AM
To: [email protected]
Subject: General question on rfc1918



        Hi there, I just had a real quick question. I hope this is found to be on topic.

Is it to be expected to see rfc1918 src'd packets coming from transit carriers?

We have filters in place on our edge (obviously) but should we be seeing traffic from 192.168.0.0 and 10.0.0.0 et cetera hitting our transit interfaces?

I guess I'm not sure why large carrier networks wouldn't simply filter this in their core?

Thanks,
-Drew