North American Network Operators Group


198.32.64.12 -- Harmless mis-route or potential exploit?

  • From: Dan Mahoney, System Admin
  • Date: Tue Sep 02 18:24:35 2008

Hello all,

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:

http://www.honeynet.org/papers/forensics/exploit.html

So the question is: should I just ignore this as a properly dropped packet due to "no route"? (This provider is running defaultless, so unless such a route exists, it should be okay.)

On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged.)

-Dan

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
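A small triage script for "debug cef drops" output of the kind quoted above, added here as an example and not part of the original post or the thread. It parses the CEF-Drop lines, counts drops per destination, and flags a destination either because it is on a watchlist (here only 198.32.64.12, with the reason the post gives) or because it recurs above a threshold. The sample log, the second destination 192.0.2.77 (an RFC 5737 documentation address), the trailing non-CEF syslog line, the watchlist contents and the threshold of 3 are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the "debug cef drops" lines quoted in the post.
# 192.0.2.77 (RFC 5737 TEST-NET-1) and the last, unrelated syslog line are added
# so the parser and triage logic have something to skip and something to contrast.
SAMPLE_LOG = """\
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 192.0.2.77 -- no route
Sep  2 22:03:27: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:27: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Assumed watchlist for this example: the address from the post, with the
# reason the post itself gives for finding it suspicious.
WATCHLIST = {
    "198.32.64.12": "allocated to ep.net, unused, cited in honeynet forensics writeup",
}

# Matches the IOS-style line: "<Mon dd hh:mm:ss>: CEF-Drop: Packet for <dst> -- <reason>"
CEF_DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): CEF-Drop: Packet for "
    r"(?P<dst>[0-9.]+) -- (?P<reason>.+)$"
)


def parse_cef_drops(text):
    """Return a list of (timestamp, destination, reason) for each CEF-Drop line.

    Lines that are not CEF-Drop messages, or whose address field does not parse
    as an IP address, are skipped rather than aborting the run.
    """
    records = []
    for line in text.splitlines():
        m = CEF_DROP_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue  # malformed address field; ignore it
        records.append((m.group("ts"), str(dst), m.group("reason").strip()))
    return records


def drops_by_destination(records):
    """Count drops per destination address."""
    return Counter(dst for _, dst, _ in records)


def triage(counts, watchlist=WATCHLIST, threshold=3):
    """Return {destination: note} for destinations worth a closer look.

    A destination is flagged if it is on the watchlist (any count), or if it is
    not on the watchlist but recurs at or above `threshold` times in the window.
    """
    flagged = {}
    for dst, n in counts.items():
        if dst in watchlist:
            flagged[dst] = f"{n} drops; watchlist: {watchlist[dst]}"
        elif n >= threshold:
            flagged[dst] = f"{n} drops; repeated no-route destination"
    return flagged


if __name__ == "__main__":
    recs = parse_cef_drops(SAMPLE_LOG)
    for dst, note in sorted(triage(drops_by_destination(recs)).items()):
        print(dst, "->", note)
```

The script only ranks what to look at; on a defaultless router a "no route" drop is the correct outcome, so it is the watchlist hit or the persistence of a destination, not the drop itself, that makes a packet worth tracing. As the post notes, the source address in those packets may be forged, so the follow-up is to work back from the ingress interface rather than to trust the source field.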