North American Network Operators Group


Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

  • From: Gadi Evron
  • Date: Tue Sep 02 18:28:46 2008

My profile and resume: http://www.linkedin.com/in/gadievron
On Tue, 2 Sep 2008, Dan Mahoney, System Admin wrote:

Hello all,

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:

http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet due to "no route"? (This provider is running defaultless, so unless such a route exists, it should be okay.)

On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch people to trace down the source origin? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged.)

It should be treated as an intelligence source; sharing that one openly is probably counter-productive.


Regardless, very interesting. I think follow-up just for interest's sake may be worth it.


-Dan

--

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
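The "debug cef drops" lines quoted above lend themselves to quick triage before anyone is dispatched. The following is an added example and is not code from the thread or from either poster: it parses CEF-Drop lines of the format shown, counts drops per destination and reason, reports the largest burst seen within a single second, and flags destinations that exceed a drop threshold or fall inside an operator-supplied watch prefix (space known to be allocated but unused, for instance). The sample log, the 10.0.0.9 entry and the 10.0.0.0/8 watch prefix in the usage are constructed for the example; the thread names no prefix for the ep.net space, so that parameter is left to the operator.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the lines in the thread. The 10.0.0.9 entry
# is made up so that the summary has more than one destination to compare.
SAMPLE_LOG = """\
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 10.0.0.9 -- no route
Sep  2 22:03:26: CEF-Drop: Packet for 198.32.64.12 -- no route
"""

# Matches the "Mon  D HH:MM:SS: CEF-Drop: Packet for A.B.C.D -- reason" shape
# seen in the thread; anything else (other debug output, banners) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): CEF-Drop: Packet for "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) -- (?P<reason>.+)$"
)


def parse_cef_drops(text):
    """Yield (timestamp, destination, reason) for each CEF-Drop line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), ip_address(m.group("dst")), m.group("reason")


def summarize(text):
    """Count drops per (destination, reason) pair."""
    counts = Counter()
    for _, dst, reason in parse_cef_drops(text):
        counts[(str(dst), reason)] += 1
    return counts


def peak_per_second(text):
    """Largest number of drops for each destination within any single second.

    The thread's sample shows eight drops carrying the same timestamp, so the
    per-second burst size is a more useful signal than the total alone.
    """
    per_ts = defaultdict(Counter)
    for ts, dst, _ in parse_cef_drops(text):
        per_ts[str(dst)][ts] += 1
    return {dst: max(c.values()) for dst, c in per_ts.items()}


def flag_for_followup(text, threshold=3, watch_prefixes=()):
    """Return destinations worth a second look, with the reasons they were flagged.

    A destination is flagged when its drop count reaches `threshold` or when
    it falls inside one of `watch_prefixes` (operator-supplied; assumed here,
    the thread names none).
    """
    nets = [ip_network(p) for p in watch_prefixes]
    per_dst = Counter()
    for _, dst, _ in parse_cef_drops(text):
        per_dst[dst] += 1
    flagged = {}
    for dst, n in per_dst.items():
        reasons = []
        if n >= threshold:
            reasons.append(f"{n} drops")
        if any(dst in net for net in nets):
            reasons.append("in watch prefix")
        if reasons:
            flagged[str(dst)] = reasons
    return flagged


if __name__ == "__main__":
    for (dst, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{dst:<16} {reason:<12} {n} drops")
    print("peak per second:", peak_per_second(SAMPLE_LOG))
    # 10.0.0.0/8 is a constructed watch prefix for the example only.
    print("follow-up:", flag_for_followup(SAMPLE_LOG, watch_prefixes=("10.0.0.0/8",)))
```

On a real box the input would be the captured "debug cef drops" output (or a syslog export of it); unmatched lines are ignored rather than failing the run, so the parser can be pointed at a raw terminal capture. The per-second peak is the number to watch when deciding whether a burst is a misconfigured source or background noise, and the watch-prefix check is where known-unused space such as the 198.32.64.12 allocation would go once the operator has confirmed its bounds.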