198.32.64.12 -- Harmless mis-route or potential exploit?

Hello all,

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:

http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).

On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin ? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).

-Dan

My profile and resume: Gadi Evron - Team8 | LinkedIn

Hello all,

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:

http://www.honeynet.org/papers/forensics/exploit.html

So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).

On the other hand, one of the other packets I'm seeing specifically refers to a DNS exploit, so should I then dispatch to people to trace down the source origin ? (Suffice it to say the resources are there to find it fairly easily, even if the source address is forged).

It should be treated as an intelligence source, sharing that one openly is probably counter-productive.

Regardless, very interesting. I think follow-up just for interest's sake may be worth it.

Hello all,

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

Sep 2 22:03:25: CEF-Drop: Packet for 198.32.64.12 -- no route

Now, as nearly as I can tell, this IP address has never been used for anything, but I see occasional references to it, such as here:

Once upon a time, that used to be the IP address for the L Root server.

Steve

Gadi,

Could you please take the self-promotion offline already? Enough is
enough! I don't think anybody on this list is interested in hiring
you or reviewing your resume!

(It could be argued that my post is off-topic as well. I disagree.
Furthermore, it had to be done, given the lack of public face or
consistent enforcement action of the current MLC.)

Drive Slow,
Paul Wall
http://www.linkedin.com/in/paulwall

While recently trying to debug a CEF issue, I found a good number of packets in my "debug cef drops" output that were all directed at 198.32.64.12 (which I see as being allocated to ep.net but completely unused).

As Steve Conte pointed out, that is the address that used to be used for l.root-servers.net. l.root-servers.net was renumbered almost a year ago, with the announcement of the old address turned off about 6 months ago.

So the question is, should I just ignore this as a properly dropped packet due to "no route" (this provider is running defaultless, so unless such a route exists, it should be okay).

Packets being sent to 198.32.64.12 most likely come from DNS caching servers that haven't had their hints updated. In the ideal world, you could hunt down those machines and kick 'em in the head (that is, install a new hints file). That they're unrouted is definitely the way things should be.

Regards,
-drc

dan,

(to follow up on david conrad's response)...

>While recently trying to debug a CEF issue, I found a good number of
>packets in my "debug cef drops" output that were all directed at
>198.32.64.12 (which I see as being allocated to ep.net but
>completely unused).

As Steve Conte pointed out, that is the address that used to be used
for l.root-servers.net. l.root-servers.net was renumbered almost a
year ago, with the announcement of the old address turned off about 6
months ago.

there's some context on recent routing issues with this network
described at the renesys blog here:

http://www.renesys.com/blog/2008/06/securing_the_root_1.shtml

in short: the prefix containing this network was advertised by people
other than iana for a time after iana stopped advertising it.

checking our current data, that block is not currently routed by any
of our peers over the last month (i would assume ripe ris and
routeviews report similar data, but i did not check them.

t.

are you for real?

No, he is not.

Could you please take the self-promotion offline already? Enough is
enough! I don't think anybody on this list is interested in hiring
you or reviewing your resume!

(It could be argued that my post is off-topic as well. I disagree.
Furthermore, it had to be done, given the lack of public face or
consistent enforcement action of the current MLC.)

[...]

Paul Wall
http://www.linkedin.com/in/paulwall

My profile and resume: Gadi Evron - Team8 | LinkedIn

[SNIP]

Just so that I am clear on your issue here: You believe it is "okay" for you to put your linkedin URL in your .sig, but Gadi must not be allowed to put it at the top of a post? I ask because I had to go back and read what you were so upset over since I did not even notice the first line in his post. I bet many others did not as well.

Oh, and I think the fact it is L-Root's old IP address probably means no one will hire him to research it anyway.

Yep. Are you a geek? I am that, too.

Awkward, but easy to explain. I use PINE and I often have signatures added (which I barely ever actually use). PINE adds them at the footer of the message. Therefore I hit ctrl+K a few times and delete entire lines, then reply at the footer.

I missed one line, which is the last of my current .signature file.

My usual signature these days, as has been seen before on this list as well, is:

Yes, I think that's exactly right. It's a statement of what the sender
perceives to be important about the email. I read email for the
content; having the URL at the top is an assertion by the poster that
he thinks his resume is more important than what he says. (Yes, I know
some of you are about to hit reply to say "maybe it is from Gadi".
Don't bother -- what he says is often quite valuable.)

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

it's also probably worth stating that parts of 198.32/16 are never
routed anywhere on the Internet (here comes bill to tell me 'who's
Internet?' .....). Some is in use on private networks, some is in use
at exchange points and not routed outside the immediate peers.

Most times, as I recall, epnet does a decent job of keeping the whois
data or rdns data updated though, for things in use. (though possibly
not for private uses)

-chris

I agree, which is why this fluke in not deleting the last line with ctrk+k as PINE appends signature lines at the top of the post by default--was awkward. Good thing I don't much get deterred by awkward.

Still, I bet this is going to be a huge thread yet again. No one appends any URL at the footer--not even me! But folks with no content to contribute would naturally jump at it like they would at even just a typo.

I suppose it is only natural when you become a celebrity of any sort--you draw all sorts of attention. At first my thick skin helped, nowadays I just find it amusing.

Folks flooded mailing lists spoofing my name (creating ASCII art of Beavis or a swastika) using the subject lines. They flooded yet again, with furry porn pictures attached. They launched fan blogs, created an Encyclopedia Dramatica entry...

I've had a comic strip made about me, a song written about me, a fake craigslist entry... all of course, serving as a boost to my ego--knowing "now I must have made it!"

There was a blackhat presentation which in part was about how someone faked a social network account being me, and how he almost got an informationweek interview as me out of it--I was on to him.

Most recently, someone created a comic-strip in ASCII about me (very funny, but R rated, so don't go if you find that type of thing offensive).
It's from the "now I know I've made it!" department:

http://fr.pastebin.ca/raw/1094119

To wrap this up, I don't often (at all) use signature lines, but I do have them and out of habit delete them with almost every new posting from the footer.

I had two VERY self-depricating (and very funny) quotes, before, which also were not often used, anyone remember?

1.
"beepbeep it, i leave work, stop reading sec lists and im still hearing gadi" - HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.

2. *FART*
     -- Avi Freedman to Gadi Evron in a Chinese restaurant, Boston 2007.

To even things out, my new barely ever used footer signature, is:

well, actually.... this was the IP address used for l.root-servers.net
from 1998-2008. so i guess you could say its never been used for anything.

we are not currently routing that prefix and there should currently be nothing
at that IP address.

--bill

> checking our current data, that block is not currently routed by any
> of our peers over the last month (i would assume ripe ris and
> routeviews report similar data, but i did not check them.

it's also probably worth stating that parts of 198.32/16 are never
routed anywhere on the Internet (here comes bill to tell me 'who's
Internet?' .....). Some is in use on private networks, some is in use
at exchange points and not routed outside the immediate peers.

  grump... ok... "who's internet"?

Most times, as I recall, epnet does a decent job of keeping the whois
data or rdns data updated though, for things in use. (though possibly
not for private uses)

  rdns moreso that whois...

> checking our current data, that block is not currently routed by any
> of our peers over the last month (i would assume ripe ris and
> routeviews report similar data, but i did not check them.

it's also probably worth stating that parts of 198.32/16 are never
routed anywhere on the Internet (here comes bill to tell me 'who's
Internet?' .....). Some is in use on private networks, some is in use
at exchange points and not routed outside the immediate peers.

       grump... ok... "who's internet"?

there he is!!! (thanks for restoring my faith in... humanity)

Most times, as I recall, epnet does a decent job of keeping the whois
data or rdns data updated though, for things in use. (though possibly
not for private uses)

       rdns moreso that whois...

198.32.64.12 == AS-20144-has-not-REGISTERED-the-use-of-this-prefix.

for instance?

-chris

>>
>> > checking our current data, that block is not currently routed by any
>> > of our peers over the last month (i would assume ripe ris and
>> > routeviews report similar data, but i did not check them.
>>
>> it's also probably worth stating that parts of 198.32/16 are never
>> routed anywhere on the Internet (here comes bill to tell me 'who's
>> Internet?' .....). Some is in use on private networks, some is in use
>> at exchange points and not routed outside the immediate peers.
>
> grump... ok... "who's internet"?

there he is!!! (thanks for restoring my faith in... humanity)

  WHO'S THAT TRIP-TRAPPING ACROSS MY BRIDGE?
  (random thought of the day ... is there a real requirement to
  do routing at the level of granularity we seem to have fallen into?
  is there any reason to not do more bridging, creating larger broadcast
  domains? Such constructs are certainly more ammenable to device mobility,
  esp in the absence of workable mobil IP and the derth of EID/LOC splits...
  and there would be less route churn.... lots of good reasons)
  

>
>> Most times, as I recall, epnet does a decent job of keeping the whois
>> data or rdns data updated though, for things in use. (though possibly
>> not for private uses)
>
> rdns moreso that whois...

198.32.64.12 == AS-20144-has-not-REGISTERED-the-use-of-this-prefix.
for instance?

  well that has been there for some time - we need not remove the
  clay-cap off that nuclear waste dump - let sleeping dogs lie.

-chris

--bill