Whois 172/12

Hi all,

   Tearing what's left of my hair out.

   A customer is getting scanned by a host claiming to be "172.0.1.216".

   I know this is bogus, but I want to go back to the customer with as
much authoritative oomph as I can (heaven forbid they just take my
word).

   I'm pretty sure I read somewhere once that 172/12 was "reserved" or
something like that. All I can find now is that 172/8 is "administered by
ARIN". Lots of information on 172.16/12, but not a peep about
172/12.

   If anybody could provide some insight as to the
allocation/non-allocation of this block, it would be much appreciated.

   Thanks.

Ted Fischer

As far as I know, 172.0.1.216 is not assigned, yet.

whois -h whois.arin.net 172.0.1.216
[whois.arin.net]

Read RFC1918.

Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.

But that is not guaranteed. A packet with a source address of 172.0.x.x could be hitting his machine. Depends on how well you filter. Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc. He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above).

I would look for the prefix in your BGP table and in a couple of looking glasses and show the empty output.

If it's not there, then it is bogus.

Thanks for the replies so far, but not what I was looking for.

I should have specified that I've done several ns & dig lookups just to
make sure.

We were supposed to have lit up the last of IPv4 last year. I would have
presumed that meant that there was nothing left. Since I can't find a
reference to 172/12 anywhere, one might be led to presume that it was
allocated somehow, to someone (perhaps inadvertently not recorded) since
there are - supposedly - no fresh IPv4 addresses left to allocate, and the
only reference to this block is that 172/8 is allocated to ARIN. It
doesn't even appear in RFC 5735.

We all know about 172.16/12 - nothing left of that horse but glue.

My question is about 172/12. Where is it, what is its supposed purpose.
I'm almost sure it's an internal box. I just find it better to give a
professional answer to "why can't I use this" than just "you can't use
this and why is this address scanning you for udp/137 anyway".

If someone can point out to me what was done with 172/12 I'd appreciate it.

Patrick opined:

Read RFC1918.

  I didn't remember seeing anything about 172/12 in RFC1918. Looked at it
again. Is there something about 172/12 I missed? Thanks.

Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly
unallocated.

My question is about 172/12. Where is it, what is its supposed purpose.

See IANA which tells you at
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

That ARIN is handling it. As their whois does not have anything for it, and BGP does not have it, it obviously is unused as of yet and somebody is just spoofing. Solution: implement BCP38 in your network.

Note that IANA has run out of v4, the RIRs themselves have quite a bit left, obviously, ARIN still has big chunks of 172/8.

I'm almost sure it's an internal box.

Then apply BCP38 and figure out where it lives.

I just find it better to give a
professional answer to "why can't I use this" than just "you can't use
this and why is this address scanning you for udp/137 anyway"

It is not their address space, as such they are not supposed to use it. What is so difficult about that answer?!

Greets,
Jeroen

We were supposed to have lit up the last of IPv4 last year. I would have
presumed that meant that there was nothing left. Since I can't find a

Not a good assumption. There remains IPv4 address space that has not yet
been assigned to any network, but is available for assignment. 172/12
appears to likely fall into that category.

there are - supposedly - no fresh IPv4 addresses left to allocate, and the

only reference to this block is that 172/8 is allocated to ARIN. It
doesn't even appear in RFC 5735.

Just because ARIN does not appear to have allocated networks from 172/12
yet does not mean this address space is unavailable, not part of the free
pool, or will not be allocated from by ARIN in the future. Just a /12 is
a very small shard of IP address space.

This is also part of a legacy /8.

My question is about 172/12. Where is it, what is its supposed purpose.

This falls under IP addresses that can be assigned to networks but have not
yet been recorded as assigned to any networks.

I'm almost sure it's an internal box. I just find it better to give a
professional answer to "why can't I use this" than just "you can't use

Only the RFC1918 IP address space is reserved for use by private networks.
172/12 is not reserved by RFC, therefore portions of it that are
unallocated could be allocated at any time.

this and why is this address scanning you for udp/137 anyway".

Something is generating packets sourced with an IP address in that range
which should not be using that source IP address.

It could be a device misconfiguration, or it could be intentional IP
address spoofing.

From nanog-bounces+bonomi=mail.r-bonomi.com@nanog.org Sun Jan 15 02:02:00 2012
Subject: Re: Whois 172/12
From: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Sun, 15 Jan 2012 02:58:11 -0500
To: NANOG list <nanog@nanog.org>

Read RFC1918.

Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.

Patrick,
  I've read RFC-1918. I cannot find *any* reference to 172.0/12, as the OP
was asking about. 172.16/12, yes. but not 172.0/12. Can you please clarify
your advice?

ZZ

so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12?
  
  if memory serves, back in the day, there were records of allocations in this space,
  pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8
  so there was talk of relocating those folks into other space.

/bill

  so as a stylistic point, 172/12 is supposed to equal 172.0.0.0/12?

Yeah...it's pretty common to drop the zeros when talking CIDR.

  if memory serves, back in the day, there were records of allocations in this space,
  pre-ARIN. When RFC 1918 was settled on, there were some folks blocking 172.0.0.0/8
  so there was talk of relocating those folks into other space.

AOL has and uses (publicly) a bunch of space in 172/8. In fact, looking at a BGP table, I'd say they're by far the largest user (one of the only) in that /8.

For the OP...that scan traffic coming from 172.0.1.216 could be locally generated, or could be coming from the internet, either from someone announcing it briefly, or from a leaky NAT (just because it's not rfc1918 space doesn't mean someone didn't pick it out of their nether regions as the "private network" for some NAT'd network).

There are resources where you can check to see if 172.0.1/24 or larger networks have been announced recently (left as an exercise for the reader). If it hasn't, then the "scans" probably aren't being very effective since there can be no reply.

My advice is not to post when you are tired. :)

Thanks for the replies so far, but not what I was looking for.

I should have specified that I've done several ns & dig lookups just to
make sure.

We were supposed to have lit up the last of IPv4 last year. I would have
presumed that meant that there was nothing left. Since I can't find a
reference to 172/12 anywhere, one might be led to presume that it was
allocated somehow, to someone (perhaps inadvertently not recorded) since
there are - supposedly - no fresh IPv4 addresses left to allocate, and the
only reference to this block is that 172/8 is allocated to ARIN. It
doesn't even appear in RFC 5735.

While IANA allocated the last of the free IPv4 address pool to the 5 recognized RIRs on 3 Feb 2011, that doesn't mean that all of those IPv4 addresses were immediately assigned to providers or end-users. The RIRs will exhaust their supplies of assignable IPv4 address space at different times, depending on their 'end game' assignment strategies and their overall consumption rate. APNIC exhausted most of their available address space by last April.

172/8 was a legacy block, from which 172.16/12 was allocated for RFC 1918. Looking at IANA IPv4 Address Space Registry shows many of the legacy allocations being administered by ARIN, but also a few being administered by RIPE and APNIC. There is a difference between an RIR being tasked with administering a chunk of legacy space and being officially allocated a chunk of space by IANA. In the case of 172/8, it was allocated in the InterNIC days, so users could be scattered all over the world, but ARIN handles in-addr.arpa delegation for it. Since ARIN was not (as far as I know) formally tasked with allocating remaining space from 172/8, that space will not be assigned to SPs or users by ARIN.

My question is about 172/12. Where is it, what is its supposed purpose.
I'm almost sure it's an internal box. I just find it better to give a
professional answer to "why can't I use this" than just "you can't use
this and why is this address scanning you for udp/137 anyway".

As others have pointed out, if 172.0.0.0/12 or some subset of it doesn't exist in the global routing table, then the packets you saw are either coming from outside of your network - spoofed - or coming from somewhere inside your network.

If someone can point out to me what was done with 172/12 I'd appreciate it.

I'm not aware of anything more detailed than what I've noted above or what other posters have contributed to this thread.

jms

Similar to 1.0.0.0/8 case, which was allocated to APNIC last year or so...

<quote>Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly unallocated.</quote>

What's with the language?

Ephesians 4:32 & Cheers!!!

So kind, compassionate and forgiving that I'll buy Patrick a beer when
I see him next, it's been a long time.

--srs

We, AOL, have 172.128/10, 172.192/12, 172.208/13, 172.216/16. These blocks
represent our dial-up ISP customers that can't seem to get broadband or for
whatever reason, stay on dial-up. Also pretty amazing is how high the
simultaneous user count has stayed, guess the folks that left weren't the
ones on in the evenings between 7-10pm ET. We (mostly me) are looking into
solutions to be able to remove the reliance on this space. Unfortunately,
most of the developers, who created the various servers/applications that
dole out these addresses, all left in the late 90's with some pretty fat
wallets; at this point... it's an archeology dig.

Jay

As port 137 is the Netbios Name Service port are you *sure* this is a port scan and not a windows box (or other OS running NetBIOS crud) that simply has fat-fingered addresses configured?

Jesus. 172.16/12 fine .. that's rfc1918. The rest of 172/8 is mostly
unallocated.

And for almost all of it, there is Team Cymru:

show ip route 172.0.0.0

Routing entry for 172.0.0.0/9, supernet
  Known via "bgp", distance 20, metric 0
  Tag 65332, type external
  Last update from 192.0.2.1 3w1d ago
  Routing Descriptor Blocks:
  * 192.0.2.1, from 38.229.66.20, 3w1d ago
      Route metric is 0, traffic share count is 1
      AS Hops 1
      Route tag 65332
      MPLS label: none

(192.0.2.1 is null routed statically)

A very handy service!

Tom
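
The checks suggested in this thread, as an added example that is not code from any poster: expand the shorthand ("172/12" = 172.0.0.0/12), test the source against RFC 1918, then do a longest-prefix match against a routing table. The table is constructed only from prefixes quoted above (the AOL blocks and the 172.0.0.0/9 bogon-feed route) and is not a current BGP view; the names expand, longest_match and classify are made up for this sketch.

```python
import ipaddress

def expand(short):
    """Expand operator shorthand such as '172/12' or '172.16/12' to a network."""
    addr, _, plen = short.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))      # pad dropped zero octets
    # strict=True rejects shorthand with host bits set (e.g. '172.17/12')
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=True)

RFC1918 = [expand(p) for p in ("10/8", "172.16/12", "192.168/16")]

# Constructed snapshot: only prefixes quoted in the thread.
# "announced" = the AOL blocks; "bogon-feed" = the tag 65332 supernet
# whose next hop (192.0.2.1) is null routed.
ROUTES = {
    expand("172.128/10"): "announced",
    expand("172.192/12"): "announced",
    expand("172.208/13"): "announced",
    expand("172.216/16"): "announced",
    expand("172.0/9"): "bogon-feed",
}

def longest_match(ip, table):
    """Return the most specific prefix in table covering ip, or None."""
    hits = [net for net in table if ip in net]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def classify(source):
    """Label a source address: rfc1918, routed, bogon or unrouted."""
    ip = ipaddress.ip_address(source)
    # RFC 1918 first: the 172.0/9 bogon supernet also covers 172.16/12.
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    net = longest_match(ip, ROUTES)
    if net is None:
        return "unrouted"        # no covering route: replies cannot get back
    return "bogon" if ROUTES[net] == "bogon-feed" else "routed"

if __name__ == "__main__":
    for src in ("172.0.1.216", "172.16.5.9", "172.200.1.1", "172.217.0.1"):
        print(f"{src:15} {classify(src)}")
```

Against a real table, replace ROUTES with prefixes exported from your own router or a looking glass; the labels are only as current as that export.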