
[cobalt-users] IP spoof? Where do I go now?

For the past two weeks someone using IP address 192.168.0.1 has been
port-scanning me on various ports.  I went to the ARIN website and punched in
the IP and got this:

IANA (IANA-CBLK-RESERVED)
   Internet Assigned Numbers Authority
   Information Sciences Institute
   University of Southern California
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695
   US

   Netname: IANA-CBLK1
   Netblock: 192.168.0.0 - 192.168.255.255

   Coordinator:
      Internet Corporation for Assigned Names and Numbers  (IANA-ARIN)
iana@xxxxxxxx
      (310) 823-9358

I emailed IANA with a modified version of the "standard response email"
that's been floating around on this list and got this back from them:

The following address blocks are reserved for private use
and should never appear in the public Internet:

 192.168.0.0-192.168.255.255
 172.16.0.0-172.31.255.255
 10.0.0.0-10.255.255.255

The IANA has no idea who the users of these address blocks are.
The point of private address space is to allow many organizations
in different places to use the same addresses for their disconnected
or self-contained islands of IP-talking computers (private intranets).
Anyone may use these address blocks without any prior notification
to IANA.

This is documented in RFC 1918.
To locate RFCs you can go to <ftp://ftp.isi.edu/in-notes/rfc1918.txt>.

These are public numbers for anybody to use PRIVATELY for a personal
network or company intranet.  They are not connected to any server of
ours.  We are not an ISP and do not have any users.

We allocate IP blocks to regional registries like ARIN, which then delegate
them to ISPs, and the ISPs assign them out to end users.  If an address block
is not assigned to any entity, it will be listed as reserved under IANA.

Since these are public numbers and are not assigned, we have no idea who
the users are.  If and when they show up on the public Internet, they are
most likely being forged.  Please contact your upstream ISP for further
assistance, and also check the configuration of your private intranet or
network.

Best Regards,
IANA

Now what do I do?  The IP is being blocked by PortSentry and ipchains, but I
noticed I got this from my logcheck just now:

Mar 18 14:29:27 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:67 255.255.255.255:68 L=328 S=0x00 I=21004 F=0x0000 T=128 (#1)

What does this mean?  Also, what can I do about 192.168.0.1 now?  I put the
same IP address in InterNIC's WHOIS search and got the following:

Server Name: DEATH.FARAWAY.CX
   IP Address: 192.168.0.1
   Registrar: CORE INTERNET COUNCIL OF REGISTRARS
   Whois Server: whois.corenic.net
   Referral URL: www.corenic.net

What am I to do with this information - does it help me at all?

Many thanks for any light anyone can shed on this!

Dan
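
Added here as an editorial example, not part of Dan's post or of any reply on the list: a small Python triage script that parses the ipchains log line quoted above, decodes the PROTO and port numbers, and flags whether the source is in RFC 1918 space and whether the destination is the limited broadcast address. The second log line, the TEST-NET addresses in it, and the port-name table are constructed for the example. Run on the quoted line it shows what that packet is: UDP from port 67 to port 68, sent to 255.255.255.255, is a DHCP server reply (OFFER/ACK) broadcast on the local segment. Routers do not forward the limited broadcast, so the packet came from a host on the same wire as eth0, not from the Internet, and it is not a port scan.

```python
import ipaddress
import re

# The three RFC 1918 private blocks listed in the IANA reply.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# IP protocol numbers as printed in the PROTO= field.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Port names that matter for reading this log (constructed subset, not a full services table).
PORT_NAMES = {53: "dns", 67: "bootps (DHCP server)", 68: "bootpc (DHCP client)"}

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# ipchains "Packet log:" layout:
#   <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<ipid> F=0x<frag> T=<ttl> [SYN]
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)?"
)

# The line from the post, and a constructed public-source TCP SYN for contrast
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE_LINE = ("Mar 18 14:29:27 kernel: Packet log: input DENY eth0 PROTO=17 "
               "192.168.0.1:67 255.255.255.255:68 L=328 S=0x00 I=21004 F=0x0000 T=128 (#1)")
PUBLIC_LINE = ("Mar 18 14:30:01 kernel: Packet log: input DENY eth0 PROTO=6 "
               "203.0.113.5:4321 198.51.100.7:23 L=60 S=0x00 I=1 F=0x4000 T=52 SYN (#2)")


def is_rfc1918(ip_text):
    """True if the address falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in RFC1918_NETS)


def parse_ipchains_log(line):
    """Parse one ipchains log line into a dict of typed fields; None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)   # type-of-service byte
    rec["frag"] = int(rec["frag"], 16)  # flags + fragment offset; 0x4000 is DF
    rec["syn"] = rec["syn"] is not None
    return rec


def triage(line):
    """Parse a line and derive the facts a responder needs to decide what it is."""
    rec = parse_ipchains_log(line)
    if rec is None:
        return None
    dst = ipaddress.ip_address(rec["dst"])
    out = {
        "protocol": PROTO_NAMES.get(rec["proto"], "proto %d" % rec["proto"]),
        "src_private": is_rfc1918(rec["src"]),
        "dst_limited_broadcast": dst == LIMITED_BROADCAST,
        "dropped_silently": rec["verdict"] == "DENY",  # ipchains DENY drops without ICMP; REJECT replies
        "syn": rec["syn"],
        "service": None,
        "reasons": [],
    }
    if out["protocol"] == "UDP" and rec["sport"] == 67 and rec["dport"] == 68:
        out["service"] = "DHCP server -> client"
        out["reasons"].append("UDP 67 -> 68 is a DHCP server reply (OFFER/ACK), not a port scan")
    if out["dst_limited_broadcast"]:
        out["reasons"].append("255.255.255.255 is the limited broadcast; routers do not forward it, "
                              "so the sender is on the same segment as %s" % rec["iface"])
    if out["src_private"]:
        out["reasons"].append("source is RFC 1918 space; ARIN/whois cannot identify it, as IANA's reply says")
    return out


if __name__ == "__main__":
    for line in (SAMPLE_LINE, PUBLIC_LINE):
        result = triage(line)
        print(line)
        for k, v in result.items():
            print("  %-22s %s" % (k, v))
```

The practical follow-up for the host in the post is to look for a DHCP server on the eth0 segment (a router, a cable modem, or a neighbouring machine) rather than to keep writing to registries: a 192.168.x.x source can only be traced by whoever runs the local network, and the whois result for a hostname that happens to resolve to 192.168.0.1 says nothing about who sent the packet.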