
Re: [FW1] Strange Log Entry

I don't know if I would agree with that.
 
Lots of ISPs use RFC1918 addressing AND DNS entries for the management of
broadband/adsl networks. Usually the ADSL/Cablemodem will obtain an RFC1918
address during its bootp process. This is used by network engineers for SNMP and
other diagnostic tools. It's kind of handy to have DNS entries for those.
 
Sometimes the provider does not do a good job and allows those RFC1918 addresses
to traverse the bridge so you might see them leaking across occasionally.
 
============
 
How secure do you think your traffic is once it leaves your cable/dsl modem?
(short answer, not at all unless it's encrypted and don't believe the MYTHS the
ADSL providers will tell you...)
 
In the case of DOCSIS, it can be much more secure because a private session key
is established between the headend router and your modem, however a LOT of these
so called broadband modems are still not encrypting data via baseline privacy.
 
I have seen successful hack attempts where a hacker coerced his modem into
allowing him to run a DHCP server. He set up a scope that was at the top end of his
subnet and passed out TWO gateway addresses. The first being his modem, and
the 2nd the normal gateway for the subnet. He then set up a sniffer and had access
to ALL traffic traversing his node. If his modem became too congested, they would
still have the normal gateway so this went undetected for some time....
 
What if your users are using some of those spyware programs that track what URLs
they are visiting? What if they access an "INTRAnet" site and pass along authentication
information in the URL? Surely the spyware data miners now have it, and if somebody
has tricked you into using the wrong gateway on your node...they probably have it too...
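The rogue-DHCP scenario described in the post above (a second DHCP server on the segment handing out two router addresses, its own first) can be caught on the wire by auditing the DHCPOFFERs a client receives: the offer's server identifier (option 54) should be one of the known servers, and the router option (option 3) should carry exactly the expected gateway. The Python below is an added example, not code from this thread; it builds its own sample offers purely as test data, and the trusted-server and expected-gateway addresses are made-up values.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the options field
OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 53, 54, 255
DHCPOFFER = 2


def build_offer(server_ip, routers, yiaddr):
    """Construct a minimal DHCPOFFER (236-byte BOOTP header + cookie + options).
    This exists only to produce constructed test packets for the audit below."""
    hdr = struct.pack(
        "!BBBBIHH4s4s4s4s",
        2, 1, 6, 0,                       # op=BOOTREPLY, htype=ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,            # xid (constructed), secs, flags=broadcast
        b"\0" * 4,                        # ciaddr
        ipaddress.ip_address(yiaddr).packed,
        ipaddress.ip_address(server_ip).packed,
        b"\0" * 4,                        # giaddr
    )
    hdr += b"\0" * 16 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SUBNET_MASK, 4]) + ipaddress.ip_address("255.255.255.0").packed
    router_bytes = b"".join(ipaddress.ip_address(r).packed for r in routers)
    opts += bytes([OPT_ROUTER, len(router_bytes)]) + router_bytes
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_ip).packed
    opts += bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


def parse_options(packet):
    """Return {option_code: raw_value} from a DHCP packet, rejecting truncated data."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                     # pad option has no length byte
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ips(value):
    """Decode an option value holding one or more 4-byte IPv4 addresses."""
    usable = len(value) - len(value) % 4
    return [str(ipaddress.ip_address(value[j:j + 4])) for j in range(0, usable, 4)]


def audit_offer(packet, trusted_servers, expected_router):
    """Return a list of findings; an empty list means the offer looks legitimate."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return ["not a DHCPOFFER"]
    findings = []
    server = ips(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_servers:
        findings.append(f"offer from untrusted DHCP server {server[0] if server else 'unknown'}")
    routers = ips(opts.get(OPT_ROUTER, b""))
    if len(routers) > 1:
        findings.append(f"multiple routers offered: {routers}")
    for r in routers:
        if r != expected_router:
            findings.append(f"unexpected router {r}")
    return findings


# Constructed sample offers: one from the real server, one shaped like the
# two-gateway trick described in the post (rogue address listed first).
GOOD_OFFER = build_offer("10.1.0.2", ["10.1.0.1"], "10.1.0.50")
ROGUE_OFFER = build_offer("10.1.0.250", ["10.1.0.250", "10.1.0.1"], "10.1.0.251")

if __name__ == "__main__":
    print(audit_offer(GOOD_OFFER, {"10.1.0.2"}, "10.1.0.1"))
    print(audit_offer(ROGUE_OFFER, {"10.1.0.2"}, "10.1.0.1"))
```

The builder is deliberately minimal; in practice you would feed `audit_offer` the raw UDP payloads captured on port 68 by a monitoring host, and alert on any non-empty result. The two-gateway trick specifically is the `multiple routers offered` finding, which fires even when the rogue server spoofs a trusted server identifier.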
----- Original Message -----
Sent: Friday, January 05, 2001 5:04 PM
Subject: RE: [FW1] Strange Log Entry

I questioned my ISP about the address and here's what they said:

        Michelle,

        We have a reverse entry for some of our non-routable IP's entered into our DNS
        server. This is just handy for us internally. So your source is 172.16.1.130.

I guess that explains it.
-----Original Message-----
From: Steven Lee [mailto:[email protected]]
Sent: Thursday, January 04, 2001 4:10 PM
To: [email protected]
Subject: Re: [FW1] Strange Log Entry


First, turn off address resolution... you'll see that t130.uia.net is
actually 172.16.1.130 (a private RFC1918 address). Are you
using 172.16 as an internal address?

Second, you should tell your ISP that they shouldn't be populating
their DNS with A records (and PTR records) for RFC1918 addresses.

Steve

[email protected] wrote:

>
>
> I'm looking through my FW1 log because our T1 is up and running, but we can't
> seem to get to the Internet, except email. I'm seeing entries in the log such
> as:
>
>         Source          Destination
>         t130.uia.net    msnbc.com
>
> The source is not from our network and the destination is not to our network,
> so why the heck would that source be coming to us to get to msnbc?  BTW,
> uia.net is our ISP.
>
> Any ideas?
>
> Thanks, Michelle
> _____________________
> Michelle Johnston, MCSE4, CNE5
> Network Manager, NHRA
> [email protected]

--
Steven Lee, CISSP
Senior Network Security Engineer
AVCOM Technologies, Inc.
4636 E Marginal Way S, Ste B-100
Seattle, WA 98134-2383
http://www.avcom.com
mailto:[email protected]
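Following Steve's advice to turn off address resolution, the check below takes firewall log entries in the two-column shape Michelle quoted, maps any resolved names back to addresses, and classifies each source as one of the site's own RFC1918 ranges, a foreign RFC1918 address that someone upstream is letting cross (the ISP leak discussed in this thread), or a public address. This is an added example, not code from the thread or from the FW1 product; the log lines and the internal prefix are constructed, and a small lookup table stands in for DNS so it runs offline (it includes the t130.uia.net to 172.16.1.130 mapping reported in the thread, the other entries are made up).

```python
import ipaddress

# The three RFC 1918 private address blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed stand-in for DNS: what the firewall's resolved names map back to.
# t130.uia.net -> 172.16.1.130 is the mapping reported in the thread; the rest
# are documentation (TEST-NET) addresses chosen for the example.
CONSTRUCTED_RESOLVER = {
    "t130.uia.net": "172.16.1.130",
    "msnbc.com": "198.51.100.10",
    "www.example.com": "203.0.113.5",
}

# Constructed log in the Source/Destination layout quoted in the thread.
CONSTRUCTED_LOG = """\
Source          Destination
t130.uia.net    msnbc.com
192.168.5.20    www.example.com
203.0.113.77    www.example.com
10.9.8.7        203.0.113.5
"""


def to_ip(token, resolver):
    """Map a log token to an ip_address; hostnames go through the resolver.
    Returns None when the token is neither an address nor a known name."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        addr = resolver.get(token)
        return ipaddress.ip_address(addr) if addr else None


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def classify_sources(log_text, resolver, internal_nets):
    """Return (source_token, ip_str, verdict) per log line, skipping the header.
    verdict: 'internal' (RFC1918 and inside one of our own prefixes),
    'leaked-private' (RFC1918 but not ours, i.e. it crossed from upstream),
    'public', or 'unresolved'."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    results = []
    for line in log_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 2:
            continue
        src_token = parts[0]
        ip = to_ip(src_token, resolver)
        if ip is None:
            results.append((src_token, None, "unresolved"))
            continue
        if is_rfc1918(ip):
            verdict = "internal" if any(ip in n for n in internal) else "leaked-private"
        else:
            verdict = "public"
        results.append((src_token, str(ip), verdict))
    return results


def leaked_sources(log_text, resolver, internal_nets):
    """Only the entries a firewall on the outside interface should never see."""
    return [r for r in classify_sources(log_text, resolver, internal_nets)
            if r[2] == "leaked-private"]


if __name__ == "__main__":
    # Constructed assumption: this site numbers its LAN from 192.168.5.0/24.
    for row in classify_sources(CONSTRUCTED_LOG, CONSTRUCTED_RESOLVER, ["192.168.5.0/24"]):
        print(row)
```

Anything reported as `leaked-private` on an external interface is a candidate for an explicit drop rule on that interface (the upstream should not be passing RFC1918 sources at all), while an `internal` verdict on the outside interface would instead point at a local routing or NAT problem.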