Subject: Re: Odd snmp scans from 10.0.0.0/8 address ???
From: Ex Machina (xmGEEKMAFIA.DYNIP.COM)
Date: Thu Apr 27 2000 - 15:46:01 CDT


Interestingly enough, I've noticed that a LOT of large ISPs use 10.* for
routers/stuff within their network. It is one of the reasons that you'll
see random hops missing in traceroutes.

Ex Machina (xmgeekmafia.dynip.com) http://geekmafia.dynip.com/~xm/
phone: 1-877-LPT-WHIP icq: 3387005 aim: ExMachina
GnuPG Keyprint: 0627 C3A8 DE25 F7FB 46BD 4870 2006 CF7F EBDA 949D

On Thu, 27 Apr 2000, Wes Hardaker wrote:

> Date: Thu, 27 Apr 2000 07:55:28 -0700
> From: Wes Hardaker <wjhardakerUCDAVIS.EDU>
> To: INCIDENTSSECURITYFOCUS.COM
> Subject: Re: Odd snmp scans from 10.0.0.0/8 address ???
>
> >>>>> On Wed, 26 Apr 2000 17:06:50 +1200, Russell Fulton <r.fultonAUCKLAND.AC.NZ> said:
>
> Russell> A few days ago we saw a series of scans that varied the 3rd
> Russell> octet of the IP address (see argus logs below). These scans
> Russell> appeared to be part of a much wider scan perhaps all of 130/8
> Russell> as the scans repeated every couple of hours with a new final
> Russell> octet.
>
> But if they're coming from the 10.x.x.x block, then they are quite
> possibly coming from internally to your site since no one should be
> routing those packets through the net in the first place.
>
> It's probably someone at your site running network management software
> that's doing a map of the network.
>
> --
> Wes Hardaker
> Distributed Computing Analysis and Support
> University of California at Davis
>
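
An added example, not part of the original thread or its argus logs: one way a defender could check flow records for the pattern discussed above, SNMP probes (UDP/161) from RFC 1918 sources where the third destination octet varies and the final octet stays fixed per pass. The record format, the sample addresses (reserved test ranges) and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges; packets sourced from these should not arrive from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not the argus logs from the thread), one per line:
# epoch proto src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
956725200 udp 10.1.2.3 1047 198.18.1.17 161
956725201 udp 10.1.2.3 1047 198.18.2.17 161
956725202 udp 10.1.2.3 1047 198.18.3.17 161
956732400 udp 10.1.2.3 1051 198.18.1.18 161
956732401 udp 10.1.2.3 1051 198.18.2.18 161
956732500 udp 192.0.2.9 2000 198.18.5.5 161
956732600 tcp 10.9.9.9 3000 198.18.5.5 80
truncated line
"""

def is_rfc1918(addr):
    """True when addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918)

def parse(line):
    """Return (proto, src, dst, dport), or None for malformed or non-IPv4 lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        src, dst = ipaddress.IPv4Address(parts[2]), ipaddress.IPv4Address(parts[4])
        return parts[1].lower(), str(src), str(dst), int(parts[5])
    except ValueError:
        return None

def snmp_sweeps(text, min_subnets=2):
    """Map (private source, final destination octet) -> sorted third octets probed."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        proto, src, dst, dport = rec
        if proto == "udp" and dport == 161 and is_rfc1918(src):
            third, last = (int(o) for o in dst.split(".")[2:])
            seen[(src, last)].add(third)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_subnets}

if __name__ == "__main__":
    for (src, last), thirds in snmp_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} -> x.x.N.{last} udp/161, third octets {thirds}")
```

A hit only says that private-source SNMP traffic was seen; whether it originates inside the site, as suggested in the thread, still has to be settled by which interface the flows were recorded on.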