| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 May 2013 15:19:28 -0400
From: Gary Baribault <gary@...ibault.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: My ISP is routing traffic to private
addresses...
I'm with a largish cable provider in Quebec, and they use the 10.x.x.x
network throughout theirs, but if you're trying to access a 172.30
device inside your private home or work network why is that traffic
escaping to your ISP? If you're trying to access 172.30.x.x devices over
the Internet, it's not supposed to work.
$ traceroute -n www.videotron.com
traceroute to www.videotron.com (24.201.243.21), 30 hops max, 60 byte
packets
1 192.168.0.2 0.137 ms 0.064 ms 0.071 ms
2 * * *
3 10.170.169.49 16.351 ms 17.245 ms 17.185 ms
4 10.170.162.214 12.740 ms 13.593 ms 13.539 ms
5 10.170.167.14 24.527 ms 25.335 ms 25.282 ms
6 10.170.177.165 18.039 ms 18.904 ms 18.833 ms
7 10.170.163.177 14.135 ms 9.233 ms 12.787 ms
8 10.170.163.182 13.678 ms 12.584 ms 11.337 ms
etc...
If I was using 10.x.x.x then I would route the traffic inside, I use
192.168.0.x at home, so 10 would leak to the net, but that's RFC'd not
to work.
Gary Baribault
On 05/17/2013 03:08 PM, kyle kemmerer wrote:
> So today when trying to access a device on my network (172.30.x.x
> range) I was taken to the web interface of a completely different
> device. This baffled me at first, but after a bit of poking around, I
> determined that my ISP was actually routing traffic to these
> addresses. See the trace below
>
>
> Tracing route to 172.30.4.18 over a maximum of 30 hops
>
> 1 11 ms 18 ms 19 ms XXXXXXXXX
> 2 30 ms 178 ms 212 ms vl4.aggr1.phdl.pa.rcn.net
> <http://vl4.aggr1.phdl.pa.rcn.net> [208.59.252.1]
> 3 13 ms 18 ms 13 ms tge0-1-0-0.core1.phdl.pa.rcn.net
> <http://tge0-1-0-0.core1.phdl.pa.rcn.net> [207.172.15.50]
>
> 4 37 ms 39 ms 57 ms tge0-0-0-2.core1.lnh.md.rcn.net
> <http://tge0-0-0-2.core1.lnh.md.rcn.net> [207.172.19.227]
>
> 5 35 ms 34 ms 32 ms tge0-1-0-1.core1.chgo.il.rcn.net
> <http://tge0-1-0-1.core1.chgo.il.rcn.net> [207.172.19.235
> ]
> 6 42 ms 38 ms 39 ms port-chan13.aggr2.chgo.il.rcn.net
> <http://port-chan13.aggr2.chgo.il.rcn.net> [207.172.15.20
> 1]
> 7 37 ms 39 ms 39 ms
> port-chan1.mart-ubr1.chi-mart.il.cable.rcn.net
> <http://port-chan1.mart-ubr1.chi-mart.il.cable.rcn.net> [
> 207.229.191.132]
> 8 57 ms 61 ms 53 ms 172.30.4.18
>
> Trace complete.
>
>
> So I break out nmap and do a quick scan, and find that there are
> thousands of these devices across this IP range. Has anybody ever
> seen anything like this? Surely this must be a mistake, right? If
> anybody else is using RCN as an ISP, can you access these addresses as
> well?
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists