Tzafrir Cohen wrote:
> On Sun, 13 Jan 2002, Peter Jönsson wrote:
>> Jan 12 19:33:17 mars snort: Deep Throat/Invasor: 10.0.0.1:53 -> <my-ip>:3150
>
> Is 10.0.0.1 your ISP ?!

Yes... Telia ( http://www.telia.se ) uses the 10.0.0.x range for dns, mail and for the login procedure they make you do to get access to the Internet. I know it's stupid, but they apparently don't.

> Those appear like some spoofed packets.

They could be spoofed, but that's kinda hard to determine since Telia uses 10.0.0.x for legit traffic. If it wasn't for the fact that I knew that 10.0.0.1 was the dns-server I would have known that it was spoofed. Now I don't know if it's the dns-server or someone spoofing. They use that server ( 10.0.0.1 ) for other things as well, I found that out when I portscanned them by mistake ( the firewall had 10.0.0.1 as its local address in /etc/hosts before so I thought I was scanning my machine, ooops ).

> Packets from addresses 10.x.x.x, 172.16-32.x.x and 192.168.x.x should not come from the internet. Those address ranges are preserved for "private" networks. Your firewall should generally drop any such packet.
>
> Note that if your local network actually contains such addresses (e.g.: your home network is a masqueraded one, and uses the range 192.168.0.x) then you should allow packets of that range from the internal interface.

Yeah, I had to make some holes in the firewall to be able to get dns, smtp, pop, bootp working since all of those use addresses in the 10.0.0.x range. For some reason they also use 10.0.133.1 as router/gateway. When I do a traceroute that's the hop after my firewall.
// peter
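The policy this thread circles around, written out as an added example (not code from the thread or from Telia): drop RFC 1918 sources on the external link, except for the ISP's own addresses, and even those only as replies to traffic the host actually sent, which is what separates the real 10.0.0.1 DNS reply from a spoofed one. The port assignments in ISP_SERVICES and the 192.0.2.10 stand-in for <my-ip> are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# RFC 1918 ranges. Note the 172 block is a /12: 172.16.0.0 - 172.31.255.255.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (address, port) pairs the ISP serves from private space on the external link.
# 10.0.0.1 and 10.0.133.1 are from the thread; the port assignments are assumed.
ISP_SERVICES = {("10.0.0.1", 53), ("10.0.0.1", 25), ("10.0.0.1", 110),
                ("10.0.133.1", 67)}

Flow = namedtuple("Flow", "src sport dst dport")
ALERT_RE = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_alert(line):
    """Pull the 4-tuple out of a snort alert line like the one in the thread."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def verdict(flow, iface, outbound):
    """Verdict for an inbound packet; iface is "internal" or "external",
    outbound is the set of Flows this host sent (the state a reply must match)."""
    if not is_private(flow.src):
        return "accept"            # routable source: ordinary rules apply
    if iface == "internal":
        return "accept"            # our own masqueraded LAN, as Tzafrir notes
    if (flow.src, flow.sport) not in ISP_SERVICES:
        return "drop"              # private source the ISP never uses: bogon
    # An ISP address on the right port is still only trusted as a reply to
    # something we actually sent; unsolicited traffic from it is dropped.
    reply_of = Flow(flow.dst, flow.dport, flow.src, flow.sport)
    return "accept" if reply_of in outbound else "drop-unsolicited"

if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 stands in for <my-ip> in the thread's alert.
    sent = {Flow("192.0.2.10", 3150, "10.0.0.1", 53)}
    alert = "Jan 12 19:33:17 mars snort: Deep Throat/Invasor: 10.0.0.1:53 -> 192.0.2.10:3150"
    flow = parse_alert(alert)
    print(verdict(flow, "external", sent), verdict(flow, "external", set()))
```

With a matching outbound query the alert is accepted as a DNS reply; without one the same packet is dropped as unsolicited, which is the case snort was flagging.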