The Veritable TechNinja
[Mar. 28th, 2003|08:55 am]
The Veritable TechNinja
[status | groggy]

So last night, the note about Rubi-con from my company put me in the mood to review my network security. All seemed well, found some ancient script kiddie attacks from Russia to port 8000 (WTH? You think I'm stupid enough to open a web-based configuration system on the public 'net?), mailed the log entries to their appropriate abuse@. Then I noticed something a little odd. My DHCP leases were coming from a class B private IP. It's possible, but I'm not sure why a huge-ass ISP with a 1.7 million node netblock would run their DHCP services in some kind of intermediary network. I knew for a fact that last time I checked, they were coming from a normal Comcast public IP. I hit Comcast's site, looks like they're outsourcing their tech support now. Their "preferred method of support" is live java chat with a buttload of system scanning tools. Okay, I consider anything that can tell me what GID the login I'm using is in as hostile, but I block it and move on. The first person I speak to seems to be your average phone-fodder, well scripted but poorly skilled. Considering "why are my DHCP leases coming from a 172.60 address?" is a little over the head of your average 1st level, I ask for 2nd level. That person was an absolute joke. Seriously, this person tried to tell me that their DHCP server is issued _its_ IP from another DHCP server. Other fun quotes included "the words 'router' and 'server' are interchangeable, they mean the same thing", and "the binary address 172.40.[something]..." Uh, buddy? If you expressed an IP address in binary, you'd be typing for a while. Then the jizznozzle has the chutzpah to tell me I should get my MCSE. I told him I didn't need it, and clued him in on what I do for a living. He hung up on me. So I dig around for their voice support number, call it.
A nice girl clues me in, in plain English, that since Comcast bought AT&T's cablemodem division, they're using their DHCP services for a while, and AT&T runs a private-class network backwards of the proxy for their internal-only services like DHCP and such. Why my DHCP lease is giving me a public-class IP, public-class DNS servers, but comes from a private-class IP itself (which, BTW, is unpingable, and when I attempt to do so I get a dest net unreachable from some class A private IP). Something is really not sounding right about that, but if the tech department readily recognizes the address and external tracerts aren't making any suspicious hops, I'm happy for now.

Comments:
From: angelopercieval
2003-03-28 08:46 am (UTC)
Holy shit... you lost me at "So last night..."

Angelo (ignorant)
From: arcsine
2003-03-28 09:20 am (UTC)
D00d, you're not ig'nant... You've got more schooling than I'll probably ever have.

Anyway, the gist of the post is that a small-time hacker conference is in Dearborn this weekend, and the lack of security here prompted me to take a look at the security I have for my home network. Everything was normal except for one thing. The server that gives me an IP to use was different than it was before. The first tech I spoke to about it was a knob-gobbler who tried to pass some randomly strewn together technical terms off as a reason why. I called the voice support on the phone, they clued me in.
From: recovry
2003-03-28 04:34 pm (UTC)
Geez, binary address? I'm frightened to think what would happen if you asked him to read back that address to you in ASCII code.


101100101101010......
From: itszer0
2003-03-31 08:32 am (UTC)
If you don't work for the hotel: 172.40 was the IP space of the hotel's public wireless (before it was pulled on Thurs).
They used 172...

172.40.100.x for DHCP lease
172.0.0.1 for internal stuff (default gw)
and 192.168.0.0 for private stuff (not broadcast)

From: arcsine
2003-03-31 11:43 am (UTC)
No, this was my cablemodem at home. The lease used to come from 68.something, lately it had been coming from 172.40.something. Any idea why AT&T would give their DHCP server a private-class IP?
From: itszer0
2003-03-31 12:40 pm (UTC)
Comcast does the same thing; it's because their DHCP server isn't public.
From: arcsine
2003-03-31 12:45 pm (UTC)
They used to use a public IP until they bought the AT&T network. Still, why have a DHCP server on an entirely separate network from the machines it's giving IPs?
From: itszer0
2003-04-01 02:31 am (UTC)
I could *swear* they used private for their DHCP server, but I don't care.

Why have it public?

Have you done much research about the CNR and CMTS and the registration process? Or DOCSIS standards? They all use private IPs, and the same server the cable modem gets its IP from (iirc) is the same one your DHCP client does.
From: arcsine
2003-03-31 05:52 pm (UTC)
While we're on the subject, what the hell do you think could be causing this kind of latency?
2 <10ms <10 ms <10 ms {IP of my workstation}
2 10 ms 21 ms 10 ms 10.59.152.1
3 10 ms 30 ms 11 ms 172.30.158.209
4 10 ms 10 ms 30 ms 172.30.158.238
5 20 ms 10 ms 20 ms 172.30.154.186
6 10 ms 10 ms 10 ms 172.30.158.115
7 10 ms 10 ms 50 ms 68.42.244.182
8 10 ms 10 ms 20 ms 12.119.243.37
9 10 ms 20 ms 10 ms gbr2-p30.dtrmi.ip.att.net [12.123.139.34]
10 * * * Request timed out.
11 20 ms 20 ms 10 ms ggr2-p390.cgcil.ip.att.net [12.123.6.37]
12 40 ms 20 ms 20 ms so-1-1-0.edge1.Chicago1.Level3.net [209.0.227.77]
13 20 ms 20 ms 20 ms so-7-0-0.mp1.Chicago1.Level3.net [209.244.8.9]
14 60 ms 70 ms 80 ms so-3-0-0.mp1.SanJose1.Level3.net [64.159.1.129]
15 60 ms 61 ms 70 ms gige9-1.ipcolo3.SanJose1.Level3.net [64.159.2.73]
16 60 ms 70 ms 100 ms unknown.Level3.net [64.152.69.30]
17 60 ms 80 ms 60 ms w1.rc.vip.scd.yahoo.com [66.218.71.198]

Trace complete.
From: itszer0
2003-04-01 02:33 am (UTC)
I'm more lagged than you...

1 30.254.121.1 (30.254.121.1) 2.687 ms 2.617 ms 2.602 ms
2 10.68.152.1 (10.68.152.1) 41.759 ms 10.806 ms 47.236 ms
3 172.30.171.17 (172.30.171.17) 29.646 ms 12.957 ms 84.028 ms
4 172.30.171.58 (172.30.171.58) 30.975 ms 28.735 ms 52.952 ms
5 68.60.32.250 (68.60.32.250) 11.333 ms 11.696 ms 14.418 ms
6 sl-gw38-chi-8-0.sprintlink.net (160.81.246.205) 19.342 ms 18.518 ms 22.176 ms
7 sl-bb20-chi-4-0.sprintlink.net (144.232.26.129) 35.541 ms 16.952 ms 18.581 ms
8 sl-st20-chi-14-0.sprintlink.net (144.232.20.76) 21.233 ms 18.699 ms 88.816 ms
9 pos1-5.core2.Chicago1.Level3.net (209.0.225.21) 79.671 ms 99.704 ms 95.498 ms
10 so-7-0-0.mp1.Chicago1.Level3.net (209.244.8.9) 37.543 ms 21.203 ms 78.579 ms
11 so-3-0-0.mp1.SanJose1.Level3.net (64.159.1.129) 79.752 ms 99.592 ms 160.138 ms
12 gige9-2.ipcolo3.SanJose1.Level3.net (64.159.2.137) 71.086 ms 157.500 ms 71.988 ms
13 unknown.Level3.net (64.152.69.30) 74.408 ms 91.809 ms 84.260 ms
14 alteon3.68.scd.yahoo.com (66.218.68.12) 114.478 ms 112.108 ms 73.817 ms
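Both a Windows tracert and a Unix traceroute are posted in this thread, and the running question is whether hops and a DHCP server in 172.x space are anything to worry about. As an added example, not code from the original post or its commenters, the Python script below parses both output formats, flags the hops that actually sit in RFC 1918 space (10/8, 172.16/12, 192.168/16; note that 172.40.x.x and 172.60.x.x lie outside 172.16.0.0/12 and so are not private addresses at all), and picks out the slowest hop. The sample lines are abridged from the two traces above.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

class Hop(NamedTuple):
    number: int
    ip: Optional[str]      # None when the hop timed out or printed no address
    rtts_ms: List[float]   # probe round-trip times in ms (empty for "* * *")

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RTT_RE = re.compile(r"<?\s*(\d+(?:\.\d+)?)\s*ms")   # "<10 ms", "10 ms", "2.687 ms"
# RFC 1918 ranges only: 172.40.x.x and 172.60.x.x fall outside 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hop(line: str) -> Optional[Hop]:
    """Parse one hop line from tracert or traceroute; None for any other line."""
    m = re.match(r"\s*(\d+)\s+(.*)", line)
    if not m:
        return None
    rest = m.group(2)
    ips = IP_RE.findall(rest)   # last match is the bracketed/parenthesised address
    rtts = [float(v) for v in RTT_RE.findall(rest)]
    return Hop(int(m.group(1)), ips[-1] if ips else None, rtts)

def parse_trace(text: str) -> List[Hop]:
    return [h for h in map(parse_hop, text.splitlines()) if h is not None]

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def private_hops(hops: List[Hop]) -> List[Hop]:
    """Hops in RFC 1918 space: expected in the ISP's DOCSIS management net, odd past the edge."""
    return [h for h in hops if h.ip and is_rfc1918(h.ip)]

def worst_hop(hops: List[Hop]) -> Optional[Hop]:
    """Hop with the highest single probe RTT (earliest hop wins ties)."""
    timed = [h for h in hops if h.rtts_ms]
    return max(timed, key=lambda h: max(h.rtts_ms)) if timed else None

# Sample lines abridged from the two traces posted in this thread.
TRACERT_SAMPLE = """\
  2    10 ms    21 ms    10 ms  10.59.152.1
  3    10 ms    30 ms    11 ms  172.30.158.209
 10     *        *        *     Request timed out.
 14    60 ms    70 ms    80 ms  so-3-0-0.mp1.SanJose1.Level3.net [64.159.1.129]"""
TRACEROUTE_SAMPLE = """\
 1  30.254.121.1 (30.254.121.1)  2.687 ms  2.617 ms  2.602 ms
 2  10.68.152.1 (10.68.152.1)  41.759 ms  10.806 ms  47.236 ms
11  so-3-0-0.mp1.SanJose1.Level3.net (64.159.1.129)  79.752 ms  99.592 ms  160.138 ms"""
```

Run `private_hops(parse_trace(TRACERT_SAMPLE))` to see only the 10.x and 172.30.x hops come back, while 30.254.121.1 in the second trace (not RFC 1918 space) does not.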