[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Whois 172/12

Read RFC1918.

Likely a machine on his local network (i.e. behind the same NAT box) is hitting him.

But that is not guaranteed.  A packet with a source address of 172.0.x.x could be hitting his machine.  Depends on how well you filter.  Many networks only look at destination IP address, source can be anything - spoofed, un-NAT'ed, etc.  He just wouldn't be able to send anything back to it (unless it was on the local LAN, as I mention above).

-- 
TTFN,
patrick


On Jan 15, 2012, at 2:53 AM, Alex Ryu wrote:

> As far as I know, 172.0.1.216 is not assigned, yet.
> 
> whois -h whois.arin.net 172.0.1.216
> [whois.arin.net]
> #
> # Query terms are ambiguous.  The query is assumed to be:
> #     "n 172.0.1.216"
> #
> # Use "?" to get help.
> #
> 
> No match found for 172.0.1.216.
> 
> 
> 
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/whois_tou.html
> #
> 
> Also, when you check BGP routing table, it is not routed at all.
> 
> route-server.as3257.net>sh ip bgp 172.0.1.216
> % Network not in table
> route-server.as3257.net>
> 
> So it seems like forged IP address.
> 
> Alex
> 
> 
> On Sun, Jan 15, 2012 at 1:37 AM, Ted Fischer <ted at fred.net> wrote:
>> Hi all,
>> 
>>   Tearing what's left of my hair out.
>> 
>>   A customer is getting scanned by a host claiming to be "172.0.1.216".
>> 
>>   I know this is bogus, but I want to go back to the customer with as
>> much authoritative umph as I can (heaven forbid they just take my
>> word).
>> 
>>   I'm pretty sure I read somewhere once that 172/12 was "reserved" or
>> something like that.  All I can find now is that 172/8 is "administered by
>> ARIN".  Lots of information on 172.16/12, but not a peep about
>> 172/12.
>> 
>>   If anybody could provide some insight as to the
>> allocation/non-allocation of this block, it would be much appreciated.
>> 
>>   Thanks.
>> 
>> Ted Fischer
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>