CYMRU has 7/8 listed as a bogon:
        http://www.cymru.com/Documents/bogon-dd.html

Their list is more or less authoritative, so I would believe that you should 
never see traffic from that netblock. This is also consistent with Sprint 
blackholing it as a bogon in your original post.

That said, it doesn't mean that the netblock is unused. Most likely it is a 
netblock that DoD actually uses, but it is only routed on DoD's private 
backbone and never on the Internet.

If you are seeing traffic to/from that netblock, there are two possibilities 
that come to mind:
   1) Spoofed source IPs on UDP and ICMP traffic.
   2) If it is TCP traffic, then probably someone has hijacked the netblock and is 
publishing BGP routes to it. Hijacking unallocated netblocks has been a common 
spamming technique for at least 10 years -- although with today's botnets it does 
not appear to be as commonly used (IMHO). Also, the spammers usually try to hide 
within smaller unallocated netblocks (< /16) of allocated netblocks (a little 
less obvious and less likely to be blackholed).

If you are seeing traffic to/from this netblock, PLEASE do a traceroute back to 
that IP -- in fact do several from different networks -- to make it easier for 
law enforcement to trace back to the hijacker. Also, try using something 
smarter than standard traceroute, such as:
        http://www.paris-traceroute.net/

If you are seeing traffic from hijacked netblocks, contact your local 
InfraGard group -- I know the FBI will be VERY interested in that information.

Jon Kibler



william(at)elan.net wrote:


Anybody know if 7.0.0.0/8 is or is not allocated to DoD?
The data at IANA and ARIN is kind-of confusing...

---------------------------------------------------------------
7.1.1.0/24 ## AS1239 : SPRINTLINK : Sprint
           7.0.0.0 - 7.255.255.255 ## Bogon (unallocated) ip range
---------------------------------------------------------------
http://www.iana.org/assignments/ipv4-address-space
007/8   Apr 95   IANA - Reserved
---------------------------------------------------------------
[IPv4 whois information for 7.0.0.1 ]
[whois.arin.net]

OrgName:    DoD Network Information Center
OrgID:      DNIC
Address:    3990 E. Broad Street
City:       Columbus
StateProv:  OH
PostalCode: 43218
Country:    US

NetRange:   7.0.0.0 - 7.255.255.255
CIDR:       7.0.0.0/8
NetName:    DISANET7
NetHandle:  NET-7-0-0-0-1
Parent:
NetType:    Direct Allocation
Comment:
RegDate:    1997-11-24
Updated:    2006-04-28

OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName:   Network DoD
OrgTechPhone:  +1-800-365-3642
OrgTechEmail:  [EMAIL PROTECTED]


--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214
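
The triage described in the reply above, as an added example that is not part of the original message: it sorts flows with bogon source addresses into the two explanations the reply gives. The flow record layout, the handshake flag, the "tcp_unconfirmed" bucket and the one-entry bogon list are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict

# Assumption: a one-entry bogon list holding only the prefix discussed in the
# thread. A real deployment would load the currently published list instead.
BOGONS = [ipaddress.ip_network("7.0.0.0/8")]

# Constructed sample flow records: (src_ip, protocol, tcp_handshake_completed)
SAMPLE_FLOWS = [
    ("7.1.1.25", "udp", False),
    ("7.1.1.25", "tcp", True),
    ("7.200.3.9", "icmp", False),
    ("7.44.0.2", "tcp", False),
    ("192.0.2.10", "tcp", True),   # not a bogon source, ignored
]


def is_bogon(ip, bogons=BOGONS):
    """Return True if the address falls inside any listed bogon prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in bogons)


def triage(flows, bogons=BOGONS):
    """Group bogon-sourced flows by the explanation the reply suggests."""
    result = defaultdict(list)
    for src, proto, established in flows:
        if not is_bogon(src, bogons):
            continue
        proto = proto.lower()
        if proto in ("udp", "icmp"):
            # Connectionless traffic needs no return path, so the source
            # address can simply be forged.
            result["likely_spoofed"].append(src)
        elif proto == "tcp" and established:
            # A completed handshake means replies reached the source, so a
            # route to the prefix exists somewhere: collect traceroutes.
            result["possible_hijack"].append(src)
        elif proto == "tcp":
            # Assumption of this sketch: TCP without a completed handshake
            # is kept apart, since it does not show a return path.
            result["tcp_unconfirmed"].append(src)
        else:
            result["other"].append(src)
    return dict(result)


if __name__ == "__main__":
    for bucket, sources in triage(SAMPLE_FLOWS).items():
        print(bucket, sources)
```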
