At 02:55 PM 10/28/2010, Brielle Bruns wrote:
Okay, so this has my head hurting a bit just trying to figure out
just how this is possible and what kind of equipment would pull this stunt.
Misconfig of a p2p addr somewhere? Perhaps someone used 0.0.0.0/30
as a p2p addr for kicks.
e.g. I just tried this at home.
on a next hop router,
# ifconfig igb1 0.0.0.0/30 alias
on a node/workstation behind the above router
0(i5)# ifconfig em0 0.0.0.1/30 alias
0(i5)# route add 173.194.32.104 0.0.0.0
0(i5)# telnet -s 10.255.255.27 173.194.32.104 80
Trying 173.194.32.104...
Connected to yyz06s05-in-f104.1e100.net.
Escape character is '^]'.
And looking for the arp who has, it is indeed asking for 0.0.0.0's
MAC addr for the next hop.
15:07:38.308758 00:15:17:ed:36:e5 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 0.0.0.0 tell 0.0.0.1, length 46
15:07:38.308764 00:30:48:94:88:21 > 00:15:17:ed:36:e5, ethertype ARP (0x0806), length 42: Reply 0.0.0.0 is-at 00:30:48:94:88:21, length 28
---Mike
Tracing from here (cableone cable modem) to the outside world, I end
up with the following at the beginning of my traceroute.
1 192.168.1.1 (192.168.1.1) 2.759 ms 0.803 ms 0.769 ms
2 0.0.0.0 (0.0.0.0) 10.462 ms 9.543 ms 8.043 ms
3 192.168.32.65 (192.168.32.65) 9.984 ms 9.654 ms 9.570 ms
4 te-4-4.car2.seattle1.level3.net (4.53.146.117) 25.960 ms 21.798 ms 24.144 ms
.... etc
0.0.0.0 as one of the hops. So, I pulled out LFT to make sure
traceroute isn't going nuts.
Layer Four Traceroute (LFT) version 3.1
Using device en1, 192.168.1.101:53
TTL LFT trace to 207.70.17.213:80/tcp
1 192.168.1.1 0.9/0.9ms
2 /9.8/10.3ms
3 192.168.32.65 9.7/8.3ms
4 10.255.255.1 9.1/8.4ms
5 te-4-4.car2.seattle1.level3.net (4.53.146.117) 29.0/20.2ms
Fun, no entry for hop 2, plus there's an extra hop at #4. Let's use verbose.
Layer Four Traceroute (LFT) version 3.1 ... (verbosity level 2)
Using device en1, 192.168.1.101:53
SENT TCP TTL=1 SEQ=648736948 FLAGS=0x2 ( SYN )
SENT TCP TTL=2 SEQ=648736949 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736948 SRC=192.168.1.1 PTTL=1 PSEQ=648736948
SENT TCP TTL=3 SEQ=648736950 FLAGS=0x2 ( SYN )
SENT TCP TTL=4 SEQ=648736951 FLAGS=0x2 ( SYN )
SENT TCP TTL=5 SEQ=648736952 FLAGS=0x2 ( SYN )
SENT TCP TTL=6 SEQ=648736953 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736949 SRC=0.0.0.0 PTTL=2 PSEQ=648736949
SENT TCP TTL=7 SEQ=648736954 FLAGS=0x2 ( SYN )
RCVD ICMP SEQ=648736950 SRC=192.168.32.65 PTTL=3 PSEQ=648736950
RCVD ICMP SEQ=648736951 SRC=10.255.255.1 PTTL=4 PSEQ=648736951
RCVD ICMP SEQ=648736953 SRC=4.68.105.30 PTTL=6 PSEQ=648736953
Am I going nuts, or is something really messed up somewhere upstream
from the cable modem? To quote someone from IRC who's just as
confused, "the null route just talked to me".
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
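
An added example, not part of the original thread: a small checker that reads classic traceroute output or LFT verbose `RCVD ICMP` lines like those quoted above and flags hops whose reply source falls in 0.0.0.0/8, plus RFC 1918 sources past the first hop. The function names and the assumption that hop 1 is the local LAN gateway are this example's own.

```python
import ipaddress
import re

# 0.0.0.0/8 is "this network" (RFC 1122): never a valid ICMP source for a router.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# LFT verbose reply, e.g. "RCVD ICMP SEQ=... SRC=0.0.0.0 PTTL=2 PSEQ=..."
LFT_RE = re.compile(r"RCVD ICMP .*?SRC=(\d+\.\d+\.\d+\.\d+) PTTL=(\d+)")
# Classic traceroute hop, e.g. " 2 0.0.0.0 (0.0.0.0) 10.462 ms ..."
TR_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")

def parse_hops(text):
    """Return sorted, de-duplicated (ttl, address) pairs from either format."""
    hops = set()
    for line in text.splitlines():
        m = LFT_RE.search(line)
        if m:
            hops.add((int(m.group(2)), ipaddress.ip_address(m.group(1))))
            continue
        m = TR_RE.match(line)
        if m:
            hops.add((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return sorted(hops)

def classify(ttl, addr):
    if addr in THIS_NETWORK:
        return "this-network"        # misconfigured link address or broken stack
    # Assumption: hop 1 is the local gateway, so private space is expected there.
    if ttl > 1 and any(addr in net for net in RFC1918):
        return "rfc1918-upstream"    # informational: provider numbers links privately
    return "ok"

def audit(text):
    """Return (ttl, address, label) for every hop that is not 'ok'."""
    findings = []
    for ttl, addr in parse_hops(text):
        label = classify(ttl, addr)
        if label != "ok":
            findings.append((ttl, str(addr), label))
    return findings

# Reply lines copied from the LFT verbose trace in the message above.
SAMPLE = """\
RCVD ICMP SEQ=648736948 SRC=192.168.1.1 PTTL=1 PSEQ=648736948
RCVD ICMP SEQ=648736949 SRC=0.0.0.0 PTTL=2 PSEQ=648736949
RCVD ICMP SEQ=648736950 SRC=192.168.32.65 PTTL=3 PSEQ=648736950
RCVD ICMP SEQ=648736951 SRC=10.255.255.1 PTTL=4 PSEQ=648736951
RCVD ICMP SEQ=648736953 SRC=4.68.105.30 PTTL=6 PSEQ=648736953
"""

if __name__ == "__main__":
    for ttl, addr, label in audit(SAMPLE):
        print(f"hop {ttl}: {addr} -> {label}")
```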