Private IP addressing, routable now?

!30 Member Posts: 356
Hi to all, I have a big, big doubt that I thought I had resolved, but now I realise that I haven't; a mystery, maybe something I don't understand. Let me explain:

In my country, we have a forum; the forum servers are in Bucharest. Administrators can see all IPs of the users who connect and post in the forum. But here comes the mystery. The administrators sometimes see a private IP as the user's IP address {users that are not in the internal network with the forum servers}. How can some users that are not from the internal network with the forum servers appear in the forum databases with private IP addressing? There are users from outside Romania that appear with a private IP, although they should appear with a public / routable IP address, no? Really.

I thought that users in the internal network with the forum servers would appear with a private address {because they are on an internal network with private IP addressing}, but why do other users, who are from far far away, appear with internal / private IPs too?

I thought that it is something with tunnels, VPNs, or something like that, or some problem with the databases that show a private IP for some administrative reason, but many of them appear with their public, translated IP address, the routable one.

Can someone explain the thing to me, although I think it is just a very simple thing?

Thanks in advance!
Optimism is an occupational hazard of programming: feedback is the treatment. (Kent Beck)

Comments

  • bighornsheep Member Posts: 1,506
    Just because a script can track the internal private IP doesn't mean the IP address is routable. Some older scripts cannot process NAT information and therefore track the private IP instead of the public shared IP address.

    I believe this was a problem with many CGI-based forums. A non-routable private-class IP address means that you can't search for a host such as 10.0.0.1 and expect your gateway to hop that to the next router, because it will discard the request.
    Jack of all trades, master of none
  • !30 Member Posts: 356
    Yeah, right, but why do some IPs appear with the routable IP address {although in the internal network they use a private one} and some appear with the private IP address? It is the same script :P
    Why do some appear with the routable and some with the private?
    Optimism is an occupational hazard of programming: feedback is the treatment. (Kent Beck)
  • blackzone Member Posts: 82
    A private IP address is not routable over the internet.

    If you are the administrator of the network and web server, feel free to inspect. Else I probably suggest finding some better thing to do with the time given to you.
  • drpower555 Member Posts: 56
    Sometimes private IPs do escape into the wild, through incorrect firewall settings or SOHO routers. Don't ask me how because I don't know. But there are a number of servers running on the internet specifically to collect these wild private IPs; these servers are named "blackhole". Look them up and check it out.
    Psychotic Anthropophobiac Android
  • keatron Member Posts: 1,213
    In a humble attempt to add some completion to this discussion, it should be pointed out that non-routable does not mean "can't be touched". With the proper use of SSH tunneling and/or GRE tunneling techniques, you can in a makeshift botchy fashion route to an internal host regardless of the class of IP. While it's not really routing in a traditional sense, the technique renders the same result as a traditional route. I might post a demonstration of this in the C|EH forum but I still haven't quite decided what's a little too much to be posting on a public forum.
  • Webmaster Admin Posts: 10,292
    In an even more humble attempt to add something to this topic: the administrator should configure the server to drop incoming requests with a source address in the private address range (to prevent spoofing attacks...) if this is not done already. Regardless of whether the forum software gets the connected IP address from the web server directly or the HTTP environment variable REMOTE_ADDR, both are not necessarily the real source.
  • Danman32 Member Posts: 1,243
    But how would the forum be able to reply to the packet if the source address was spoofed? It doesn't sound possible to complete a TCP connection with a spoofed private source address.
  • Webmaster Admin Posts: 10,292
    Danman32 wrote:
    It doesn't sound possible to complete a TCP connection with a spoofed private source address.
    It would indeed not complete a handshake with a host in the public areas of the Internet. Which is exactly one of the main goals for a malicious individual spoofing the source address in the first place. It would allow one to perform a DoS attack with a single PC by starting, but not completing, numerous TCP connections from seemingly different sources. I actually removed a line from my reply before posting, asking if they used custom forum software, as indeed they would 'normally' not show up in the forums as connected. Nevertheless, that doesn't mean you can trust the IPs that are listed to be authentic. Another goal of the malicious individual could be to target (blame) or spoof an internal host that does have a private IP (which the malicious individual would use as the source IP in spoofed packets). I.e. when only that internal host is allowed to perform certain tasks on the server. Obviously this should not be possible without badly configured systems, but it surely isn't impossible.
  • Danman32 Member Posts: 1,243
    But I thought the reporting mechanism was of connected IPs, not DoS IPs. I couldn't see a forum knowing anything about a spoofed packet without the TCP completing its handshake first.

    Now if the forum had a script in it that ran client-side, then it could pick up the IP of the host running the browser rather than the connection the server sees.
  • Webmaster Admin Posts: 10,292
    I'm not sure what else I could add that would add to the topic and without going into dangerous details, but I'll give it one more shot:
    But I thought the reporting mechanism was of connected IPs, not DoS IPs.
    I don't know what reporting mechanism their forums use. Any software on the server could know what the server knows. It could display all incoming requests on the NIC rather than just clients who successfully complete HTTP/TCP requests. I agree it should not, would be bad design, and ours doesn't, hence why I wondered if they're using some badly designed custom forum software that shows 'everything' (basically netstat info).

    The report mechanism of the forum could also use a logging system, and not directly display the results from the server but what was logged to the database (over the past X minutes). In which case the IP address is 'merely' a field in the database, even less trustworthy (which could be injected/altered regardless of the real source IP, allowing a malicious individual (i.e. spambot) to prevent his real IP from getting banned.)

    The main point is, you cannot just assume information to be authentic just because it 'should' work that way. Dropping private and other reserved networks should be mandatory rules in e.g. Linux's IP tables. If it doesn't solve the real problem, you will at least have considered and excluded it as a possible cause.
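
An added example, not part of any poster's reply and not the forum's own software: a small audit of stored client IPs that flags entries from private or other reserved IPv4 ranges, or entries that are not valid addresses at all, following the point above that the logged IP is only a database field. The `(user, ip)` row layout, the names `classify`, `audit` and `internal_users`, and the sample rows are assumptions constructed for illustration.

```python
import ipaddress

# IPv4 source ranges that should not reach a public-facing server from outside.
NON_PUBLIC = [
    ("10.0.0.0/8", "private"),
    ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("0.0.0.0/8", "reserved"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
]
NETS = [(ipaddress.IPv4Network(cidr), label) for cidr, label in NON_PUBLIC]

def classify(value):
    """Return 'public', a non-public label, or 'malformed' for a logged IP string."""
    try:
        addr = ipaddress.IPv4Address(value.strip())
    except ValueError:  # not a valid dotted-quad IPv4 address
        return "malformed"
    for net, label in NETS:
        if addr in net:
            return label
    return "public"

def audit(rows, internal_users=frozenset()):
    """Flag rows whose stored IP is not a plausible Internet source."""
    findings = []
    for user, ip in rows:
        kind = classify(ip)
        if kind == "public" or (kind == "private" and user in internal_users):
            continue  # expected: public address, or a known LAN account
        findings.append((user, ip, kind))
    return findings

# Constructed sample rows (user, stored IP); not taken from any real forum.
SAMPLE_ROWS = [
    ("alice", "203.0.113.7"),
    ("lan_admin", "192.168.10.5"),
    ("far_user", "10.22.3.4"),
    ("carol", "172.32.0.1"),    # just outside 172.16.0.0/12, so public
    ("bot1", "127.0.0.1"),
    ("bot2", "999.1.1.1"),      # altered field, not a valid address
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS, internal_users={"lan_admin"}):
        print(finding)
```

A flagged row is a reason to check how the forum obtains and stores the address; it does not by itself show where the request came from.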