Bogon sightings


Mills@UDEL.EDU
Tue, 20 Oct 87 20:01:27 EDT


Folks,

A couple of days ago, while working on modifications to some intricate
routing algorithms, a bogus squawk for net 0.0.0.0 escaped our swamps
and landed at the core gateways. The squawker got plugged pretty quick,
but may have uncorked some pretty strange bogons in the process. First,
some hosts, in particular a UTexas dude, began believing the squawker
10.2.0.96 was the gateway to Oz and other wondrous places, so began
sending mail, domain-name requests and other stuff to that address.
All this wouldn't have mattered much, since the squawker should advise
all squawkees via ICMP Unmentionable messages to do otherwise.

Alas, the squawker had a bug which simply accepted all traffic landing
there, rather than refuse or redirect it. That was caught very quick,
you might surmise, but not before a lot of domain-name requests to
the BRL rootservers appeared (!!) and were in fact dutifully answered
correctly. A few mail messages landed also, but were automatically
forwarded to the correct destinations (some recipients are not going to
believe the return path!). All this was pretty embarrassing, but inexplicable,
unless the bogon released and then contained a couple of days ago were
implicated and the implication that 0.0.0.0 was "default to anywhere"
persisted for a surprisingly long time.

Now the good part. Today I saw an RWHOm (UDP port 513) appear at the
squawker with source address 1.1.1.1 and destination 1.0.0.0. Er, ah.

Yoboy. Please send in the UFO team. I thought you might get a chuckle
out of this. Me, I'm somewhere between hilarity and catatonic shock.

Dave


