I thought that the 192.x.x.x IP addresses were supposed to be non-routable on the internet? I get a ton of UDP Packet sig 4000 sub sig 69 from source addresses of 192.x.x.x. They actually just started today. Does anyone know the answer to the 1st question, and maybe someone might know about the UDP Packet sig 4000 sub sig 69 (src port 53 / dest port 69, which leads me to think something wants to do tftp..?)
Actually, 192.168.x.x addresses are private. If the IP addresses are not in this range they are legit. As for the sig 4000, we ran into a similar situation with one of our sites. We had a PIX that was performing PAT, and when we investigated the conn table on the PIX we found that one of the internal boxes got PATed to source port 69 when doing DNS queries. This also lit up our IDS sensor for tftp connections. We were getting hundreds of connections an hour. We killed the connection and watched the conn table again, and that box got PATed to another low-end port <1024 but not 69. That solved our problem.
And what you described about the PIX / pat & the internal box with a source port of 69 - was probably exactly what happened - we got hammered for about 1 1/2 hours & then nothing - so the user probably turned their system off.
192.168.x.x are private addresses, and are not routable on the Internet. However, not routable means that no packet with this address in the destination field will get delivered once it has left your enterprise. There's nothing in the default config of most ISPs or enterprises that prevents the delivery of a packet with a private address as a SOURCE address.
Look at the 12th hop. When their router expires the traceroute packet due to TTL expiration, the router sent us an ICMP type 11 packet notifying us of this and it was addressed with a source address of their router. In this case, it was 192.168.255.252.
You won't be able to address a packet to it as a destination because it is a non-routable address. But nothing except a border router's ingress ACL will filter it, and most enterprises don't put such filters in place. No major ISP that I know of will filter an RFC1518 address when it is the *SOURCE* address.
I had to use a public traceroute server because we do filter inbound packets. :-)
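The two points made in this thread (private source addresses reach you unless an ingress ACL drops them, and a DNS reply landing on a PATed source port 69 looks like TFTP to the IDS) can be checked mechanically at triage time. The following is an added example, not code from any poster or from Cisco; it assumes a simplified, constructed log format of `PROTO src:port -> dst:port` rather than the real sensor's output, and it uses its own RFC1918 list instead of Python's `is_private` (which also counts the documentation ranges used here as sample public addresses).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample lines (assumed format, not real IDS output).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for public addresses; 192.168.255.252 stands in for the spoofed/private source.
SAMPLE_LOG = """\
UDP 192.168.255.252:53 -> 203.0.113.10:69
UDP 198.51.100.7:53 -> 203.0.113.10:69
UDP 198.51.100.7:4444 -> 203.0.113.10:69
UDP 10.1.2.3:1234 -> 203.0.113.10:53
"""

# RFC1918 space only: this is what an ingress ACL on the border router
# would drop when it appears as a SOURCE address on the outside interface.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line: str) -> Packet:
    """Parse one constructed 'PROTO src:port -> dst:port' line."""
    proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Packet(
        proto,
        ipaddress.ip_address(src_ip),
        int(src_port),
        ipaddress.ip_address(dst_ip),
        int(dst_port),
    )


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918_NETS)


def classify(pkt: Packet) -> list[str]:
    """Return triage tags for a packet seen on the outside interface."""
    tags = []
    if is_rfc1918(pkt.src):
        # Private source arriving from the Internet: should never pass an
        # ingress ACL; either spoofed or a misconfigured upstream device.
        tags.append("private-source")
    if pkt.proto == "UDP" and pkt.dport == 69:
        if pkt.sport == 53:
            # Reply from a DNS server to our port 69: this is the PAT
            # collision described in the thread, not a TFTP session.
            tags.append("dns-reply-to-pat-port-69")
        else:
            tags.append("possible-tftp")
    return tags


def triage(log: str) -> list[tuple[str, list[str]]]:
    """Classify every non-empty line of the log."""
    return [(ln, classify(parse_line(ln))) for ln in log.splitlines() if ln.strip()]


if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LOG):
        print(f"{line:45s} {', '.join(tags) or 'ok'}")
```

The first sample line carries both tags: a private source that an ingress ACL should have dropped, and the port-53-to-port-69 pattern that explains why the TFTP signature fired. The fix on the PAT side is what the earlier reply describes (clear the translation so the host is assigned a different port); the fix on the border is an inbound ACL denying RFC1918 sources, which is also what keeps the first line from reaching the sensor at all.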