My webapp received a request from 10.18.255.249 (but the 10.0.0.0/9 CIDR block is reserved) according to https://www.arin.net/knowledge/rfc/rfc1918.txt.

How is this even possible?

A: 

I think it is a forged request; this kind of IP is not routable over the Internet. Some Linux kernels report them as "alien traffic".

It may be some kind of bot performing a DoS or DDoS, because only the Web request matters, not the response.

Laurent Etiemble
This is incredibly unlikely. Attempting to spoof a TCP connection is as difficult as guessing the exact initial sequence number of the server's SYN+ACK packet (which the attacker will never see). The web server's accept() call will not return until the connection has fully established, so would never log anything about a single spoofed SYN packet.
jdizzle
A: 

It's certainly possible; net 10 is a private address space, for networks internal to organisations. Sometimes net 10 addresses leak out in various places in upper layer protocols. It is even possible that there is a net 10 inside your hosting facility, and it's actually for real rather than a mistake.

Andrew McGregor
+2  A: 

10.0.0.0/8 is reserved for internal private networks. If you are in a corporate environment, IP addresses will frequently be handed out in this range.

While they're not supposed to go out over the internet, big companies will have packets using that range flying all over the place.

If you're receiving this in a hosted environment (i.e., your web app faces the internet), it's possible that your hosting provider is hitting your page. I've seen this happen with performance monitoring tools that were installed to monitor service level agreements.

paxdiablo
A: 

The request is probably coming from inside the network of wherever your box is and not from the internet. Ask your hosting provider about what NATed network blocks are in their network.

jdizzle
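
To find out which requests reach a web app from RFC 1918 space before asking the hosting provider about them, the following is an added example, not code from any poster in this thread. It checks each source address against the three RFC 1918 blocks and counts hits per address; the log lines are constructed samples and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.18.255.249 - - [01/Jan/2010:10:00:00 +0000] "GET /status HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 2048
10.18.255.249 - - [01/Jan/2010:10:05:00 +0000] "GET /status HTTP/1.1" 200 512
172.32.0.5 - - [01/Jan/2010:10:06:00 +0000] "GET / HTTP/1.1" 200 2048
192.168.1.20 - - [01/Jan/2010:10:07:00 +0000] "GET /login HTTP/1.1" 302 0
not-an-ip - - [01/Jan/2010:10:08:00 +0000] "GET / HTTP/1.1" 400 0
"""

def rfc1918_block(addr):
    """Return the RFC 1918 network containing addr, or None if outside."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    for net in RFC1918:
        if ip.version == 4 and ip in net:
            return net
    return None

def private_sources(log_text):
    """Count requests per private source, keyed by (address, block)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            block = rfc1918_block(fields[0])
        except ValueError:
            continue  # first field is not an IP address; skip the line
        if block is not None:
            hits[(fields[0], str(block))] += 1
    return hits

if __name__ == "__main__":
    for (addr, block), n in private_sources(SAMPLE_LOG).most_common():
        print(f"{addr:15} {block:16} {n} request(s)")
```

Note that 172.32.0.5 is not counted, since 172.16.0.0/12 ends at 172.31.255.255. Repeated hits from one private address on the same path are consistent with the provider-side monitoring described in the answers above.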