Network weirdness

anonymous234

The facts:

• Main router has address 192.168.0.1
• All devices I tried (including the current computer) have address = 192.168.0.X , netmask= 255.255.255.0
• Mystery rogue router seems to be on 192.168.1.1. Responds to HTTP, HTTPS, FTP and telnet, though I can't get in with any password I've tried.
• Here comes the weird part. I've anonymized the IPs slightly:

~# traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  gateway (192.168.0.1)  0.854 ms  2.058 ms  3.758 ms
 2  static-10-X-X-87.ipcom.comunitel.net (87.X.X.10)  21.922 ms  22.991 ms  24.527 ms
 3  10.X.X.14 (10.X.X.14)  25.836 ms  27.886 ms  29.112 ms
 4  static-82-X-X-217.ipcom.comunitel.net (217.X.X.82)  40.360 ms  41.382 ms  42.183 ms
 5  * * *
 6  * * *
etc...

• Comunitel.net seems to be a owned by Vodafone, my current provider. The ping times are within what the wi-fi latency seems to be now. But why the hell am I seeing an external IP and a 10.x.x.x IP there? Is my local network leaking into the slightly-less-local-network or something?
• None of those IPs are my IP either, though it's also in the 87.X block.

e4tmyl33t

Do you have a combination modem/router or separate devices?

devjoe

@anonymous234 My first guess is that comunitel is misconfigured so that you are seeing parts of other people's local networks.

izzion

@anonymous234

Well, it's not that uncommon for ISPs to use RFC1918 addresses for internal network devices / routing hops -- at this point "public" addresses are actually pretty seriously scarce, so switching to "private" addresses for the infrastructure devices and only using "public" addresses for customers is the first step to keep things running (then you get into Carrier Grade NAT, and all sorts of more ugly beyond that, since IPv6 is still pretty high on the scary list)

I'm not familiar with Vodafone's connectivity situation, but making a guess at it from BGPlay, it looks like the AS your connectivity is in gets nearly all of it's connections from a single upstream AS that's Vodafone UK. My guess is there's probably a device that's plugged in wrong at the CO and it's "routeable" onto the core network by mistake, so your traffic gets there and sees the link and routes over to it.

Not really anything harmful, per se. Just more of an indication of why DNS amplification attacks occur - ISPs don't set up their "customer edge" equipment to filter IPs and drop traffic from unexpected / invalid IPs (which in the DNS amplification attack situation allows for forged traffic from the attacker to look like it's coming from the victim, causing an innocent 3rd party to bombard the victim with packets).

fbmac

@izzion Someone should start a hosting service that is cheaper if you accept it to have only ipv6 addresses, to kick-start it's adoption

izzion

@fbmac
The problem is, there's generally no way for an IPv4 client to access services on the IPv6 Internet. It just wasn't engineered for that sort of cross-compatibility. There are ways for IPv6 clients to access IPv4 resources, but they're generally some sort of tunneling solution and/or Carrier Grade NAT.

Basically, the rocket surgeons that invented IPv6 figured that the easy part would be getting end user connectivity changed, and the hard part would be getting hosted services converted, so that's the direction they implemented "backwards compatibility". And so we're stuck in this never-never land where many key Internet services are maintaining both IPv4 and IPv6 services, and end-users can't get upgraded because their ISP's backbone or their own home router equipment doesn't support it, so the IPv6 rollout can't churn on.

(In all actuality, the problem will likely solve itself within the next 3-5 years - equipment that's old enough to not support IPv6 is old enough it's starting to fail en masse. But that doesn't change the IPv4 realities of the present.)

anonymous234

Oh my....

So, 192.168.1.1 and 192.168.1.2 appear to be identical routers (possibly the same one). Then there's 192.168.1.200:

Host is up (0.028s latency).
Not shown: 996 filtered ports
PORT    STATE  SERVICE  VERSION
25/tcp  open   smtp     Microsoft Exchange smtpd
| smtp-commands: SRVMAIL.[companyname].local Hello [87.X.X.X], SIZE, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH NTLM, X-EXPS GSSAPI NTLM, 8BITMIME, BINARYMIME, XEXCH50, XRDST, XSHADOW, 
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT 
| ssl-cert: Subject: commonName=ssl.[companyname].com/organizationName=[long company name]/stateOrProvinceName=[province name]/countryName=ES
| Issuer: commonName=FortiGate CA/organizationName=Fortinet/stateOrProvinceName=California/countryName=US

[...]

113/tcp closed ident
443/tcp open   ssl/http Microsoft IIS httpd 7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| ssl-cert: 	[same company details]
993/tcp open   ssl/imap Microsoft Exchange 2007-2010 imapd
|_imap-capabilities: AUTH=PLAIN AUTH=NTLM IMAP4rev1 IMAP4 AUTH=GSSAPI CAPABILITY OK CHILDREN LITERAL+A0001 IDLE NAMESPACE UIDPLUS completed
| imap-ntlm-info: 
|   DNS_Domain_Name: [companyname].local
|   DNS_Computer_Name: SRVMAIL.[companyname].local

[...]

Device type: firewall|general purpose
Running (JUST GUESSING): Fortinet embedded (92%), Linux 2.6.X (88%)
OS CPE: cpe:/h:fortinet:fortigate_100d cpe:/o:linux:linux_kernel:2.6
Uptime guess: 22.074 days (since Tue Feb 14 17:52:22 2017)
Network Distance: 5 hops

Where [company] is a food company operating 12 km away. And https://192.168.1.200/ shows the default IIS7 page. Not sure if I want to mess with their email server (or how to do that), so I won't.

izzion

@anonymous234
Yeah, that's falling into the realm of don't mess with that.

I'd probably see if their website has a contact form for their IT deparment, or maybe just let your ISP know you're seeing it and let them handle contacting the customer. But if they're announcing that route out into the ISP's network and the ISP's network is accepting it, that's probably something they're going to want to fix.

Edit: Also, if you're still running port scanner type software against the 192.168.1.0/24 network, I strongly recommend stopping ASAP. IANAL, and especially not one in Spain, but horror stories abound here in the US about people getting charged under Computer Fraud & Abuse statutes for doing that sort of "unrequested penetration testing" of other people's networks, even if they're doing it in a white-hat fashion and reporting their results to the company.

accalia

@izzion said in Network weirdness:

Edit: Also, if you're still running port scanner type software against the 192.168.1.0/24 network, I strongly recommend stopping ASAP. IANAL, and especially not one in Spain, but horror stories abound here in the US about people getting charged under Computer Fraud & Abuse statutes for doing that sort of "unrequested penetration testing" of other people's networks, even if they're doing it in a white-hat fashion and reporting their results to the company.

Some companies have sued people for hacking when their networks get compromised or misconfigired in @anonymous234's case, and the pserson kin @anonymous234's position was doing basic diagnostic steps to figure out wtf was going on....

people sue people for crazier shit every day...... but yeah that's a pretty nasty statute to prosecute on.

fbmac

@accalia It doesn't help that he is @anonymous234 , as in "our company is being hacked by anonymous"

accalia

@fbmac said in Network weirdness:

@accalia It doesn't help that he is @anonymous234 , as in "our company is being hacked by anonymous"

QFAD

fbmac

@accalia I wouldn't delete that one

accalia

@fbmac said in Network weirdness:

@accalia I wouldn't delete that one

just being extra sure. ;-)

also it's true so i got to make the QFT joke

anonymous234

@izzion Well, I'm not scanning anything else, (although it does make me wonder if there are other "internal" networks accessible this way...) I really assumed it was someone on my Wi-Fi at first but I guess that's better.

I realized now that if the router's network mask is set to 192.168.0.x, I shouldn't be able to see local devices in that address anyway, because the router wouldn't send the packets to them. I think?

Also, if there's no one stealing my broadband... then I guess it means my internet is just shitty today.

PleegWat

@anonymous234 said in Network weirdness:

Also, if there's no one stealing my broadband... then I guess it means my internet is just shitty today.

Well, I guess you could always do some packet sniffing.

fbmac

@anonymous234 said in Network weirdness:

I realized now that if the router's network mask is set to 192.168.0.x, I shouldn't be able to see local devices in that address anyway, because the router wouldn't send the packets to them. I think?

If your router has a route for them, I think it will, and weirdly it looks like it has, because you can trace route there

izzion

@fbmac
Nah, it could very easily be that his router is sending to its default gateway (87.X.X.10), and then Comunitel's network does have a route to 192.168.1.0/24, so it's routing the traffic there. And since Comunitel isn't filtering RFC1918 addresses from entering / exiting its backbone, the traffic is completed, and returns to @anonymous234 just fine since the source address of his packet gets NAT'd to the external interface of his router, so the target system knows a routeable IP address to respond to.