Discussion:
Rogue DHCP server?
BP
2005-07-10 17:54:10 UTC
I'm in Scripps Ranch and seem to be seeing someone running a DHCP
server with an address of 10.76.128.1. This IP address also shows up
in my IDS logs as trying to access my network over 800 times since
May.

Does anyone know if this is a valid RR server?

BP
Darren New
2005-07-10 18:05:13 UTC
Post by BP
I'm in Scripps Ranch and seem to be seeing someone running a DHCP
server with an address of 10.76.128.1. This IP address also shows up
in my IDS logs as trying to access my network over 800 times since
May.
Does anyone know if this is a valid RR server?
10.* is an unroutable address. In theory, that address has to be coming
from inside your own network. It should be able to go from RR's network
thru the modem and vice versa. I.e., it sounds like your modem itself.

Are you plugged into some sort of router/NAT/wireless whatever, or
directly into the modem?
--
Darren New / San Diego, CA, USA (PST)
The samba was clearly inspired
by the margarita.
BP
2005-07-12 17:50:29 UTC
Yes, I know it's nonroutable, which is why I am puzzled. BTW, I have
a hardware firewall and a wireless access point both of which are as
secure as you can set up.

More details:

In configuring a new wireless laptop, I apparently got on to another
unprotected network. After running ipconfig, I wondered why the
assigned address was not on my private network. So I did tracert
to 24.25.195.2 to see if I had broken something on my network or
otherwise screwed up my network gear.

To my surprise, I found a hop of 10.76.128.1 in the mix. I realized
I was not on my network and reset my wireless nic to my net. A few
days later, I noticed there were entries in my logs from the
10.76.128.1 address from even before I accidentally was on the other
wireless net. Humm...

I changed cable modems sometime during all of this and had to run the
install directly from my other computer without the firewall in the
mix and what do you know? ipconfig showed that my dhcp server was,
tada, 10.76.128.1!

Soo, I went back on the other wireless net, went to GRC.com to log the
ip address, and went to the cable modem's interface and screen captured
the data there for future reference.

I am really getting the feeling someone is doing something phishy.

What do you think? Time to get RR involved or am I being paranoid?

BP
Post by Darren New
Post by BP
I'm in Scripps Ranch and seem to be seeing someone running a DHCP
server with an address of 10.76.128.1. This IP address also shows up
in my IDS logs as trying to access my network over 800 times since
May.
Does anyone know if this is a valid RR server?
10.* is an unroutable address. In theory, that address has to be coming
from inside your own network. It should be able to go from RR's network
thru the modem and vice versa. I.e., it sounds like your modem itself.
Are you plugged into some sort of router/NAT/wireless whatever, or
directly into the modem?
Purple Moose
2005-07-13 06:12:35 UTC
Post by BP
I changed cable modems sometime during all of this and had to run the
install directly from my other computer without the firewall in the
mix and what do you know? ipconfig showed that my dhcp server was,
tada, 10.76.128.1!
Soo, I went back on the other wireless net, went to GRC.com to log the
ip address, and went to the cable modem's interface and screen captured
the data there for future reference.
If you can get onto someone else's net, I seriously doubt they're smart
enough to do anything to you. Just out of curiosity, I stuck that IP into
a Google search. I found one guy's posted traceroute on BroadBandReports.
It looks kind of inside out to me because the rr.com IP comes first and
THEN your same IP. That looks to me like something internal to
Roadrunner. Sounds like you're both on RR. Maybe it's another router
doing DHCP itself?

1 1 ms 1 ms 1 ms cpe-66-74-206-220.san.res.rr.com [66.74.206.220]
2 9 ms 9 ms 10 ms 10.76.128.1
3 6 ms 7 ms 7 ms srsdca1-rtr1-ge2-2.san.rr.com [24.25.192.50]
4 11 ms 31 ms 63 ms WCSDCA1-GSR3-SRP0.san.rr.com [24.25.196.2]
5 28 ms 11 ms 11 ms so-0-0-0-0.gar1.SanDiego1.Level3.net [209.0.8.1]
--
Purple Moose
Remove the dash to reply
Darren New
2005-07-13 15:27:51 UTC
Post by Purple Moose
If you can get onto someone else's net, I seriously doubt they're smart
enough to do anything to you.
You might want to look up the expression "Honeypot."
--
Darren New / San Diego, CA, USA (PST)
The samba was clearly inspired
by the margarita.
Purple Moose
2005-07-15 20:45:34 UTC
Post by Darren New
You might want to look up the expression "Honeypot."
Har! I know what they are. I seriously doubt someone is running one off a
RR residential wireless ip.
--
Purple Moose
Remove the dash to reply
BP
2005-07-13 15:56:15 UTC
OK, I appreciate your input. Appears that there is nothing to worry
about.

BP

On Wed, 13 Jul 2005 06:12:35 GMT, Purple Moose
Post by Purple Moose
Post by BP
I changed cable modems sometime during all of this and had to run the
install directly from my other computer without the firewall in the
mix and what do you know? ipconfig showed that my dhcp server was,
tada, 10.76.128.1!
Soo, I went back on the other wireless net, went to GRC.com to log the
ip address, and went to the cable modem's interface and screen captured
the data there for future reference.
If you can get onto someone else's net, I seriously doubt they're smart
enough to do anything to you. Just out of curiosity, I stuck that IP into
a Google search. I found one guy's posted traceroute on BroadBandReports.
It looks kind of inside out to me because the rr.com IP comes first and
THEN your same IP. That looks to me like something internal to
Roadrunner. Sounds like you're both on RR. Maybe it's another router
doing DHCP itself?
1 1 ms 1 ms 1 ms cpe-66-74-206-220.san.res.rr.com [66.74.206.220]
2 9 ms 9 ms 10 ms 10.76.128.1
3 6 ms 7 ms 7 ms srsdca1-rtr1-ge2-2.san.rr.com [24.25.192.50]
4 11 ms 31 ms 63 ms WCSDCA1-GSR3-SRP0.san.rr.com [24.25.196.2]
5 28 ms 11 ms 11 ms so-0-0-0-0.gar1.SanDiego1.Level3.net [209.0.8.1]
relic
2005-07-10 18:06:20 UTC
Post by BP
I'm in Scripps Ranch and seem to be seeing someone running a DHCP
server with an address of 10.76.128.1. This IP address also shows up
in my IDS logs as trying to access my network over 800 times since
May.
Does anyone know if this is a valid RR server?
BP
It's a Private LAN IP Address. See RFC 1918.
http://www.faqs.org/rfcs/rfc1918.html
David Rees
2005-07-13 08:38:54 UTC
Post by BP
I'm in Scripps Ranch and seem to be seeing someone running a DHCP
server with an address of 10.76.128.1. This IP address also shows up
in my IDS logs as trying to access my network over 800 times since
May.
Does anyone know if this is a valid RR server?
Yes, RR uses private networks for some of its servers. Traceroutes for me
run through 10.73.0.1.

$ traceroute -n www.google.com
traceroute: Warning: www.google.com has multiple addresses; using
66.102.7.104
traceroute to www.l.google.com (66.102.7.104), 30 hops max, 38 byte packets
1 10.73.0.1 12.896 ms 10.072 ms 10.722 ms
2 24.25.192.110 9.829 ms 10.683 ms 7.173 ms
3 24.25.196.1 20.349 ms 11.966 ms 11.953 ms
4 24.25.193.2 9.914 ms 10.751 ms 11.457 ms
5 209.0.8.1 14.281 ms 37.164 ms 12.210 ms
6 4.68.113.93 23.052 ms 22.024 ms 15.169 ms
7 209.247.9.114 24.115 ms 4.68.128.157 27.962 ms 209.247.9.114 34.911
ms
...

-Dave
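Darren's point that 10.* cannot arrive from outside, relic's RFC 1918 pointer and Dave's trace all come down to one check: where an RFC 1918 hop sits relative to your own address. The Python below is an added example, not code posted by anyone in this thread; it parses the two traceroute formats quoted here and labels each private hop, and the local addresses it feeds in are constructed assumptions.

```python
import ipaddress
import re

# The three RFC 1918 blocks relic's reply points to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_rfc1918(addr: str) -> bool:
    """True if addr lies in 10/8, 172.16/12 or 192.168/16."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_hops(output: str) -> list[tuple[int, list[str]]]:
    """(hop number, [addresses]) from Windows tracert or Unix traceroute -n
    output; banner lines lack a leading hop number and are skipped."""
    hops = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        addrs = list(dict.fromkeys(IPV4_RE.findall(line)))  # dedupe, keep order
        if m and addrs:
            hops.append((int(m.group(1)), addrs))
    return hops

def locate_private_hops(output: str, local_ip: str) -> list[tuple[int, str, str]]:
    """Label each RFC 1918 hop.  With a public local address no NAT is in front
    of us, so every private hop is the ISP's (10.73.0.1, 10.76.128.1 here); behind
    a private address hop 1 is our gateway and later private hops are upstream."""
    behind_nat = is_rfc1918(local_ip)
    findings = []
    for hop, addrs in parse_hops(output):
        for a in addrs:
            if not is_rfc1918(a):
                continue
            if not behind_nat:
                side = "ISP side"
            else:
                side = "your gateway" if hop == 1 else "upstream of your gateway"
            findings.append((hop, a, side))
    return findings

# Hops quoted in this thread (Windows tracert and Unix traceroute formats).
TRACE_BP = ("1 1 ms 1 ms 1 ms cpe-66-74-206-220.san.res.rr.com [66.74.206.220]\n"
            "2 9 ms 9 ms 10 ms 10.76.128.1\n")
TRACE_DAVE = ("traceroute to www.l.google.com (66.102.7.104), 30 hops max, 38 byte packets\n"
              "1 10.73.0.1 12.896 ms 10.072 ms 10.722 ms\n")
# Constructed trace (not from the thread): a host behind a home NAT router.
TRACE_NAT = "1 192.168.1.1 0.5 ms 0.4 ms 0.4 ms\n2 10.76.128.1 9.2 ms 9.9 ms 10.0 ms\n"
if __name__ == "__main__":  # local addresses below are constructed assumptions
    for trace, local in ((TRACE_BP, "66.74.206.220"), (TRACE_DAVE, "24.25.193.77"),
                         (TRACE_NAT, "192.168.1.23")):
        print(locate_private_hops(trace, local))
```

A private hop that shows up after a public one, as in both posted traces, is on the provider's side of the modem and cannot be a box on your own LAN; only a hop 1 private address seen from a privately addressed host is yours to inspect.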
BP
2005-07-13 15:37:53 UTC
On Wed, 13 Jul 2005 08:38:54 GMT, "David Rees"
Post by David Rees
Post by BP
I'm in Scripps Ranch and seem to be seeing someone running a DHCP
server with an address of 10.76.128.1. This IP address also shows up
in my IDS logs as trying to access my network over 800 times since
May.
Does anyone know if this is a valid RR server?
Yes, RR uses private networks for some of its servers. Traceroutes for me
run through 10.73.0.1.
$ traceroute -n www.google.com
traceroute: Warning: www.google.com has multiple addresses; using
66.102.7.104
traceroute to www.l.google.com (66.102.7.104), 30 hops max, 38 byte packets
1 10.73.0.1 12.896 ms 10.072 ms 10.722 ms
2 24.25.192.110 9.829 ms 10.683 ms 7.173 ms
3 24.25.196.1 20.349 ms 11.966 ms 11.953 ms
4 24.25.193.2 9.914 ms 10.751 ms 11.457 ms
5 209.0.8.1 14.281 ms 37.164 ms 12.210 ms
6 4.68.113.93 23.052 ms 22.024 ms 15.169 ms
7 209.247.9.114 24.115 ms 4.68.128.157 27.962 ms 209.247.9.114 34.911
ms
...
-Dave
OK, thanks Dave. I appreciate it.
stevech
2005-07-14 05:28:10 UTC
I would imagine that all of a region's routers and managed switches are in
net 10.
I had to correct spelling in subject - it was driveng mi crasy