Requests from non-routable IPs


#1

Hi all,

I have just joined the NTP pool with my first server and I have noticed in my firewall logs that I’m getting a fair number of NTP requests from the ranges 192.168.0.0/16, 10.0.0.0/8 and 100.64.0.0/10 on my WAN interface.

I’m curious whether that’s normal or not and if yes does anyone know what causes it? Is it just poorly configured routers not rewriting the source IP field or what’s going on?

/Andreas


#2

Hi Andreas,

I’m curious whether that’s normal

Definitely not normal. A provider would never forward packets out of the RFC1918 range to you.
Are these IP numbers 192.168.0.0/16, 10.0.0.0/8 and 100.64.0.0/10 addresses from your LAN?

// Hans


#3

No, they are most definitely not from my LAN. For example I got a burst of requests from the 192.168.113.0/24 range but my LAN is only on the range 192.168.0.0/24.

Right at this moment I’m also getting a few from 10.121.57.130 and more than a few from 100.89.0.0/16 which is, at least according to Wikipedia, supposed to be part of a block reserved for carrier-grade NAT.

And again this is all logged as inbound requests on my WAN interface.

Edit:
Regarding the carrier NAT IPs, my ISP actually does utilize that, but I have bought a proper routable IP since otherwise I wouldn’t be able to host servers at all. I have also never seen packets with these kinds of source IPs before now and all of them are for UDP port 123.

Edit2:
This is what my firewall log looks like right now, filtered to only show blocks for requests to port 123.
https://pastebin.com/GEgz9s9G

I’m wondering more and more if this is somehow caused by my ISP and it using carrier NAT. Is it somehow possible that devices from other customers at this ISP using the NTP pool are being routed to my WAN using their internal carrier NAT’d IP instead of the shared WAN IP? Don’t know if that makes sense, I am by no means a networking expert.

/Andreas


#4

It depends on what you mean by normal. :smiley:

Is it valid? No.

Do Pool clients send a cornucopia of invalid traffic? You betcha.

I don’t think there’s any reason to believe you or your ISP are doing anything wrong. It’s possible, but my servers have always received similar traffic, so it’s probably “legitimate” bogus traffic from real clients.

I don’t know what causes it. I’d guess broken NAT configurations, but who knows.


#5

Hi Andreas,

My personal feeling is something goes wrong at your ISP. Historically, NAT for UDP was always a problem and obviously it is still an issue.

I would contact the ISP, even if the possibility is small that he can change something immediately. Tell him that you are receiving IP addresses out of the RFC1918 block.

// Hans


#6

@mnordhoff
Normal was maybe a poor choice of word, common is probably more accurate. :slight_smile:

I was expecting some junk traffic, I was just surprised by the frequency and how much of it was coming from the same block (100.64.0.0/10). But good to know I’m not alone here. :smiley:

@HansMayer
I tried doing a trace on one of the IPs and to me it looked like it was being routed internally at my ISP but I’m not certain.
So I think I’ll send my ISP a mail although I don’t have high confidence it will reach someone who knows what I’m talking about.

/Andreas


#7

Some months ago, for the first time, and from then on persistently, in my home network connected through ADSL, I noticed a lot of ARP packets like these:
13:16:47.067650 arp who-has 10.16.139.114 tell 10.16.128.1
(My internal networks are 192.168.1, 172.16 and 172.17.) I get around 5 to 10 such ARP requests per second for the same and different 10.16 addresses. None of those are reachable by traceroute, though all traces pass out of my home towards the ISP and get to their first router.

There is no public time server in my home (I keep them as physical machines on the academic research network), but the 10.xx.xx.xx range should not come into my home!

Why is my ISP expecting that my home network could know where these addresses are, or why is my ADSL modem/router passing them inside?

It may or may not be something which is similar to your situation…


#8

That doesn’t mean the original packets were generated within your ISP, though.

People on the other side of the world could be using private IPs that, by coincidence, your ISP also uses.

Edit: The TTLs on the incoming packets could help suggest how far they’ve traveled. Not well, though.


#9

Ahh yes, good point.

I have a friend who is on the same ISP but doesn’t have a static WAN IP. I’m thinking that if I could send some UDP packets from his connection I should be able to see what the source IP is on them.


#10

Hi Folks,

Just joined and spotted this thread!

The Internet and ISPs will route RFC 1918 addresses. One of the things a good Internet operator does in this case is simply put rules in your firewall to block all inbound RFC1918 address space.

I recommend doing this to stop the inbound accesses and then check the success or deny of the traffic to confirm.

This protects you no matter where the packets came from on the Internet, including your ISP.
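As an added example, not code from the thread or from anyone posting in it: a small Python script that classifies inbound UDP/123 sources from a firewall log against the RFC 1918 and carrier-grade NAT ranges the posts mention, so you can quantify the traffic (and see the TTLs post #8 refers to) before deciding on the WAN block rule suggested above. The key=value log format, the WAN address 203.0.113.10 and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter
# Non-routable source ranges discussed in the thread: RFC 1918 private space
# and the RFC 6598 carrier-grade NAT block (constructed table, extend as needed).
BOGON_RANGES = {
    "RFC1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "CGNAT 100.64/10": ipaddress.ip_network("100.64.0.0/10"),
}

# Constructed sample log lines in a hypothetical key=value format; 203.0.113.10
# stands in for the WAN address and the sources mirror the ranges in the thread.
SAMPLE_LOG = [
    "13:16:47 proto=UDP src=192.168.113.7:123 dst=203.0.113.10:123 ttl=62",
    "13:16:48 proto=UDP src=100.89.4.21:38211 dst=203.0.113.10:123 ttl=63",
    "13:16:48 proto=UDP src=100.89.200.3:123 dst=203.0.113.10:123 ttl=61",
    "13:16:49 proto=UDP src=10.121.57.130:123 dst=203.0.113.10:123 ttl=54",
    "13:16:50 proto=UDP src=198.51.100.9:51234 dst=203.0.113.10:123 ttl=49",
    "13:16:51 proto=UDP src=10.5.5.5:4000 dst=203.0.113.10:53 ttl=60",
]

def classify_source(ip_str):
    """Return the bogon range label for a source address, or None if routable."""
    ip = ipaddress.ip_address(ip_str)
    return next((label for label, net in BOGON_RANGES.items() if ip in net), None)

def parse_log_line(line):
    """Parse the key=value fields; return (src_ip, dst_port, ttl) or None."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        src_ip = fields["src"].rsplit(":", 1)[0]
        return src_ip, int(fields["dst"].rsplit(":", 1)[1]), int(fields["ttl"])
    except (KeyError, ValueError):
        return None

def summarize_ntp_bogons(lines):
    """Count inbound UDP/123 hits per bogon range and collect the TTLs seen per
    range (post #8's rough hint of how far the packets have travelled)."""
    counts, ttls = Counter(), {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None or parsed[1] != 123:
            continue  # unparsable line or not an NTP request
        label = classify_source(parsed[0])
        if label is None:
            continue  # routable source: an ordinary pool client
        counts[label] += 1
        ttls.setdefault(label, set()).add(parsed[2])
    return counts, ttls
```

Feed it your own exported log after adapting parse_log_line to your firewall's format; a range that dominates the counts is the one worth raising with the ISP.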