[funsec] Interesting routes, info appreciated....

[der Mouse]

> I see in my log files that I get probed from 119.161.130.75 on an
> almost hourly basis (make dumb joke here), udp port scans, brute
> force password attempts, nothing to out of the ordinary which is why
> I ask help from the funsec community.

Sounds like a good candidate for border router blocking.  But that
wasn't what you were asking....

> Check out this log and tell me what is going on here.

> Hop 12 is the handoff from Sprint to China net.

Everything past this point is of questionable reliability, at best.

> Hop 22 is a static route provided by GE with an IP of 3.3.3.2
> Hop 23 is DoD Experimental IP space
> Hop 24 is the host harassing me.

> Why would I see a static route from GE here and then DoD IP space?  I
> am just curious as I think this is a strange path to get to the host
> that resides at hop 24.

Because someone in Chinanet is (ab)using 3/8 and 6/8 as if they were
RFC1918 space, would be my guess.  Back when I was still bothering to
actively fight network abuse, Chinanet was one of the worst offenders,
one of the first I blanket-blocked.

If the net were run by people who cared more about having a
well-functioning net than something else (lining their own pockets
would be my guess, but I don't actually know), Chinanet would long ago
have been kicked off the net (or at least threatened with it; if the
threat of penalties were credible, it might work).

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse at rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B