Internet Storm Center

Monday, September 13th was generally quiet. SSH probes, telnet
probes, and phishing web sites continue to show up as common themes.

One individual pointed out some problems in the .ws top-level
domain. While some domains themselves resolved, there did not appear to
be any nameservers for the .ws TLD. The problem is now resolved.

One common problem we encounter are Voice over IP (VoIP) and
other audio applications that open audio streams. These tend to use a
steady, if not large, amount of bandwidth. The directory lookup
feature, especially in Skype, tends to be rather noisy - I personally
forgot Skype was running at one point and was alarmed at the number of
outgoing connection attempts on my network wire.

Skype: http://www.skype.com
Vocaltec: http://www.vocaltec.com
RealAudio: http://www.real.com

One question came in from a user about IP addressing. In IPv4,
here are the network addresses that shouldn't show up on your network
cable:

127.0.0.0/8
This is legal on the loopback interface, though.

224.0.0.0/4
Illegal as a source address, or as a destination address for
anything but udp or igmp.

240.0.0.0/4
Although 255.255.255.255 is occasionally used as a legal
destination.

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
These are reserved for internal use. They shouldn't show up as
the source or destination address of packets crossing the Internet.

The last block of illegal addresses are the "bogon" networks; IP
address blocks that have not been allocated. This list changes as new
IP blocks are handed out, so it's best to get these from a source from here:
http://www.cymru.com/Documents/bogon-bn-agg.txt
Finally, Mark Cooper will be leaving the handler's team. On
behalf of the team, thank you, Mark, for taking part.

---- Handler on duty, William Stearns wstearns@pobox.com
http://www.stearns.org/ (security papers and tools)