What's a subnet mask, anyway...? (IWETHEY thread)
One point to note. - (Steven A S)
If the firewall is poorly set up so that it just checks the IP address of an incoming packet to determine whether it's local or not, it can be "spoofed" by a computer on the external network claiming to be local. Class A, B, and C IP addresses are for use only with private networks. They should never be seen on the internet, so if your firewall receives a packet from a computer in one of these ranges, it's likely an attempt to hack it.

This problem is easily defeated by configuring the firewall to ensure these IP addresses are only accepted on the local interface.

Other addresses to watch for are Class D Multicast IP addresses, Class E Reserved Addresses, and the Loopback address. These shouldn't be accepted either.

Note this is primarily a concern for connecting a private network to the internet. When connecting two friendly private networks you may not need to be this concerned.

Class      Subnet Mask      IP Addresses
Class A    255.0.0.0        10.0.0.0 to 10.255.255.255
Class B    255.255.0.0      172.16.0.0 to 172.31.255.255
Class C    255.255.255.0    192.168.0.0 to 192.168.255.255
Class D    Multicast        224.0.0.0 to 239.255.255.255
Class E    Reserved         240.0.0.0 to 247.255.255.255
Loopback   localhost        127.0.0.1

~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton
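A small source-address check in the spirit of the post, added here as an example (not Steven's code): it takes the ranges from the table above and decides, per interface, whether a packet's source should be accepted. The interface names ext0/lan0 and the log lines are assumed and constructed.

```python
import ipaddress

# Address ranges from the table in the post above; Class E is kept as the table
# gives it (240.0.0.0 to 247.255.255.255, i.e. a /5).
PRIVATE = {
    "Class A private": ipaddress.ip_network("10.0.0.0/8"),
    "Class B private": ipaddress.ip_network("172.16.0.0/12"),
    "Class C private": ipaddress.ip_network("192.168.0.0/16"),
}
NEVER_VALID_SOURCE = {
    "Class D multicast": ipaddress.ip_network("224.0.0.0/4"),
    "Class E reserved": ipaddress.ip_network("240.0.0.0/5"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
}
EXTERNAL_IFACE = "ext0"   # assumed name of the internet-facing interface

def classify(src):
    """Return the suspect-range label for a source address, or None if ordinary."""
    addr = ipaddress.ip_address(src)
    for label, net in {**PRIVATE, **NEVER_VALID_SOURCE}.items():
        if addr in net:
            return label
    return None

def verdict(iface, src):
    """Accept/drop decision for a packet with source `src` arriving on `iface`."""
    label = classify(src)
    if label is None:
        return "accept"               # ordinary routable source address
    if label in NEVER_VALID_SOURCE:
        return "drop"                 # multicast/reserved/loopback are never valid sources
    if iface == EXTERNAL_IFACE:
        return "drop"                 # private range arriving from the internet: spoofed
    return "accept"                   # private range on the LAN side: normal

def filter_log(lines):
    """Run verdict() over log lines of the form 'iface=<if> src=<ip> dst=<ip>'."""
    rows = [dict(f.split("=", 1) for f in line.split()) for line in lines]
    return [(r["iface"], r["src"], verdict(r["iface"], r["src"])) for r in rows]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "iface=ext0 src=10.4.4.4 dst=203.0.113.10",      # private source from outside: spoofed
    "iface=lan0 src=192.168.1.20 dst=203.0.113.10",  # private source from inside: normal
    "iface=ext0 src=198.51.100.7 dst=203.0.113.10",  # ordinary public source
    "iface=lan0 src=127.0.0.1 dst=203.0.113.10",     # loopback can never arrive on a wire
    "iface=ext0 src=224.0.0.9 dst=203.0.113.10",     # multicast is never a valid source
]
```

Calling filter_log(SAMPLE_LOG) gives the per-line verdicts; a real firewall expresses the same policy as interface-bound rules rather than Python.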
Ah.. thanks, Steven - (Ashton)
That nice list of categories makes the netmask logic more intelligible to even me - and adds a certain clue when I notice in the logs.. a repetitive address attempting several of the cockamamie &^#$^ countless ports, and its address is one of the suspect Class. This especially.. when they increment! This ain't about a misplaced query, but about snooping (I must suppose).

At which point I'm almost moved to do a look-up and pen a poison e-letter to the putative owner of the block, depending upon mood. Dunno if anyone reads such notes, of course - or acts on the info.

I can imagine that an annotated graphical map could be a boon for those learning from scratch. When I was possibly going to help a local non-profit put their private LAN (run by Win 2K-Server, fancy RAID hdwre etc.) on inet:

After I perused a recommended book on the OS, while I found lots of the cautions to be 'common sensical', I also discovered [what all of you already know]: that you'd damn well better be up to speed, not merely in the endless stream of patches from M/Sloth (and what each one might break, while 'fixing' something else) BUT - you must also be not just acquainted with.. but familiar with a large repertoire of modern sophisticated attacks.

I concluded: I was not up-to-speed and unlikely to become so. Fortunately they found a work-around to permit their (limited need) of internet access, which was kept separate from the LAN and its data. I believe this was a shrewd move on their part - after all, the ONLY version of "NT" in all its convoluted forms, to meet [some Color]-Book Certification - achieved that dubious honor, only when isolated from all I/O.

(Moving them to Open Source non-toy OS was of course, also beyond my competence and.. they had the present working system ~ 'free'.)

i.e. Security ain't no job for amateurs, today! I watch with amusement as a friend attempts to get his small LAN 'safe' for exposure to the net, while playing with packet sniffers, then looking for FAQs about why he's seeing (say..) lots of NETBIOS queries appearing after a particular change is made. Yada yada ---> ad infinitum. He's learning of course, but..

A Net Policeman's life is not a happy lot..



Ashton
who can think of more entertaining means of self-flagellation than this :(
Some nits with A, B, C. - (Arkadiy)
Classes A, B and C are a bit more than you mention...

Every IP address belongs to some network. Some portion of the address denotes the network; the rest is the address of a host in that network.

The size of network portion depends on the bit pattern at the beginning of it:

>>>>>>>>>>>>>>>>>>>>>>>>>> (from Webopedia: http://www.webopedia.com/DidYouKnow/2002/March/IPaddressing.html)
Class A Network -- binary address start with 0, therefore the decimal number can be anywhere from 1 to 126. The first 8 bits (the first octet) identify the network and the remaining 24 bits indicate the host within the network. An example of a Class A IP address is 102.168.212.226, where "102" identifies the network and "168.212.226" identifies the host on that network.

Class B Network -- binary addresses start with 10, therefore the decimal number can be anywhere from 128 to 191. (The number 127 is reserved for loopback and is used for internal testing on the local machine.) The first 16 bits (the first two octets) identify the network and the remaining 16 bits indicate the host within the network. An example of a Class B IP address is 168.212.226.204 where "168.212" identifies the network and "226.204" identifies the host on that network.

Class C Network -- binary addresses start with 110, therefore the decimal number can be anywhere from 192 to 223. The first 24 bits (the first three octets) identify the network and the remaining 8 bits indicate the host within the network. An example of a Class C IP address is 200.168.212.226 where "200.168.212" identifies the network and "226" identifies the host on that network.

Class D Network -- binary addresses start with 1110, therefore the decimal number can be anywhere from 224 to 239. Class D networks are used to support multicasting.

Class E Network -- binary addresses start with 1111, therefore the decimal number can be anywhere from 240 to 255. Class E networks are used for experimentation. They have never been documented or utilized in a standard way.
<<<<<<<<<<<<<<<<<<<<<<<<<<


So, as we see, all addresses on the Internet belong to an A, B or C network. Certain networks inside A space (as well as others inside B and C space) are declared unroutable, never to appear on the "real" Internet. 10.x.x.x is a class A network that's reserved for this purpose. Another A network, 127.x.x.x, is reserved for loopback addresses (so you can have 127.0.0.1 as well as 127.0.0.2 and so on).

However, as the Internet grew, it turned out that the smallest network, class C, is not small enough, and there are not enough of them. On the other hand, class A was too big, and there are too many of them.

That's how the concept of a subnet was born. We create a bit mask that tells us to interpret some part of the host number in an IP address as a subnet. Say we have a class B address, 168.20.x.x. Normally, our hosts would have to assume that any host with an address that follows this pattern is on the local network. But, since a LAN with 64K devices on it is unwieldy, we introduce 256 subnets, 256 devices each. Now, our netmask is 255.255.255. Each device has to know its netmask to determine whether to send a packet to a gateway or put it directly on the wire.

Note that subnet masks are not arbitrary. For example, with addresses like 168.20.x.x, you cannot have a mask of 255.0.0.0. Those addresses are class B, so the first 2 octets have to be a network for the benefit of "big" Internet routers (they keep track of routes to networks according to class A, B and C; they don't know anything about subnets).
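An added example (not Arkadiy's code) that works through the classful rules quoted above: it reads the class from the leading bits of the first octet, checks that a subnet mask never shortens the classful network part (so 255.0.0.0 is rejected for 168.20.x.x), and makes the direct-vs-gateway decision a host makes. It assumes the 256-subnet mask in the post is 255.255.255.0.

```python
import ipaddress

CLASSFUL_NETWORK_BITS = {"A": 8, "B": 16, "C": 24}  # network-part length per class

def address_class(ip):
    """Classify by the leading bits of the first octet, as in the quoted text."""
    first = int(ipaddress.ip_address(ip)) >> 24
    if first & 0x80 == 0x00:
        return "A"               # 0xxxxxxx: first octet 0-127
    if first & 0xC0 == 0x80:
        return "B"               # 10xxxxxx: 128-191
    if first & 0xE0 == 0xC0:
        return "C"               # 110xxxxx: 192-223
    if first & 0xF0 == 0xE0:
        return "D"               # 1110xxxx: 224-239
    return "E"                   # 1111xxxx: 240-255

def classful_network(ip):
    """The A/B/C network a unicast address belongs to, ignoring any subnetting."""
    cls = address_class(ip)
    if cls not in CLASSFUL_NETWORK_BITS:
        raise ValueError(f"{ip} is class {cls}, not a unicast network address")
    return ipaddress.ip_network(f"{ip}/{CLASSFUL_NETWORK_BITS[cls]}", strict=False)

def mask_valid_for(ip, mask):
    """A subnet mask may lengthen the classful network part but never shorten it."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    return prefix >= classful_network(ip).prefixlen

def next_hop(src, dst, mask):
    """What a host with address src and the given mask does with a packet for dst."""
    if not mask_valid_for(src, mask):
        raise ValueError(f"mask {mask} is shorter than the class of {src} allows")
    local = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    return "direct" if ipaddress.ip_address(dst) in local else "gateway"
```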
My error - (Steven A S)
I had learned about these classes from the private network perspective, so I'd always thought of them by their private networking ranges only. But I guess they extend to public (internet) IP networks as well. Of course it's just the IPs from the private ranges that you have to watch for on the internet.
~~~)-Steven----

"I want you to remember that no bastard ever won a war by dying for his country.
He won it by making the other poor dumb bastard die for his country..."

General George S. Patton