
Eircom cause pandemonium on the Global Internet

  • 12-11-2003 1:05pm
    #1
    Closed Accounts Posts: 6,143 ✭✭✭


    Do an nslookup

    enter the following name

    filer3-b.indigo.ie

    the culprit responsible for this (or authoritative) server is

    auth01.ns.eircom.net

    > filer3-b.indigo.ie
    Server: auth01.ns.eircom.net
    Address: 159.134.237.61

    filer3-b.indigo.ie internet address = 192.168.1.1
    indigo.ie nameserver = auth01.ns.eircom.net
    indigo.ie nameserver = auth02.ns.eircom.net
    indigo.ie nameserver = auth03.ns.eircom.net
    auth01.ns.eircom.net internet address = 159.134.237.61
    auth02.ns.eircom.net internet address = 159.134.237.59
    auth03.ns.eircom.net internet address = 159.134.191.34

    The WHOLE of the REST of the INTERNET is getting this crap.

    They have also b4llsed up the 192.168.3.1 range.

    M


Comments

  • Registered Users Posts: 13,016 ✭✭✭✭vibe666


    oops. can't help but giggle.


  • Closed Accounts Posts: 29,476 ✭✭✭✭Our man in Havana


    Muck, do you mind explaining this in plain English?


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Originally posted by Bond-James Bond
    Muck, do you mind explaining this in plain English?
    /me nods

    As far as I can see, the name servers for filer3-b.indigo.ie are
    159.134.237.61
    159.134.237.59
    159.134.191.34

    What's the problem?


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,886 Mod ✭✭✭✭Capt'n Midnight


    Name: filer3-b.indigo.ie
    Address: 192.168.1.1

    Dearie me, my oh my, gosh..

    Home users should be OK as long as their ADSL box or router or ICS doesn't use this address :)

    Any bets as to when they'll start using
    10. / 172.16. / 169.254. ??


  • Registered Users Posts: 6,317 ✭✭✭OfflerCrocGod


    I thought ICS used 192.168.0.1. I know, though, that 192.168.1.1 is used for something reserved but I can't remember what!


  • Closed Accounts Posts: 484 ✭✭ssh


    I used to work in the helpdesk there, and they seemed to be mapping every single 10.255.255.255 address to some 159.233.255.255 address when it hit their routers. The place is something of a mess to say the least.


  • Registered Users Posts: 319 ✭✭java


    ssh: Are you talking about NAT?


  • Registered Users Posts: 651 ✭✭✭sirlinux


    That record comes from ann.indigo.ie and una.indigo.ie and has been there for years and years. I can remember about 3 years ago setting up an NT4 server on a 64k leased line and seeing its IP of 192.168.1.1 resolving, had me scratching me head for a few minutes. Seen it many times since.


  • Registered Users Posts: 3,871 ✭✭✭ozmo


    Originally posted by Muck
    filer3-b.indigo.ie internet address = 192.168.1.1

    Nicely spotted and bad form on Indigo's part - but as long as Indigo don't expect anyone to use their server at that IP address it's their tough luck.

    What is filer3-b.indigo.ie supposed to be for anyway? What would the world be missing out on if routers don't route this IP address :)

    I know some of the guys that used to be in charge of this stuff at indigo - I'll email them and see what they say...

    ozmo.

    “Roll it back”



  • Closed Accounts Posts: 7,221 ✭✭✭BrianD


    Can somebody explain in plain english what the implications are?


  • Registered Users Posts: 651 ✭✭✭sirlinux


    Very few implications, unless you want to get to filer3-b.indigo.ie from the big bad internet. It's incredibly bad practice though.


  • Registered Users Posts: 3,871 ✭✭✭ozmo


    Got this from behind enemy lines - quoted as I got it with names removed both ways to protect the guilty ;)

    > Go on - was it one of you guys :)

    Most likely, but it's not as bad as all that...

    Indigo/Eircom are not advertising this stuff to the world, nor could they if they wished. They are advertising RFC1918 addresses (192.168) in their own forward DNS records (indigo.ie). This is not much worse than advertising incorrect or unreachable addresses in a zone. So long as they do not use RFC1918 addresses for any record which could be used as a public service (i.e. a mail server, or another DNS server), this is mostly harmless. The opinion that RFC1918 addresses should *never* appear in a public zone file stems from this, but is not backed up by any DNS RFCs.

    On the reverse-zone side of things, 168.192.in-addr.arpa is delegated to IANA, who do nothing with it or its subdomains. This means that any reverse DNS pointers Indigo/Eircom make will only affect their own DNS server - no other DNS server will ever ask it for details about IP addresses in this range. Once again, harmless.

    > The WHOLE of the REST of the INTERNET is getting this crap.
    >
    > They have also b4llsed up the 192.168.3.1 range.

    Nah, the whole of the internet, as usual, is oblivious to it. About the only part of the internet to notice is filer*.indigo.ie and this guy.


    :ninja:

    “Roll it back”



  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    Originally posted by ozmo
    Indigo/Eircom are not advertising this stuff to the world, nor could they if they wished.

    Try this (w2k or xp)

    nslookup (your DNS server IP address appears .. so change to anudder one)

    server ns0.uk.colt.net (now you are using a different DNS server)

    filer3-b.indigo.ie

    192.168.1.1

    So it HAS propagated out of the Eircom Zone and is affecting innocents elsewhere. Whose fault would that be :D

    M


  • Closed Accounts Posts: 6,718 ✭✭✭SkepticOne


    cgi web interface to nslookup client:
    http://www.infobear.com/nslookup.shtml

    So what are the consequences of this?

    If I try to ping filer3-b.indigo.ie I get a hanging connection, naturally enough since it is a non routable address.

    If a company has the 192.168.1.1 on its local network, then presumably pinging filer3-b.indigo.ie will ping the local machine with that address.

    Do I have this right? Are there consequences beyond this?


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    Or a browser script could be used to probe the inside of a router on that IP, basically it's a Global security hole sponsored by Eircom and not Bill.

    M


  • Closed Accounts Posts: 6,718 ✭✭✭SkepticOne


    Originally posted by Muck
    Or a browser script could be used to probe the inside of a router on that IP, basically it's a Global security hole sponsored by Eircom and not Bill.
    I see. I guess using a name rather than the 192.168.1.1 address directly would make the exploit less obvious.


  • Registered Users Posts: 197 ✭✭iano


    As Mr Shakespeare might have said: "Much ado about nothing". I can't see how this is going to make my system any less secure.

    However, it is a bit dodgy on the part of Eircom.net that, even after it has been pointed out publicly, they are giving out apparently sensitive information about the architecture of their internal network.

    For example,
    2.5.168.192.in-addr.arpa name = billing-b.indigo.ie
    4.1.168.192.in-addr.arpa name = relay03-b.indigo.ie
    254.5.168.192.in-addr.arpa name = billing-sw.indigo.ie

    etc.

    I only tested a couple of addresses, but would you be surprised to find hr.indigo.ie or customerdetails.indigo.ie listed?

    Makes ya wonder ...
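
A zone-audit sketch for the issue discussed in this thread, added here as an example and not code from any poster or from Eircom: it flags A records in a public zone that point at non-public ranges, and PTR records that publish internal host names. The "high"/"low" labels are an assumption that follows the distinction drawn in the quoted reply (names used as MX or NS targets matter more); the `example.test` records are constructed.

```python
import ipaddress

# RFC 1918 private ranges plus link-local, the ranges named in the thread.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed zone data in "owner TYPE rdata" form. The first three lines reuse
# names and addresses quoted in the thread; the example.test lines are made up.
SAMPLE_ZONE = """\
filer3-b.indigo.ie.        A    192.168.1.1
auth01.ns.eircom.net.      A    159.134.237.61
2.5.168.192.in-addr.arpa.  PTR  billing-b.indigo.ie.
example.test.              MX   10 mail.example.test.
mail.example.test.         A    10.1.2.3
www.example.test.          A    203.0.113.10
"""

def is_non_public(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC)

def ptr_owner_to_ip(owner):
    """Turn '2.5.168.192.in-addr.arpa.' back into '192.168.5.2', else None."""
    labels = owner.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return None
    return ".".join(reversed(labels[:4]))

def audit_zone(text):
    """Return sorted (severity, owner, detail) findings for a public zone."""
    records = [line.split() for line in text.splitlines() if line.strip()]
    # Names that outside hosts must reach: targets of MX and NS records.
    service_targets = {r[-1].lower() for r in records if r[1] in ("MX", "NS")}
    findings = []
    for owner, rtype, *rdata in records:
        if rtype == "A" and is_non_public(rdata[0]):
            sev = "high" if owner.lower() in service_targets else "low"
            findings.append((sev, owner, f"A -> {rdata[0]}"))
        elif rtype == "PTR":
            ip = ptr_owner_to_ip(owner)
            if ip and is_non_public(ip):
                findings.append(("low", owner, f"internal name {rdata[0]}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(*finding)
```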

