Bot activity?



  • Fresh install 2.3.5

    ARP table includes
    node-1z5.pool-180-180.dynamic.totbb.net

    
    Showing on OPT1 interface 180.180.10.1

  • LAYER 8 Global Moderator

    That is just the PTR for that IP..  Do you own that IP block 180.180?

    inetnum:        180.180.0.0 - 180.180.255.255
    netname:        TOT-AS-AP
    descr:          TOT Public Company Limited
    descr:          Zone A, 6th Floor, Building 1
    descr:          Swicthing and Network Interconnection System Standard Sector
    descr:          TOT Public Company
    descr:          89/2 Moo 3 Chaengwatthana Road
    country:        TH

    Find that unlikely… So why would you have that address block on your opt1 interface?

    If you're just going to use public IP space on your internal network, then yes you're going to get all kinds of weird stuff returned for the PTR of said address space since it's public space.



  • Exactly, I did check this out prior to starting the question, and as well have seen unscrupulous activity from this block, hence the bot question.

    I asked in this manner considering an internal network resides on 180.180.10.1

    See where I'm going here?

    edit:
    Why is an internal network externally resolving, no matter the block?


  • LAYER 8 Global Moderator

    "I asked in this manner considering an internal network resides on 180.180.10.1"

    So you own 180.180.10?  And are using it on your own network??  If you own that space then you should be in charge of the PTR and can set up PTR for any IP you want.. If you do not own the space then you shouldn't be using it on your internal network.  You should be using rfc1918 space or public space you do own and can control the PTR of.

    The authoritative name server for that IP block is ns3.totbb.net

    ;AUTHORITY
    10.180.180.in-addr.arpa. 1799 IN SOA ns3.totbb.net.

    So yeah when looking up a PTR it's going to end up asking them. Unless you have created your own reverse zone for that block so your clients end up asking a NS that states it is authoritative for that network for PTR (reverse)..

    Again let's be clear: if you do not actually OWN this netblock you shouldn't be using it internally.



  • Ok I'm learning.

    I have traditionally used 10.10 blocks internally, yet never noticed the ISP's modem network being arp'd as this is.

    And no, I am affiliated in no way with the 180 block.

    I simply do not understand why an internal block would cause this.


  • LAYER 8 Global Moderator

    It wouldn't, 10.10 is rfc1918 space.. You would have to run your own reverse zones if you want 10/8 or 192.168/16 or 172.16/12 PTRs to work.

    You shouldn't be using public space on your own networks, unless you own them.  You can not just pick IPs out of thin air and use them… Well you can technically ;)  But it's bad juju to do it unless you actually own the space.

    There is more than enough address space in rfc1918, there is no reason to use non rfc1918 space in your network unless you actually own it.
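
An added example, not part of the original thread: a small audit that flags interface addresses sitting on public space you do not hold and shows the reverse-DNS name that will be queried for each. It is IPv4 only; the interface names and addresses are a constructed sample mirroring the thread, and the `owned` and `local_reverse_zones` parameters are assumptions of this sketch.

```python
import ipaddress

# RFC 1918 private ranges: usable internally without owning them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip, owned=()):
    """Return 'rfc1918', 'owned-public' or 'foreign-public' for an address."""
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if any(ip in ipaddress.ip_network(n) for n in owned):
        return "owned-public"
    return "foreign-public"

def audit(interfaces, owned=(), local_reverse_zones=()):
    """Check each interface address and say who answers its PTR lookups.

    interfaces: {name: "address/prefix"}
    owned: public prefixes you actually hold (assumed input)
    local_reverse_zones: reverse zones your own resolver is authoritative for
    """
    zones = [z.rstrip(".").lower() for z in local_reverse_zones]
    report = {}
    for name, cidr in interfaces.items():
        ip = ipaddress.ip_interface(cidr).ip
        ptr = ip.reverse_pointer  # the name a PTR lookup asks for
        local = any(ptr == z or ptr.endswith("." + z) for z in zones)
        report[name] = {
            "kind": classify(ip, owned),
            "ptr_name": ptr,
            # Not local: the query follows the public in-addr.arpa
            # delegation, i.e. the block holder's name servers.
            "answered_by": "local resolver" if local else "public delegation",
        }
    return report

def misused(report):
    """Interfaces numbered out of someone else's public space."""
    return sorted(n for n, r in report.items() if r["kind"] == "foreign-public")

# Constructed sample mirroring the thread: LAN on 10.10, OPT1 on 180.180.10.1.
SAMPLE = {"LAN": "10.10.10.1/24", "OPT1": "180.180.10.1/24"}

if __name__ == "__main__":
    rep = audit(SAMPLE, local_reverse_zones=["10.10.in-addr.arpa."])
    for name, row in rep.items():
        print(name, row)
    print("renumber into RFC 1918:", misused(rep))
```
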



  • Fair enough, you've given me a lot to chase after for information.

    The reasoning behind the 180.180 block is due to me obtaining an old AIX 4 server, workstations and thin clients which live in this block, thought I'd give it its own network.

    Thanks for the info, and the start of finding out why the arp table would show this connection.


  • LAYER 8 Global Moderator

    So you inherited these devices and they were using this IP range?  Did they come from Thailand? ;)

    Yes it would be best to move them to rfc1918 space..  And then set up your own PTR records for them, then your arp table will show the correct names for these devices.



    Yes they are all on 180.180.180.0/ , which now that I understand a bit more, with your help explains a lot of what little I already knew about the company. Meaningless overall (infos on company) but helpful in understanding.

    Not in Thailand, however as stated above, adds a few lines where there were only dots. Concerning a better understanding of networking.

    Already set the OPT1 network back to 10.10 and working smitty to change the AIX IP

    Just playing here, I learn more by hands on.



  • LAYER 8 Global Moderator

    Well whoever set them up with that IP space was clueless ;)  Unless they were used by

    inetnum:        180.180.0.0 - 180.180.255.255
    netname:        TOT-AS-AP
    descr:          TOT Public Company Limited
    descr:          Zone A, 6th Floor, Building 1
    descr:          Swicthing and Network Interconnection System Standard Sector
    descr:          TOT Public Company
    descr:          89/2 Moo 3 Chaengwatthana Road
    country:        TH

    Here to help - so if you have questions.. Just ask..

    If you need help setting up PTRs - just let me know… But if you create host overrides in unbound on pfsense, or allow for static dhcp leases to be registered then it should happen automatically when you create the reservation.  Then your arp table should show correct for the names you give them.



  • Showing you a line, as I understand things, "the company" has servers - via third party response - "on an island" , which in this case could mean Thailand (by way of the cup and string communication method)

    From what I understand you're explaining to me in my situation, could that make sense, network wise?

    I've got the reverse DNS things, I don't use them internally, at least never did, probably should. Then I would be getting into not having to remember IPs all the time, seems too easy lol


  • LAYER 8 Global Moderator

    Ah yeah if the servers were run/owned by that company, no matter where they might have been located even - then sure those old IPs make sense ;)

    You don't use dns internally? Wow??  That is just plain nuts…  Shoot even MS got on board with dns server back in the NT 3.51 Days.. mid 90's  So you're over 20 years for sure...

    Good luck with IPv6 without using names ;) hehehe



  • @johnpoz:

    You don't use dns internally? Wow??  That is just plain nuts…  Shoot even MS got on board with dns server back in the NT 3.51 Days.. mid 90's  So you're over 20 years for sure...

    Good luck with IPv6 without using names ;) hehehe

    Ha! True story. Just in my own playpen, never even thought of it. Go ahead shame me into it, lol

