Paul Cummins (01.01.1970, 02:00)
In article <q49b6p$21qq$1>, richard
(Richard Tobin) wrote:

> What possible reason could they have for sending such a packet to
> *you*? Why would they think your external IP address was a route to
> an RFC1918 address?
> But yes, your router should discard such packets anyway.


Back in the day, BT internet did double-NATting. My "public" address was
behind private (172.x.x.x) routing, and my IP address couldn't be
accessed directly from the wider internet.

It looked very strange in traceroutes too.
Chris Green (04.02.2019, 16:54)
Is there any advantage to be gained security-wise in using a
'non-standard' private IP range in a NAT router. E.g. either
172.16.x.x or 10.x.x.x. I suspect not but I suppose there might be
some gain in the 'security by obscurity' direction.

.... any other advantages, except the obvious one of bigger sub-nets if
you happen to need them?
MissRiaElaine (04.02.2019, 17:13)
On 04/02/2019 14:54, Chris Green wrote:
> Is there any advantage to be gained security-wise in using a
> 'non-standard' private IP range in a NAT router. E.g. either
> 172.16.x.x or 10.x.x.x. I suspect not but I suppose there might be
> some gain in the 'security by obscurity' direction.
> .... any other advantages, except the obvious one of bigger sub-nets if
> you happen to need them?


I doubt there's any advantage one way or the other. When I was at work
using wireless to connect to CCTV recorders on our vehicle fleet, we
used the 10.x.x.x range, but I suspect the only reason was to get it out
of the way so people wouldn't think of looking there.
Woody (04.02.2019, 20:29)
On Mon 04/02/2019 15:13, MissRiaElaine wrote:
> On 04/02/2019 14:54, Chris Green wrote:
> I doubt there's any advantage one way or the other. When I was at work
> using wireless to connect to CCTV recorders on our vehicle fleet, we
> used the 10.x.x.x range, but I suspect the only reason was to get it out
> of the way so people wouldn't think of looking there.

10.x.x.x is nothing about putting the address out of the way. It is a
designated Class A address that is never used in the outside world -
only for internal networks. Being Class A it can provide a huge number
of networks and addresses behind a common NAT wall, many many times more
than using 192.168.x.x which is Class C.

The advantage of using 192.168.a.b where a is not 0, 1, or 2 is that you
can then put fixed addresses into your domestic system behind the NAT
wall so that DHCP is not used for non-visiting equipments. The main
advantage of such is using a fixed address for, say, a networked printer
which otherwise could get a different IP address every time it is
switched on depending which order of items being powered up.
Bob Latham (04.02.2019, 21:56)
In article <q3a09h$4ka$1>,
Woody <harrogate3> wrote:

> The advantage of using 192.168.a.b where a is not 0, 1, or 2 is
> that you can then put fixed addresses into your domestic system
> behind the NAT wall so that DHCP is not used for non-visiting
> equipments. The main advantage of such is using a fixed address
> for, say, a networked printer which otherwise could get a
> different IP address every time it is switched on depending which
> order of items being powered up.


I don't understand this at all.

A device can have a fixed IP address on your own Lan either by using
DHCP reservation on the router or by setting a static IP on the
device. It doesn't to my knowledge make any difference at all if the
value of 'a' is 0 or 56. The only difference is how unusual you wish
to be which *may* confuse a hacker a little.

Unless of course, you know something which I've never come across
before.

Please explain further.

Bob.
Bob Eager (04.02.2019, 22:26)
On Mon, 04 Feb 2019 19:56:51 +0000, Bob Latham wrote:

> In article <q3a09hka>,
> Woody <harrogate3> wrote:
> I don't understand this at all.
> A device can have a fixed IP address on your own Lan either by using
> DHCP reservation on the router or by setting a static IP on the device.
> It doesn't to my knowledge make any difference at all if the value of
> 'a' is 0 or 56. The only difference is how unusual you wish to be which
> *may* confuse a hacker a little.
> Unless of course, you know something which I've never come across
> before.


Exactly. The same argument (if it is an argument) would apply to the
other RFC 1918 ranges. Indeed, you could subnet those any way you wanted
since it's all under your own control.

The only thing one might have to be careful of is picking a different
address from that given to you under carrier grade NAT, which is probably
going to be an RFC 1918 address (it should, of course, be an RFC 6598
address, but probably isn't).
MissRiaElaine (04.02.2019, 22:36)
On 04/02/2019 18:29, Woody wrote:
> On Mon 04/02/2019 15:13, MissRiaElaine wrote:
> 10.x.x.x is nothing about putting the address out of the way.


My point was that address ranges other than the 192.168.x.x series are
relatively uncommon, so people would not think of looking there.
Bob Eager (04.02.2019, 22:41)
On Mon, 04 Feb 2019 20:36:56 +0000, MissRiaElaine wrote:

> On 04/02/2019 18:29, Woody wrote:
> My point was that address ranges other than the 192.168.x.x series are
> relatively uncommon, so people would not think of looking there.


That *might* be true of the 172.16.x.x range, but the 10.x.x.x range is
pretty well known. In any case, hackers are surely well informed enough
to try all three.
Nick Leverton (04.02.2019, 22:49)
In article <gbrm38FltjiU1>,
MissRiaElaine <thisaddressis> wrote:
>On 04/02/2019 18:29, Woody wrote:
>My point was that address ranges other than the 192.168.x.x series are
>relatively uncommon, so people would not think of looking there.


If people can even see into a private network, the owner has a serious
problem which can't be solved by messing with IP ranges.

Nick
Andy Burns (04.02.2019, 23:02)
Bob Eager wrote:

> In any case, hackers are surely well informed enough
> to try all three.


If they're on your network there's almost certainly a DHCP server
dishing them out the details, otherwise they'll use wireshark to see
what's in use ...
MissRiaElaine (04.02.2019, 23:16)
On 04/02/2019 20:49, Nick Leverton wrote:

> If people can even see into a private network, the owner has a serious
> problem which can't be solved by messing with IP ranges.


Not a lot you can do about that when you need to communicate wirelessly
with vehicles in the yard.
Woody (04.02.2019, 23:36)
On Mon 04/02/2019 19:56, Bob Latham wrote:
[..]
> Unless of course, you know something which I've never come across
> before.
> Please explain further.


Sorry Bob, I realised after I had posted it that I had made a mess of
what I was trying to say.
Two things anyone (with the knowledge) should do is to change the router
SSID as they often give away the make and thus the default
username/password (which you should also change) and secondly to change
the IP range. Whilst it won't stop the real nasty types it will slow
them down a bit. Anyway anyone who would want to crack a domestic system
must be bored stiff.

The other bit about the printer: when you set up a network printer in
Windoze it must have a fixed address. If it doesn't and relies upon DHCP
then it could have a different IP address every time the printer powers
up and Windows won't be able to find it if it has changed from the one
in the printer setup file. It is better to use a fixed address which
could of course be written into the printer config but then there is
always the risk of DHCP having already issued that address unless the
prefixed address is outside the DHCP window. I found it easier to enter
it into the reserved address table in the router - and if you are doing
it for one it makes sense to fix everything. At least you know what
address to enter into your browser if you want to talk to something.

Now someone will correct me no doubt?
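
An added example, not part of any post in this thread: a Python check of two address-plan pitfalls raised above, namely Bob Eager's point about a LAN range colliding with an RFC 1918 or RFC 6598 address handed out under carrier-grade NAT, and Woody's point about a fixed address falling inside the DHCP window. The function names and the sample plan are constructed for illustration.

```python
import ipaddress

# Address blocks named in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")  # shared space for carrier-grade NAT


def classify(addr):
    """Return 'rfc1918', 'rfc6598' or 'other' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in RFC6598:
        return "rfc6598"
    return "other"


def check_plan(lan, wan_ip, wan_prefix, dhcp_first, dhcp_last, statics):
    """Return a list of problems found in a home LAN address plan."""
    problems = []
    lan_net = ipaddress.ip_network(lan)
    wan_net = ipaddress.ip_network(f"{wan_ip}/{wan_prefix}", strict=False)
    kind = classify(wan_ip)
    if kind != "other":
        problems.append(f"WAN address {wan_ip} is {kind} space: upstream NAT in use")
    if lan_net.overlaps(wan_net):
        problems.append(f"LAN {lan_net} overlaps upstream network {wan_net}")
    first = ipaddress.ip_address(dhcp_first)
    last = ipaddress.ip_address(dhcp_last)
    for name, addr in statics.items():
        ip = ipaddress.ip_address(addr)
        if ip not in lan_net:
            problems.append(f"{name} ({ip}) is outside LAN {lan_net}")
        elif first <= ip <= last:
            problems.append(f"{name} ({ip}) is inside DHCP pool {first}-{last}")
    return problems


# Constructed sample plan (assumption, not taken from the thread).
SAMPLE = dict(
    lan="10.0.0.0/16", wan_ip="10.0.37.12", wan_prefix=8,
    dhcp_first="10.0.0.100", dhcp_last="10.0.0.200",
    statics={"printer": "10.0.0.150", "nas": "10.0.0.10"},
)

if __name__ == "__main__":
    for line in check_plan(**SAMPLE):
        print(line)
```
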
Graham. (04.02.2019, 23:58)
>On 04/02/2019 20:49, Nick Leverton wrote:
>> If people can even see into a private network, the owner has a serious
>> problem which can't be solved by messing with IP ranges.

>Not a lot you can do about that when you need to communicate wirelessly
>with vehicles in the yard.


Then they've got the passphrase, or have cracked your WPAx encryption.
Nick Leverton (04.02.2019, 23:59)
In article <gbrodpFmd33U1>,
MissRiaElaine <thisaddressis> wrote:
>On 04/02/2019 20:49, Nick Leverton wrote:
>> If people can even see into a private network, the owner has a serious
>> problem which can't be solved by messing with IP ranges.

>Not a lot you can do about that when you need to communicate wirelessly
>with vehicles in the yard.


There is loads you can do about it, starting with securing the Wifi ...

I have known a transport enterprise which put their operational equipment
on a public network, they were lucky they only got accidentally DOSsed a
few times before we discovered what they'd done.

Nick
MissRiaElaine (05.02.2019, 00:06)
On 04/02/2019 21:59, Nick Leverton wrote:
> In article <gbrodpFmd33U1>,
> MissRiaElaine <thisaddressis> wrote:
> There is loads you can do about it, starting with securing the Wifi ...
> I have known a transport enterprise which put their operational equipment
> on a public network, they were lucky they only got accidentally DOSsed a
> few times before we discovered what they'd done.


Oh it was well secured, with lots of expensive Cisco Enterprise kit. My
point was just that an IP range outside the usual 192.168.x.x range was
possibly less likely to be chanced upon.
