Sponsored by..

Monday, 3 April 2017

25.0.0.0/8 is not your private network

A recent phishing email originating from an Office 365 caused some confusion.. apparently originating fom an address in the 25.0.0.0.8 range which according to a WHOIS lookup is the UK's Ministry of Defence.

% Abuse contact for '25.0.0.0 - 25.255.255.255' is 'hostmaster@mod.uk'

inetnum:        25.0.0.0 - 25.255.255.255
netname:        UK-MOD-19850128
country:        GB
org:            ORG-DMoD1-RIPE
admin-c:        MN1891-RIPE
tech-c:         MN1891-RIPE
status:         LEGACY
notify:         hostmaster@mod.uk
mnt-by:         UK-MOD-MNT
mnt-domains:    UK-MOD-MNT
mnt-routes:     UK-MOD-MNT
mnt-by:         RIPE-NCC-LEGACY-MNT
created:        2005-08-23T10:27:23Z
last-modified:  2016-04-14T09:56:26Z
source:         RIPE

organisation:   ORG-DMoD1-RIPE
org-name:       UK Ministry of Defence
org-type:       LIR
address:        Not Published
address:        Not Published
address:        Not Published
address:        UNITED KINGDOM
phone:          +44(0)3067700816
e-mail:         mathew.newton643@mod.gov.uk
admin-c:        MN1891-RIPE
abuse-c:        MH12763-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        UK-MOD-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         UK-MOD-MNT
created:        2004-04-17T12:18:23Z
last-modified:  2016-10-06T11:09:40Z
source:         RIPE

person:         Mathew Newton
address:        ISS Design Directorate, Joint Forces Command
address:        UK Ministry of Defence
phone:          +44 (0)30 677 00816
e-mail:         mathew.newton643@mod.gov.uk
abuse-mailbox:  hostmaster@mod.uk
notify:         mathew.newton643@mod.gov.uk
nic-hdl:        MN1891-RIPE
created:        2005-03-18T10:42:04Z
last-modified:  2016-12-20T10:33:13Z
source:         RIPE
mnt-by:         UK-MOD-MNT
In this case the connection appeared to come from dm5pr17cu002.internal.outlook.com which does indeed resolve to 25.173.128.134.. which would place it in the MoD's address range. Yes?

Well.. no, because the 25.0.0.0/8 range isn't routable. You can't send traffic to it from the Internet. But it isn't a "private" IP range, it is allocated to the MoD. But it does seem that some companies are taking advantage of this and are using 25.0.0.0/8 for internal networks (much the same as 10.0.0.0/8) when it isn't designed for that.

Of course you can make a DNS record point to anything, it doesn't mean that the server will resolve. A look at all the hosts in 25.173.0.0/16 reveals these apparently active servers:

blserver.net
www.blserver.net
blog.blserver.net
imap.blserver.net
mwhpr13cu002.internal.outlook.com
dm5pr17cu002.internal.outlook.com

25-173-116-219.1334762f6da5400c9f4cbba603d6c121.plex.direct
25-173-129-6.114b489248be4a2489583682ee5d5f3c.plex.direct
sql.engormix.com
has-on.info

In the case of the outlook.com servers the DNS has been misconfigured. What should resolve only PRIVATELY to an 25/8 address is resolving PUBLICALLY to an address in that range. Of course, the servers never respond.And note that this is just one /16, not the whole /8 (reverse DNS for the whole /8 is insane).

The upshot is that the MoD get a lot of abuse calls for bad things that people think originate from their network, but it isn't actually happening.

If you are going to use blocks like 25.0.0.0/8 for internal uses, I would suggest that you take great care not to expose the internal IPs to the outside world. I'm sure the poor people at the MoD would appreciate it.

1 comment:

Håkon Nessjøen said...

You should tell that to the idiots at LogMeIn. Their Hamachi vpn service uses 25.0.0.0/8. (They moved from 5.0.0.0/8 in 2004 or something). I don't like it.