In this case the connection appeared to come from dm5pr17cu002.internal.outlook.com which does indeed resolve to 25.173.128.134... which would place it in the MoD's address range. Yes?

% Abuse contact for '25.0.0.0 - 25.255.255.255' is 'hostmaster@mod.uk'
inetnum: 25.0.0.0 - 25.255.255.255
netname: UK-MOD-19850128
country: GB
org: ORG-DMoD1-RIPE
admin-c: MN1891-RIPE
tech-c: MN1891-RIPE
status: LEGACY
notify: hostmaster@mod.uk
mnt-by: UK-MOD-MNT
mnt-domains: UK-MOD-MNT
mnt-routes: UK-MOD-MNT
mnt-by: RIPE-NCC-LEGACY-MNT
created: 2005-08-23T10:27:23Z
last-modified: 2016-04-14T09:56:26Z
source: RIPE
organisation: ORG-DMoD1-RIPE
org-name: UK Ministry of Defence
org-type: LIR
address: Not Published
address: Not Published
address: Not Published
address: UNITED KINGDOM
phone: +44(0)3067700816
e-mail: mathew.newton643@mod.gov.uk
admin-c: MN1891-RIPE
abuse-c: MH12763-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: UK-MOD-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: UK-MOD-MNT
created: 2004-04-17T12:18:23Z
last-modified: 2016-10-06T11:09:40Z
source: RIPE
person: Mathew Newton
address: ISS Design Directorate, Joint Forces Command
address: UK Ministry of Defence
phone: +44 (0)30 677 00816
e-mail: mathew.newton643@mod.gov.uk
abuse-mailbox: hostmaster@mod.uk
notify: mathew.newton643@mod.gov.uk
nic-hdl: MN1891-RIPE
created: 2005-03-18T10:42:04Z
last-modified: 2016-12-20T10:33:13Z
source: RIPE
mnt-by: UK-MOD-MNT
Well... no, because the 25.0.0.0/8 range isn't routable. You can't send traffic to it from the Internet. But it isn't a "private" IP range either: it is allocated to the MoD. It does seem, though, that some companies are taking advantage of this and are using 25.0.0.0/8 for internal networks (much the same as 10.0.0.0/8) when it isn't designed for that.
Of course you can make a DNS record point to anything; it doesn't mean that a server will answer at that address. A look at all the hosts in 25.173.0.0/16 reveals these apparently active servers:
blserver.net
www.blserver.net
blog.blserver.net
imap.blserver.net
mwhpr13cu002.internal.outlook.com
dm5pr17cu002.internal.outlook.com
25-173-116-219.1334762f6da5400c9f4cbba603d6c121.plex.direct
25-173-129-6.114b489248be4a2489583682ee5d5f3c.plex.direct
sql.engormix.com
has-on.info
In the case of the outlook.com servers the DNS has been misconfigured. What should resolve only PRIVATELY to a 25/8 address is resolving PUBLICLY to an address in that range. Of course, the servers never respond. And note that this is just one /16, not the whole /8 (reverse DNS for the whole /8 is insane).
The upshot is that the MoD get a lot of abuse calls for bad things that people think originate from their network, but it isn't actually happening.
If you are going to use blocks like 25.0.0.0/8 for internal uses, I would suggest that you take great care not to expose the internal IPs to the outside world. I'm sure the poor people at the MoD would appreciate it.
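One way to act on that advice, as an added example that is not part of the original post: a Python check that scans a public zone export for A records pointing into internal-use space. The zone data is constructed (only the outlook.com name and address come from the post), and the function names and reason labels are assumptions.

```python
import ipaddress

# Address space that should only ever appear in internal DNS views.
# 25.0.0.0/8 is included because the post describes it being used like
# 10.0.0.0/8; add your own blocks. Reason labels are this example's own.
INTERNAL_ONLY = {
    ipaddress.ip_network("10.0.0.0/8"): "rfc1918",
    ipaddress.ip_network("172.16.0.0/12"): "rfc1918",
    ipaddress.ip_network("192.168.0.0/16"): "rfc1918",
    ipaddress.ip_network("25.0.0.0/8"): "allocated-to-mod",
}

# Constructed public zone export. Only the first record's name and address
# come from the post; the rest use documentation names and ranges.
SAMPLE_ZONE = """\
; name                              ttl class type rdata
dm5pr17cu002.internal.outlook.com.  300 IN    A    25.173.128.134
www.example.com.                    300 IN    A    203.0.113.10
intranet.example.com.               300 IN    A    10.1.2.3
example.com.                        300 IN    MX   10 mail.example.com.
mail.example.com.                   300 IN    A    198.51.100.7
"""

def classify(addr):
    """Return the reason label if addr is internal-only space, else None."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    for net, reason in INTERNAL_ONLY.items():
        if ip in net:
            return reason
    return None

def audit_zone(text):
    """List (name, address, reason) for A records that leak internal addresses."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenise
        if len(fields) < 3 or fields[-2].upper() != "A":
            continue  # an A record ends "... A <address>"
        try:
            reason = classify(fields[-1])
        except ValueError:
            continue  # malformed rdata is outside this check's scope
        if reason:
            findings.append((fields[0].rstrip("."), fields[-1], reason))
    return findings

if __name__ == "__main__":
    for name, addr, reason in audit_zone(SAMPLE_ZONE):
        print(f"{name} -> {addr} ({reason})")
```

Run against the export of the externally visible zone, not the internal view, so that any finding is a record the outside world can actually see.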
1 comment:
You should tell that to the idiots at LogMeIn. Their Hamachi VPN service uses 25.0.0.0/8. (They moved from 5.0.0.0/8 in 2004 or something). I don't like it.