Sponsored by..

Monday 3 April 2017 is not your private network

A recent phishing email originating from an Office 365 caused some confusion.. apparently originating fom an address in the range which according to a WHOIS lookup is the UK's Ministry of Defence.

% Abuse contact for ' -' is 'hostmaster@mod.uk'

inetnum: -
netname:        UK-MOD-19850128
country:        GB
org:            ORG-DMoD1-RIPE
admin-c:        MN1891-RIPE
tech-c:         MN1891-RIPE
status:         LEGACY
notify:         hostmaster@mod.uk
mnt-by:         UK-MOD-MNT
mnt-domains:    UK-MOD-MNT
mnt-routes:     UK-MOD-MNT
mnt-by:         RIPE-NCC-LEGACY-MNT
created:        2005-08-23T10:27:23Z
last-modified:  2016-04-14T09:56:26Z
source:         RIPE

organisation:   ORG-DMoD1-RIPE
org-name:       UK Ministry of Defence
org-type:       LIR
address:        Not Published
address:        Not Published
address:        Not Published
address:        UNITED KINGDOM
phone:          +44(0)3067700816
e-mail:         mathew.newton643@mod.gov.uk
admin-c:        MN1891-RIPE
abuse-c:        MH12763-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        UK-MOD-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         UK-MOD-MNT
created:        2004-04-17T12:18:23Z
last-modified:  2016-10-06T11:09:40Z
source:         RIPE

person:         Mathew Newton
address:        ISS Design Directorate, Joint Forces Command
address:        UK Ministry of Defence
phone:          +44 (0)30 677 00816
e-mail:         mathew.newton643@mod.gov.uk
abuse-mailbox:  hostmaster@mod.uk
notify:         mathew.newton643@mod.gov.uk
nic-hdl:        MN1891-RIPE
created:        2005-03-18T10:42:04Z
last-modified:  2016-12-20T10:33:13Z
source:         RIPE
mnt-by:         UK-MOD-MNT
In this case the connection appeared to come from dm5pr17cu002.internal.outlook.com which does indeed resolve to which would place it in the MoD's address range. Yes?

Well.. no, because the range isn't routable. You can't send traffic to it from the Internet. But it isn't a "private" IP range, it is allocated to the MoD. But it does seem that some companies are taking advantage of this and are using for internal networks (much the same as when it isn't designed for that.

Of course you can make a DNS record point to anything, it doesn't mean that the server will resolve. A look at all the hosts in reveals these apparently active servers:



In the case of the outlook.com servers the DNS has been misconfigured. What should resolve only PRIVATELY to an 25/8 address is resolving PUBLICALLY to an address in that range. Of course, the servers never respond.And note that this is just one /16, not the whole /8 (reverse DNS for the whole /8 is insane).

The upshot is that the MoD get a lot of abuse calls for bad things that people think originate from their network, but it isn't actually happening.

If you are going to use blocks like for internal uses, I would suggest that you take great care not to expose the internal IPs to the outside world. I'm sure the poor people at the MoD would appreciate it.

1 comment:

Unknown said...

You should tell that to the idiots at LogMeIn. Their Hamachi vpn service uses (They moved from in 2004 or something). I don't like it.