Bizarre question

Sieravor · Nov 6, 2007

Ok, I'm not new to networking or security or anything, but I've encountered something weird. I don't want to really get into details because talking about hacking is against TOS, but can anyone think of a reason why I would be able to see an entire ISP's internal network?

Anyway, what I'm asking is, can anyone out there think of any reason why I'd be allowed access, without hacking or anything weird, to an entire reserved ip range on an ISP's network?

I'm not interested in actually doing anything about it, I just want to know what's up, as the ISP is stonewalling.

Mods, if this is inappropriate, just let me know.

Xipher · Nov 7, 2007

You are lacking any explanation here, as to what you mean by access to their reserved range?

Jay_2 · Nov 7, 2007

if you can see the servers in your my network places then they are broadcasting netbios names. This is a little bit stupid and means their core network is setup wrong.

Sieravor · Nov 7, 2007

Xipher said:
You are lacking any explanation here, as to what you mean by access to their reserved range?

I can see their not by the servers' public IP addresses, but by their 10.x.x.x address. This includes, but is not limited to, their customers cable modems and routers. As in, instead of seeing blahblah.router.blahblah.com for their router, I see no FQDN, merely 10.x.x.x, along with the ability to connect and auth with telnet/ssh/http as if I were a part of their trusted network.

I'm trying to be as vague as possible so as not to expose too much of their issue.....just curious if anyone else has noticed something like this in the past with a non mom and pops ISP.

Jay_2 · Nov 7, 2007

nope.

This is a core network issue. Some one has made a nasty mistake and it could be all the way down to how your areas exchange connects to the datacenter. It won't be just you that will see it like this.

Sniper|3d-R| · Nov 7, 2007

screenshot?

Jay_2 · Nov 7, 2007

hold on... if you are part of their trusted Vlan you will have MASSIVE bandwith.

RoBo · Nov 7, 2007

Jay_oasis said:
hold on... if you are part of their trusted Vlan you will have MASSIVE bandwith.

He must begin torrenting at once.

leSLIe · Nov 7, 2007

RoBo said:
He must begin torrenting at once.

indeed !

Atech · Nov 7, 2007

Jay_oasis said:
nope.

This is a core network issue. Some one has made a nasty mistake and it could be all the way down to how your areas exchange connects to the datacenter. It won't be just you that will see it like this.

Sounds like a DSLAM with a bad config.

Sieravor · Nov 7, 2007

Unforunately I'm still capped when it comes to bandwidth since my interface hardware is still working normally.

I'm still waiting for a phone call from the ISP security team. Four days and still no fixes. It's times like this that I wish I was willing to explore the network on a more intimate level. I bet there's all sorts of fun stuff out there just waiting to be examined, vastly scalable bandwidth included.

Fint · Nov 7, 2007

Atech said:
Sounds like a DSLAM with a bad config.

DSLAMs are OSI Layer 2, but "seeing" PCs on the network is a Layer 3/4 issue.

Jay_2 · Nov 7, 2007

I think this is a switch config error all the way back at the datacenter.

Jon855 · Nov 7, 2007

Sieravor said:
]
I'm still waiting for a phone call from the ISP security team.

Don't wait for them to call, make noise and send them such evidence of said problems and raise the volume a whole lot more... As it is your information that may be out there as well...

Any chance you could mention the ISP themselves so that we could know who to watch out for if anyone else around here are under the same ISP and whatnot.

Raise the volume to 11...

Sieravor · Nov 7, 2007

Jon855 said:
Don't wait for them to call, make noise and send them such evidence of said problems and raise the volume a whole lot more... As it is your information that may be out there as well...

Any chance you could mention the ISP themselves so that we could know who to watch out for if anyone else around here are under the same ISP and whatnot.

Raise the volume to 11...

Actually I contacted them shortly after I realized what was happening. I made sure that they made some notes on my account that I reported the problem and didn't intend to do anything malicious.

As for the ISP, it wouldn't hurt anything to give out that info. Roadrunner, Brighthouse, Time warner, what ever you want to call it.

Now, I'm still not sure exactly what is going on with all of this, so if someone out there is willing to risk delving deeper than I, let me know what you find. I stopped as soon as I realized that this was a possible risk factor. here's a quick rundown of the conversation I had with the techs.

Hello, thank you for calling roadrunner technical support. My name is Bill, how can I help you?

Hi Bill, my name is Tim. Im just calling to report some strange behavior on your network. It seems that I am able to see some of your internal IP address, as in I can access your entire class A subnet as if it were public.

Oh.hold on a minute I have to make a call.

I am put on hold for about 20 minutes. Eventually Bill returns, his voice has a slight edge of concern to it.

Can you give me some more information about this? What addresses are you seeing? What do you think is allowing you to do this?

Well, any IP address on the roadrunner network that starts with 10 is visible to me. There dont seem to be any restrictive measures in place or anything, Bill. As for how this is happening, Im not sure.

Ok, do you see any other private IP addresses, anything like 192?

Doesnt seem like it, Bill, but I havent really looked either.

How are you seeing these IP addresses? Are you using a packet sniffer or something?

At this point I realize that he is very concerned and is fishing for some information. I tell the truth, as I dont want to go to jail for terrorism or some other equally retarded reason (hooray for abusive and unconstitutional laws).

Im just using nmap to scan the subnet. No packet sniffers or anything. So, yeah, Im actually very concerned about this. If I can see these internal IP addresses, it means I can sniff traffic off the network as well, Bill. I dont like that. If I found this by mistake, someone out there will certainly find it as well. I mean, if I were malicious I could some serious damage. Alot of these devices have default admin logins as well.

..really? <nervous chuckle> Well.hold on a minute, I have to make a call.

I wait again, this time for only a couple minutes.

Alright, the security specialists say this is normal for the network. Since youre a part of the network you should be able to see the other machines, so its ok. Youre on a business account and since you have a static IP you are able to see some things that most of our customers cannot. Ill make some notes on your account so that its clear that you mentioned this to us and were concerned. You might get a call from the Roadrunner security department sometime in the future. Is there anything else?

The conversation ended with the standard scripted close and I hung up the phone.

As a side note, it has nothing to do with business or residential accounts as I can access the network equally as well from either.

I'm actually half hoping that this is just some weird and massive honeynet or something, because the thought of it being anything that is actually functional is beyond retarded.

Bizarre question

Sieravor

Gawd

Xipher

2[H]4U

Jay_2

2[H]4U

Sieravor

Gawd

Jay_2

2[H]4U

Sniper|3d-R|

Supreme [H]ardness

Jay_2

2[H]4U

RoBo

2[H]4U

leSLIe

Fisting is Too Mainstream for Me

Atech

2[H]4U

Sieravor

Gawd

Fint

[H]ard|Gawd

Jay_2

2[H]4U

Jon855

[H]ard DCOTM January 2008

Sieravor

Gawd