Potential IP Attack?

  • Dan Clark
    Member
    • Jun 2008
    • 70
    • 4.0.0

    Potential IP Attack?

    We're having a problem where two IPs show up as guests: 172.16.11.7 and 172.16.11.8. These IP addresses will not resolve, i.e., they are not valid.

    They spend a lot of time viewing attachments. At the same time, the attachments start giving problems.

    I've added these IPs to the Miserable User IP box. It seems to block them most of the time, but not all the time.

    Anybody have an idea about these IPs? Who are they? How do you have an IP that will not resolve?

    Thanks for any pointers.

    Regards,

    Dan.
    Last edited by Dan Clark; Wed 13 Aug '08, 8:31pm.
  • Jake Bunce
    Senior Member
    • Dec 2000
    • 46598
    • 3.6.x

    #2
    Guests viewing attachments is not uncommon and is not indicative of a hack attempt.

    What attachment problems are you having? Any specific errors?


    • Dan Clark
      Member
      • Jun 2008
      • 70
      • 4.0.0

      #3
      Jake,

      The issue isn't the guests. It's that their IPs don't resolve.

      Also, at the same time these IPs show up, Album pics do not display at all and attachment pics show as just the file name. When you click on the attachment file name, it jumps to a login screen even though you are already logged in.

      Finally, these IPs are constantly viewing attachments for minutes at a time. Or maybe constantly opening and closing the attachments. The same IPs appear multiple times.

      Thanks,

      Dan.


      • palinoia
        New Member
        • Aug 2006
        • 10
        • 3.7.x

        #4
        Can't explain what you are seeing but I can tell you about the IP addresses you mention:
        Originally posted by Dan Clark
        ... their IP's don't resolve.
        You can have an IP that will not resolve simply by there being no reverse DNS entry for said IP address. To my knowledge there is no requirement for an address to have a reverse DNS entry, so you cannot rely on this information being available. A better check is to look up the net block owner (who owns the IP address).
        Originally posted by Dan Clark
        ... two IP's show up as guests: 172.16.11.7 and 172.16.11.8.
        However, those particular addresses don't resolve to DNS names because no one person owns them. They are part of a special address block reserved for private networks. See RFC 1918.

        If those addresses are not part of a private network to which your forum's server is attached, then something is amiss because traffic from or to those addresses would normally be dropped by the first public internet router it reached. For that reason you wouldn't normally see such addresses on a standalone public server. I think all the firewall configurations I've seen drop external traffic purporting to come from one of the private address ranges.

        It is possible they are local users though, if such users exist, or if you have connections coming through a proxy of some sort on the local network. In that case your server would probably have at least one private address on a similar subnet, and possibly only private addresses. At this point, though, there are so many possible configurations I'm just going to be guessing, which doesn't help you.

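The post above explains that 172.16.0.0/12 is RFC 1918 space and that the only way such addresses reach a public server's logs is through a host, proxy or NAT device on the server's own network. The script below is an added example (not code from this thread or from vBulletin) that runs the same reasoning over web-server access log lines: it classifies each peer address against the RFC 1918, loopback and link-local ranges, and recovers the real visitor from an X-Forwarded-For field when, and only when, the peer is a proxy you have decided to trust. The log lines, the appended X-Forwarded-For field and the TRUSTED_PROXIES network are constructed assumptions; adjust them to your own proxy.

```python
"""Classify client addresses in access logs and recover the real visitor
when the server sits behind a local proxy or NAT device (added example)."""
import ipaddress
import re
from collections import Counter

# Special-use IPv4 ranges that never belong to a public visitor
# (RFC 1918 plus the other ranges named in the thread).
SPECIAL_USE = {
    "rfc1918-private": [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}

# Assumption: the only box allowed to set X-Forwarded-For for us is a reverse
# proxy on this local subnet. A public peer can put anything in that header.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.11.0/24")]


def classify(addr):
    """Return the special-use category of an IP literal, or 'public'.
    Anything else the ipaddress module knows is not globally routable
    (documentation, CGNAT, multicast, ...) is reported as 'other-special-use'."""
    ip = ipaddress.ip_address(addr)
    for label, nets in SPECIAL_USE.items():
        if any(ip in n for n in nets):
            return label
    return "public" if ip.is_global else "other-special-use"


# Apache/nginx "combined" format with X-Forwarded-For appended as one more
# quoted field (e.g. LogFormat "... \"%{X-Forwarded-For}i\""). Constructed.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*"(?: "(?P<xff>[^"]*)")?$'
)


def real_client(remote, xff):
    """Trust X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then take the right-most hop, which is the address that proxy itself saw."""
    peer = ipaddress.ip_address(remote)
    if xff in (None, "", "-") or not any(peer in n for n in TRUSTED_PROXIES):
        return remote
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else remote


def analyze(lines):
    """Parse log lines into rows with the peer class and the real client."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rows.append({
            "remote": m["remote"],
            "remote_class": classify(m["remote"]),
            "client": real_client(m["remote"], m["xff"]),
            "request": m["request"],
        })
    return rows


def class_counts(rows):
    """How many hits came from each peer class; a non-zero RFC 1918 count on a
    public server means a local proxy/NAT hop, not a remote attacker."""
    return Counter(r["remote_class"] for r in rows)


# Constructed sample: two hits arriving via the 172.16.11.x proxy (one with the
# header logged, one without) and one direct visitor that spoofs the header.
# 198.51.100.77 is RFC 5737 documentation space standing in for a public peer.
SAMPLE_LOG = [
    '172.16.11.7 - - [13/Aug/2008:20:31:02 -0500] "GET /attachment.php?attachmentid=1234 HTTP/1.1" 200 48211 "-" "Mozilla/5.0" "203.0.113.45"',
    '172.16.11.8 - - [13/Aug/2008:20:31:03 -0500] "GET /attachment.php?attachmentid=1235 HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"',
    '198.51.100.77 - - [13/Aug/2008:20:31:05 -0500] "GET /album.php?albumid=7 HTTP/1.1" 200 10322 "-" "Mozilla/5.0" "192.0.2.99"',
]

if __name__ == "__main__":
    rows = analyze(SAMPLE_LOG)
    for r in rows:
        print(f'{r["remote"]:<15} {r["remote_class"]:<18} client={r["client"]:<15} {r["request"]}')
    print(dict(class_counts(rows)))
```

The second sample line shows why the proxy's header needs to be logged at all: without it the only address you will ever see for that visitor is the proxy's own 172.16.11.8, which is exactly the symptom described in the original post, and any per-IP blocking (such as the Miserable User IP list) then hits every visitor behind that proxy.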

        • slappy
          Senior Member
          • Apr 2003
          • 1206

          #5
          They also might be router addresses on your system, and may indicate a problem in NAT operation on your local routers.

          See:

          Verifying NAT Operation and Basic NAT Troubleshooting

          I'm no router expert, but this is one of the references I found by "googling" the IP number.

          Regards,
          Slappy


          • Dan Clark
            Member
            • Jun 2008
            • 70
            • 4.0.0

            #6
            Thanks for the help. We made some system changes and implemented some better security there. I think the problem has been resolved.

            Thanks!

            Dan.


            • Floris
              Senior Member
              • Dec 2001
              • 37767

              #7
              An IP is what will always exist; it is a name server entry that resolves a host to an IP, and then it requires a reverse resolve to support an IP resolving back to a host too. The latter usually isn't done.

              You can easily whois an IP address using tools from dnsstuff.com to find out the owner of the IP block and the general area it comes from.

              It is very common to find hosts browsing a site; they will usually resolve to an IP. It is also very common to find IPs browsing that do not resolve back to a host.


              • slappy
                Senior Member
                • Apr 2003
                • 1206

                #8
                Here's the results of a Whois search:

                Your WHOIS Search Results
                172.16.11.7

                Record Type: IP Address

                OrgName: Internet Assigned Numbers Authority
                OrgID: IANA
                Address: 4676 Admiralty Way, Suite 330
                City: Marina del Rey
                StateProv: CA
                PostalCode: 90292-6695
                Country: US

                NetRange: 172.16.0.0 - 172.31.255.255
                CIDR: 172.16.0.0/12
                NetName: IANA-BBLK-RESERVED
                NetHandle: NET-172-16-0-0-1
                Parent: NET-172-0-0-0-0
                NetType: IANA Special Use
                NameServer: BLACKHOLE-1.IANA.ORG
                NameServer: BLACKHOLE-2.IANA.ORG
                Comment: This block is reserved for special purposes.
                Comment: Please see RFC 1918 for additional information.
                Comment: http://www.arin.net/reference/rfc/rfc1918.txt
                RegDate: 1994-03-15
                Updated: 2007-11-27

                OrgAbuseHandle: IANA-IP-ARIN
                OrgAbuseName: Internet Corporation for Assigned Names and Number
                OrgAbusePhone: +1-310-301-5820
                OrgAbuseEmail: [email protected]

                OrgTechHandle: IANA-IP-ARIN
                OrgTechName: Internet Corporation for Assigned Names and Number
                OrgTechPhone: +1-310-301-5820
                OrgTechEmail: [email protected]

                Here's something of interest they have posted on their website:

                Does it look like we're attacking you?
                Some of the most common things we hear are "My network is under attack by IANA!" and "IANA is spamming me!" If you think this is the case, please take a few moments to read this page.

                The Internet Assigned Numbers Authority, or IANA, is responsible for the global coordination of IP addresses. Most of the used numbers are allocated via a regional allocation system to your ISP, which then automatically assigns one or more to you.

                There are, however, special sets of numbers that are designed not to be assigned to any particular person. Instead, they are general allocations that are either used in special ways, or designed for people to use internally within local networks.

                These numbers are primarily in the following ranges:

                Begins with 10. (i.e. 10.0.0.0 through to 10.255.255.255)
                Begins with 127.
                Begins with 169.254.
                Begins with 172.16. through 172.31.
                Begins with 192.168.

                Shows up in your logs with a name like blackhole-1.iana.org
                There are additional ranges of numbers that are also marked as “IANA Reserved” and similarly are not operated by IANA, although these are the most common ones we receive abuse reports concerning.

                If you are seeing unexplained Internet traffic to your computer from these numbers, it is important to remember the following things:

                The traffic does not come from IANA. As the authority for IP addresses, we have simply reserved these numbers in our databases, but we do not use or operate them, and we are not the source of the traffic.

                As use of these numbers is untracked and unrestricted, we can not tell you who is using these numbers.

                It is perfectly normal to see traffic from these numbers if you have a small home or office network. By default, most routers and access points use these numbers to assign to your local computers. It is most likely these numbers represent computers on your own internal network.

                If you see these numbers in the headers of an unsolicited email, they usually indicate transit between servers within a corporate network or ISP. They are not useful in identifying the origin of an email. In such cases you can usually find the true origin by looking for the earliest "Received" mail header that is not an IANA Reserved address.


                Regards,
                Slappy

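The IANA text quoted above ends with a procedure: to find where an e-mail really came from, take the earliest "Received" header whose address is not in one of the reserved ranges it lists. The script below is an added example (not from this thread or from IANA) that implements exactly that heuristic over a constructed message, using the five ranges from the quoted list, and alongside it the variant an incident responder actually uses: walk from the header your own mail server added downward and stop at the first hop outside the networks you trust, because a sender controls every Received header below the ones your own relays wrote. The sample message, its host names and the trusted network are constructed assumptions.

```python
"""Find the originating address of an e-mail from its Received: headers
(added example; the sample message and trusted network are constructed)."""
import email
import ipaddress
import re

# The reserved ranges named in the IANA text quoted above.
IANA_RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# The first bracketed IPv4 literal in a Received: header is the 'from' host.
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_iana_reserved(addr):
    """True if addr falls in one of the ranges IANA lists as reserved."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in IANA_RESERVED)


def received_chain(raw):
    """Bracketed 'from' addresses of each Received: header, from the most
    recent hop (top of the message) down to the earliest (bottom)."""
    msg = email.message_from_string(raw)
    chain = []
    for hdr in msg.get_all("Received", []):
        m = BRACKET_IP.search(hdr)
        chain.append(m.group(1) if m else None)
    return chain


def earliest_public_ip(raw):
    """IANA heuristic: scan from the earliest hop upward and return the first
    address that is not in a reserved range. Fooled by forged headers."""
    for addr in reversed(received_chain(raw)):
        if addr and not is_iana_reserved(addr):
            return addr
    return None


def first_untrusted_ip(raw, trusted_nets):
    """Walk from the header your own MTA added downward and return the first
    'from' address outside the networks you trust; headers below that point
    were written by the sender and prove nothing."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for addr in received_chain(raw):
        if addr is None:
            continue
        if not any(ipaddress.ip_address(addr) in n for n in nets):
            return addr
    return None


# Constructed message: our MX received it from an internal relay (10.0.0.5),
# which received it from the sender's MTA (203.0.113.45), which received it
# from a workstation on the sender's LAN (192.168.1.20).
SAMPLE = "\n".join([
    "Received: from relay.corp.example (relay.corp.example [10.0.0.5])",
    "\tby mx.corp.example with ESMTP id A1B2C3; Wed, 13 Aug 2008 20:31:00 -0500",
    "Received: from mail.sender.example (mail.sender.example [203.0.113.45])",
    "\tby relay.corp.example with ESMTP; Wed, 13 Aug 2008 20:30:58 -0500",
    "Received: from [192.168.1.20] (unknown [192.168.1.20])",
    "\tby mail.sender.example with ESMTPA; Wed, 13 Aug 2008 20:30:55 -0500",
    "From: someone@sender.example",
    "To: dan@corp.example",
    "Subject: test",
    "",
    "body",
])

# Same message with a bogus 'earliest' hop appended by the sender to frame an
# innocent third party (198.51.100.9).
FORGED_HOP = "\n".join([
    "Received: from mail.innocent.example (mail.innocent.example [198.51.100.9])",
    "\tby forged.example with ESMTP; Wed, 13 Aug 2008 20:30:50 -0500",
])
FORGED = SAMPLE.replace("From: someone", FORGED_HOP + "\nFrom: someone", 1)

if __name__ == "__main__":
    for label, msg in (("genuine", SAMPLE), ("forged", FORGED)):
        print(label, received_chain(msg))
        print("  IANA heuristic :", earliest_public_ip(msg))
        print("  first untrusted:", first_untrusted_ip(msg, ["10.0.0.0/8"]))
```

On the genuine message both methods agree on 203.0.113.45. On the forged one the IANA heuristic happily reports the framed 198.51.100.9, while the trusted-hop walk still stops at the address our own relay recorded. The same lesson applies to the thread's web-server case: an address is only meaningful if it was written down by a device you control.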

                • SloppyGoat
                  Senior Member
                  • Feb 2002
                  • 674

                  #9
                  Originally posted by palinoia
                  Can't explain what you are seeing but I can tell you about the IP addresses you mention: You can have an IP that will not resolve simply by there being no reverse DNS entry for said IP address. To my knowledge there is no requirement for an address to have a reverse DNS entry, so you cannot rely on this information being available. A better check is to look up the net block owner (who owns the IP address). However, those particular addresses don't resolve to DNS addresses because no one person owns them. They are part of a special address block reserved for private networks. See RFC 1918.
                  What if the IP is a class C IP, like 192.168.0.82? That can't be right, since it's an internal IP. Does this indicate IP spoofing? This IP is not in my scope.
                  The Grey Area - Tweaking Obsession
