Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Reachable addresses on the net (was SYN floods)
From: jared () wolverine hq cic net (Jared Mauch)
Date: Tue, 3 Sep 1996 02:49:43 -0400

        Well, all I have to say is that is routed via your
lo device. :-)

        This infromation is misleading.

        Yes, lots of sites out there are reachable, and if you're
looking for a nonexistant host, get on a router that runs full
routing, and look at it's routing table, find a space that isn't routed
and you're there.

        If you wanna find a host, find address space which is routed,
and start at the top or bottom of a /24, that's where most people number
their machines from.

        - jared

Oliver Xymoron graced my mailbox with this long sought knowledge:
The discussion of whether a random address was reachable (someone had
claimed about half were) got me thinking.. what percentage of addresses
are in fact reachable? Should be easy enough to find out - just write a
little Perl script to ping random hosts.. a day and several full file and
process tables, and about two hours of actual runtime later:

+ (151/31246= 0.4833%) 6597s 4.74pings/s
+ (152/31326= 0.4852%) 6614s 4.74pings/s
+ (153/31332= 0.4883%) 6615s 4.74pings/s
+ (154/31477= 0.4892%) 6646s 4.74pings/s
+ (155/31479= 0.4924%) 6646s 4.74pings/s
+ (156/31561= 0.4943%) 6664s 4.74pings/s
+ (157/31576= 0.4972%) 6667s 4.74pings/s
+ (158/31641= 0.4994%) 6680s 4.74pings/s
+ (159/31680= 0.5019%) 6689s 4.74pings/s
+ (160/32091= 0.4986%) 6775s 4.74pings/s
+ (161/32515= 0.4952%) 6864s 4.74pings/s
+ (162/32806= 0.4938%) 6925s 4.74pings/s
+ (163/32869= 0.4959%) 6938s 4.74pings/s
+ (164/33048= 0.4962%) 6976s 4.74pings/s
+ (165/33111= 0.4983%) 6989s 4.74pings/s
+ (166/33568= 0.4945%) 7085s 4.74pings/s
+ (167/33724= 0.4952%) 7118s 4.74pings/s
+ (168/33978= 0.4944%) 7171s 4.74pings/s
+ (169/34368= 0.4917%) 7253s 4.74pings/s
+ (170/35244= 0.4824%) 7437s 4.74pings/s

Tried: 35519 Reached: 170 ( 0.4786%)
Runtime: 7495 s at 4.74 pings/s
Probable reachable sites on the net: 20556446

The program forks 50 times (giving a load average of about 0.1 on my
machine), and the parent sends a random address to each child to try.
When the child pings or times out after 10 seconds, it returns a message
to the parent which tabulates it and sends a new address to try. It makes
some small effort to keep outgoing pings from piling up on each other as
well.  Gave me an excuse to try out pipes, select, and signal handling in

As you can see, the address space is still quite sparse (less than 1 out
of every 200 addresses is reachable in my test), with most being inside
the 127 net.  At least for the purpose of SYN flooding, the assumption
that a random address is unreachable is probably safe and probably quite
useful. Any local protection has to bear this in mind, and perhaps keep a
cache of known good addresses handy.

[program code nuked]

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]