nanog mailing list archives

Re: [nsp] known networks for broadcast ping attacks
From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
Date: Wed, 30 Jul 1997 17:06:43 -0400

On Wed, Jul 30, 1997 at 04:06:02PM -0500, Jeffrey S. Curtis wrote:
> Jay R. Ashworth writes:
> }Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
> }packets with destination address which are broadcast addresses?
>
> Why? It's a useful tool.

Well... I guess so.

> }Ok, yes, I know that CIDR makes this harder, but knowing which nets
> }fall on non-octet boundaries is non-obvious, too, and this particular
> }attack wasn't trying...
>
> It's not hard - a host knows its own subnet mask and therefore can
> calculate its broadcast address trivially (my IP address logical-AND
> my subnet mask, plus all ones in the zero-portion of the mask).

My point was that an outside attacker wouldn't be able to figure out
what your internal subnetting was, and therefore filtering other
broadcast addresses wasn't as important.

> }.255 is _always_ a broadcast address, no?
>
> Wrong - consider what happens on nets whose subnet mask is less than
> 24 bits long (I have many such nets). is a unicast host
> address if the mask is /23, or /22, or...

If you don't subnet, but do I not recall reading somewhere that octets
of .255 were deprecated in addresses if they were not intended to be
the broadcast address?

-- jra
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
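
Added example, not part of the original message or of any IP stack's code: the broadcast calculation quoted in the thread (address AND mask, then all ones in the zero portion of the mask), used to decide whether a host should answer an ECHO_REQUEST. The function names, the reply policy and the sample subnets are assumptions constructed for illustration; the /31 and /32 handling goes beyond what the thread discusses.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def directed_broadcast(ip: str, mask: str) -> str:
    """(ip AND mask), then all ones in the zero portion of the mask."""
    addr = int(ipaddress.IPv4Address(ip))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address((addr & m) | (~m & ALL_ONES)))

def classify(dst: str, local_subnets) -> str:
    """Return 'broadcast', 'network', 'unicast' or 'foreign' for dst,
    judged against the subnets this host is actually attached to."""
    d = ipaddress.IPv4Address(dst)
    if int(d) == ALL_ONES:                      # limited broadcast
        return "broadcast"
    for net in map(ipaddress.IPv4Network, local_subnets):
        if d not in net:
            continue
        if net.prefixlen >= 31:                 # point-to-point / host route
            return "unicast"
        if d == net.broadcast_address:
            return "broadcast"
        if d == net.network_address:            # all-zeros host part
            return "network"
        return "unicast"
    return "foreign"

def should_answer_echo(dst: str, local_subnets) -> bool:
    """Hypothetical policy: reply to ECHO_REQUEST only when dst is unicast."""
    return classify(dst, local_subnets) == "unicast"

if __name__ == "__main__":
    # Constructed sample subnets and destinations.
    subnets = ["10.0.0.0/23", "192.168.1.0/25"]
    for dst in ["10.0.0.255", "10.0.1.255", "192.168.1.127", "192.168.1.255"]:
        print(dst, classify(dst, subnets), should_answer_echo(dst, subnets))
```

With a /23, 10.0.0.255 is an ordinary host and 10.0.1.255 is the broadcast; with a /25, the broadcast is 192.168.1.127, so a filter keyed on a trailing .255 octet both over-blocks and under-blocks.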
