Re: [nsp] known networks for broadcast ping attacks
From: "Jeffrey S. Curtis" <curtis () anl gov>
Date: Wed, 30 Jul 1997 16:06:02 -0500
Jay R. Ashworth writes:

}Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
}packets with destination address which are broadcast addresses?

Why? It's a useful tool.

}Ok, yes, I know that CIDR makes this harder, but knowing which nets
}fall on non-octet boundaries is non-obvious, too, and this particular
}attack wasn't trying...

It's not hard - a host knows its own subnet mask and therefore can
calculate its broadcast address trivially (my IP address logical-AND
my subnet mask, plus all ones in the zero-portion of the mask).

}.255 is _always_ a broadcast address, no?

Wrong - consider what happens on nets whose subnet mask is less than
24 bits long (I have many such nets). 10.1.1.255 is a unicast host
address if the mask is /23, or /22, or...

Jeffrey S. Curtis | Internetwork Manager
Argonne National Laboratory | Email: curtis () anl gov
9700 South Cass Avenue, ECT-221 | Voice: 630/252-1789
Argonne, IL 60439 | Fax: 630/252-9689
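
The broadcast calculation described in the message above, written out as a host-side check on an ECHO_REQUEST destination. This is an added example, not part of the original post; the function names and sample addresses are constructed for illustration, and treating /31 and /32 as having no directed broadcast is an assumption that goes beyond the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse dotted-quad text into a host-order 32-bit value; 0 on success. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;                      /* too few fields or trailing junk */
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 0;
}

/* Directed broadcast: (address AND mask), then all ones in the host bits. */
uint32_t broadcast_of(uint32_t addr, unsigned prefix)
{
    /* A 32-bit shift by 32 is undefined in C, so /0 is special-cased. */
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (addr & mask) | ~mask;
}

/* 1 if dst is a broadcast destination for a host configured as local/prefix,
 * 0 if it is an ordinary address, -1 on malformed input. */
int is_broadcast_dst(const char *local, unsigned prefix, const char *dst)
{
    uint32_t l, d;
    if (prefix > 32 || parse_ipv4(local, &l) || parse_ipv4(dst, &d))
        return -1;
    if (d == 0xFFFFFFFFu)               /* limited broadcast */
        return 1;
    if (prefix >= 31)                   /* assumption: no directed broadcast */
        return 0;
    return d == broadcast_of(l, prefix);
}

int main(void)
{
    /* Constructed samples: the last octet alone decides nothing. */
    printf("10.1.1.255 from 10.1.1.7/24: %d\n", is_broadcast_dst("10.1.1.7", 24, "10.1.1.255"));
    printf("10.1.1.255 from 10.1.1.7/22: %d\n", is_broadcast_dst("10.1.1.7", 22, "10.1.1.255"));
    printf("10.1.0.255 from 10.1.0.7/23: %d\n", is_broadcast_dst("10.1.0.7", 23, "10.1.0.255"));
    printf("10.1.1.255 from 10.1.0.7/23: %d\n", is_broadcast_dst("10.1.0.7", 23, "10.1.1.255"));
    return 0;
}
```

The check only works with the receiving host's own prefix length; a remote observer that sees just the destination address cannot make the same decision.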