Re: [nsp] known networks for broadcast ping attacks
Jay R. Ashworth writes:
}Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
}packets with destination address which are broadcast addresses?

Why? It's a useful tool.

}Ok, yes, I know that CIDR makes this harder, but knowing which nets
}fall on non-octet boundaries is non-obvious, too, and this particular
}attack wasn't trying...

It's not hard - a host knows its own subnet mask and therefore can calculate its broadcast address trivially (my IP address logical-AND my subnet mask, plus all ones in the zero-portion of the mask).

}.255 is _always_ a broadcast address, no?

Wrong - consider what happens on nets whose subnet mask is less than 24 bits long (I have many such nets). 10.1.1.255 is a unicast host address if the mask is /23, or /22, or...

Jeff
--
Jeffrey S. Curtis | Internetwork Manager
Argonne National Laboratory | Email: curtis@anl.gov
9700 South Cass Avenue, ECT-221 | Voice: 630/252-1789
Argonne, IL 60439 | Fax: 630/252-9689

On Wed, Jul 30, 1997 at 04:06:02PM -0500, Jeffrey S. Curtis wrote:
Jay R. Ashworth writes:
}Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
}packets with destination address which are broadcast addresses?
Why? It's a useful tool.
Well... I guess so.
}Ok, yes, I know that CIDR makes this harder, but knowing which nets
}fall on non-octet boundaries is non-obvious, too, and this particular
}attack wasn't trying...
It's not hard - a host knows its own subnet mask and therefore can calculate its broadcast address trivially (my IP address logical-AND my subnet mask, plus all ones in the zero-portion of the mask).
My point was that an outside attacker wouldn't be able to figure out what your internal subnetting was, and therefore filtering other broadcast addresses wasn't as important.
}.255 is _always_ a broadcast address, no?
Wrong - consider what happens on nets whose subnet mask is less than 24 bits long (I have many such nets). 10.1.1.255 is a unicast host address if the mask is /23, or /22, or...
If you don't subnet, but do I not recall reading somewhere that octets of .255 were deprecated in addresses if they were not intended to be the broadcast address?

Cheers,
-- jra
--
Jay R. Ashworth | jra@baylink.com
Member of the Technical Staff | Unsolicited Commercial Emailers Sued
The Suncoast Freenet
Tampa Bay, Florida | +1 813 790 7592
"People propose, science studies, technology conforms." -- Dr. Don Norman
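
The broadcast calculation described in this thread (address AND mask, plus all ones in the zero portion of the mask), set beside the "ends in .255" rule, as an added example that is not part of either poster's message. The function names and the 10.1.x.x sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Pack a dotted quad into a host-order 32-bit value. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Netmask for prefix length 0..32; a shift by 32 is undefined in C, so /0 is special-cased. */
static uint32_t mask_of(unsigned prefix_len)
{
    return prefix_len == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix_len));
}

/* (address AND mask), plus all ones in the zero portion of the mask. */
uint32_t directed_broadcast(uint32_t addr, unsigned prefix_len)
{
    uint32_t mask = mask_of(prefix_len);
    return (addr & mask) | ~mask;
}

/* Check a host could apply before answering an ECHO_REQUEST: is dst the
 * broadcast address of the subnet configured on the receiving interface? */
int is_subnet_broadcast(uint32_t dst, uint32_t if_addr, unsigned prefix_len)
{
    if (prefix_len >= 31)   /* /31 and /32 have no separate broadcast address */
        return 0;
    return dst == directed_broadcast(if_addr, prefix_len);
}

/* The octet-boundary rule questioned in the thread. */
int ends_in_255(uint32_t dst) { return (dst & 0xFFu) == 0xFFu; }

static void show(const char *dst_txt, uint32_t dst, uint32_t if_addr, unsigned len)
{
    printf("%-11s on /%u: broadcast=%d ends_in_255=%d\n",
           dst_txt, len, is_subnet_broadcast(dst, if_addr, len), ends_in_255(dst));
}

int main(void)
{
    show("10.1.1.255", ip4(10,1,1,255), ip4(10,1,1,7), 24); /* broadcast of 10.1.1.0/24 */
    show("10.1.0.255", ip4(10,1,0,255), ip4(10,1,0,7), 23); /* host inside 10.1.0.0/23  */
    show("10.1.1.255", ip4(10,1,1,255), ip4(10,1,0,7), 22); /* host inside 10.1.0.0/22  */
    show("10.1.1.127", ip4(10,1,1,127), ip4(10,1,1,7), 25); /* broadcast, not .255      */
    return 0;
}
```

The last two cases show the octet rule failing in both directions: it flags a host address on a /22 and misses the broadcast address of a /25.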