North American Network Operators Group


Re: [nsp] known networks for broadcast ping attacks

  • From: Jay R. Ashworth
  • Date: Wed Jul 30 17:14:46 1997

On Wed, Jul 30, 1997 at 04:06:02PM -0500, Jeffrey S. Curtis wrote:
> Jay R. Ashworth writes:
> }Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
> }packets with destination address which are broadcast addresses?
> 
> Why? It's a useful tool.

Well... I guess so.

> }Ok, yes, I know that CIDR makes this harder, but knowing which nets
> }fall on non-octet boundaries is non-obvious, too, and this particular
> }attack wasn't trying...
> 
> It's not hard - a host knows its own subnet mask and therefore can
> calculate its broadcast address trivially (my IP address logical-AND
> my subnet mask, plus all ones in the zero-portion of the mask).

My point was that an outside attacker wouldn't be able to figure out
what your internal subnetting was, and therefore filtering other
broadcast addresses wasn't as important.

> }.255 is _always_ a broadcast address, no?
> 
> Wrong - consider what happens on nets whose subnet mask is less than
> 24 bits long (I have many such nets).  10.1.1.255 is a unicast host
> address if the mask is /23, or /22, or...

If you don't subnet, but do I not recall reading somewhere that octets
of .255 were deprecated in addresses if they were not intended to be
the broadcast address?

Cheers,
-- jra
-- 
Jay R. Ashworth                                                [email protected]
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
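
Added example, not part of the original message or thread: the broadcast calculation quoted above (address AND mask, plus all ones in the zero portion of the mask), used as the check a host could apply before answering an ECHO_REQUEST. The function names, the host address 10.1.1.7 and the subnet lists are constructed for illustration; the example goes beyond the single address in the message by also covering the limited broadcast and /31 and /32 prefixes.

```python
import socket
import struct

def to_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def to_str(value):
    """32-bit integer -> dotted-quad IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", value))

def netmask(prefix_len):
    """Prefix length (0..32) -> 32-bit netmask."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def broadcast_of(addr, prefix_len):
    """(address AND mask), then all ones in the zero portion of the mask."""
    mask = netmask(prefix_len)
    return to_str((to_int(addr) & mask) | (~mask & 0xFFFFFFFF))

def is_broadcast_dst(dst, local_subnets):
    """True if dst is the limited broadcast, or the directed broadcast of
    any locally configured subnet, given as (address, prefix_len) pairs."""
    if dst == "255.255.255.255":
        return True
    for addr, prefix_len in local_subnets:
        if prefix_len >= 31:
            continue  # /31 (RFC 3021) and /32 have no broadcast address
        if to_int(dst) == to_int(broadcast_of(addr, prefix_len)):
            return True
    return False

def should_answer_echo(dst, local_subnets):
    """Policy under discussion: do not reply to broadcast-addressed pings."""
    return not is_broadcast_dst(dst, local_subnets)

if __name__ == "__main__":
    # Constructed host 10.1.1.7 with three different masks. A trailing .255
    # alone does not decide the answer: 10.1.1.255 is the broadcast of
    # 10.1.1.0/24 and of 10.1.0.0/23, but a unicast host in 10.1.0.0/22,
    # and 10.1.0.255 is a unicast host in 10.1.0.0/23.
    for plen in (24, 23, 22):
        nets = [("10.1.1.7", plen)]
        print("/%d" % plen, "broadcast:", broadcast_of("10.1.1.7", plen),
              "| answer 10.1.1.255:", should_answer_echo("10.1.1.255", nets),
              "| answer 10.1.0.255:", should_answer_echo("10.1.0.255", nets))
```

The check only works with the host's own configured masks, which is the information an outside sender does not have.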