[11484] in North American Network Operators' Group
Re: [nsp] known networks for broadcast ping attacks
daemon@ATHENA.MIT.EDU (Jeffrey S. Curtis)
Wed Jul 30 17:23:43 1997
Date: Wed, 30 Jul 1997 16:06:02 -0500
To: jordyn@bestweb.net, jra@scfn.thpl.lib.fl.us
Cc: amb@xara.net, cisco-nsp@cic.net, nanog@merit.edu
From: "Jeffrey S. Curtis" <curtis@anl.gov>
Jay R. Ashworth writes:
}Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
}packets with destination address which are broadcast addresses?
Why? It's a useful tool.
}Ok, yes, I know that CIDR makes this harder, but knowing which nets
}fall on non-octet boundaries is non-obvious, too, and this particular
}attack wasn't trying...
It's not hard - a host knows its own subnet mask and therefore can
calculate its broadcast address trivially (my IP address logical-AND
my subnet mask, plus all ones in the zero-portion of the mask).
}.255 is _always_ a broadcast address, no?
Wrong - consider what happens on nets whose subnet mask is less than
24 bits long (I have many such nets). 10.1.1.255 is a unicast host
address if the mask is /23, or /22, or...
Jeff
--
Jeffrey S. Curtis | Internetwork Manager
Argonne National Laboratory | Email: curtis@anl.gov
9700 South Cass Avenue, ECT-221 | Voice: 630/252-1789
Argonne, IL 60439 | Fax: 630/252-9689
