[3320] in bugtraq

Re: Reachable addresses on the net (was SYN floods)

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Sep 3 11:35:52 1996

Date: 	Tue, 3 Sep 1996 02:49:43 -0400
Reply-To: Jared Mauch <jared@wolverine.hq.cic.net>
From: Jared Mauch <jared@wolverine.hq.cic.net>
X-To:         oxymoron@WASTE.ORG
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <Pine.LNX.3.93.960831180706.11491B-200000@waste.org> from Oliver
              Xymoron at "Aug 31, 96 06:10:50 pm"

        Well, all I have to say is that 127.0.0.0 is routed via your
lo device. :-)

        This information is misleading.

        Yes, lots of sites out there are reachable, and if you're
looking for a nonexistent host, get on a router that runs full
routing, and look at its routing table, find a space that isn't routed
and you're there.

        If you wanna find a host, find address space which is routed,
and start at the top or bottom of a /24, that's where most people number
their machines from.

        - jared

Oliver Xymoron graced my mailbox with this long sought knowledge:
> The discussion of whether a random address was reachable (someone had
> claimed about half were) got me thinking.. what percentage of addresses
> are in fact reachable? Should be easy enough to find out - just write a
> little Perl script to ping random hosts.. a day and several full file and
> process tables, and about two hours of actual runtime later:
>
> ---
> ...
> +160.16.82.221 (151/31246= 0.4833%) 6597s 4.74pings/s
> +127.232.79.6 (152/31326= 0.4852%) 6614s 4.74pings/s
> +130.151.41.1 (153/31332= 0.4883%) 6615s 4.74pings/s
> +127.123.38.41 (154/31477= 0.4892%) 6646s 4.74pings/s
> +127.164.49.30 (155/31479= 0.4924%) 6646s 4.74pings/s
> +127.217.192.59 (156/31561= 0.4943%) 6664s 4.74pings/s
> +127.148.252.233 (157/31576= 0.4972%) 6667s 4.74pings/s
> +127.120.54.186 (158/31641= 0.4994%) 6680s 4.74pings/s
> +127.10.92.143 (159/31680= 0.5019%) 6689s 4.74pings/s
> +127.96.165.69 (160/32091= 0.4986%) 6775s 4.74pings/s
> +127.153.219.200 (161/32515= 0.4952%) 6864s 4.74pings/s
> +127.42.59.52 (162/32806= 0.4938%) 6925s 4.74pings/s
> +127.239.225.13 (163/32869= 0.4959%) 6938s 4.74pings/s
> +127.142.104.4 (164/33048= 0.4962%) 6976s 4.74pings/s
> +127.175.215.62 (165/33111= 0.4983%) 6989s 4.74pings/s
> +140.122.51.171 (166/33568= 0.4945%) 7085s 4.74pings/s
> +127.253.175.177 (167/33724= 0.4952%) 7118s 4.74pings/s
> +127.20.8.231 (168/33978= 0.4944%) 7171s 4.74pings/s
> +127.190.255.36 (169/34368= 0.4917%) 7253s 4.74pings/s
> +127.119.24.35 (170/35244= 0.4824%) 7437s 4.74pings/s
>
> Tried: 35519 Reached: 170 ( 0.4786%)
> Runtime: 7495 s at 4.74 pings/s
> Probable reachable sites on the net: 20556446
> ---
>
> The program forks 50 times (giving a load average of about 0.1 on my
> machine), and the parent sends a random address to each child to try.
> When the child pings or times out after 10 seconds, it returns a message
> to the parent which tabulates it and sends a new address to try. It makes
> some small effort to keep outgoing pings from piling up on each other as
> well.  Gave me an excuse to try out pipes, select, and signal handling in
> Perl..
>
> As you can see, the address space is still quite sparse (less than 1 out
> of every 200 addresses is reachable in my test), with most being inside
> the 127 net.  At least for the purpose of SYN flooding, the assumption
> that a random address is unreachable is probably safe and probably quite
> useful. Any local protection has to bear this in mind, and perhaps keep a
> cache of known good addresses handy.
>
> [program code nuked]
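
The loopback objection raised in the reply, checked against the quoted output. This is an added example, not code from either message; the function names are the example's own, and it assumes the script sampled all 2^32 addresses uniformly and that every probe into 127.0.0.0/8 was answered by the local lo device.

```python
import ipaddress
import re

# Hit lines copied from the quoted output in the message above.
EXCERPT = """\
+160.16.82.221 (151/31246= 0.4833%) 6597s 4.74pings/s
+127.232.79.6 (152/31326= 0.4852%) 6614s 4.74pings/s
+130.151.41.1 (153/31332= 0.4883%) 6615s 4.74pings/s
+127.123.38.41 (154/31477= 0.4892%) 6646s 4.74pings/s
+127.164.49.30 (155/31479= 0.4924%) 6646s 4.74pings/s
+127.217.192.59 (156/31561= 0.4943%) 6664s 4.74pings/s
+127.148.252.233 (157/31576= 0.4972%) 6667s 4.74pings/s
+127.120.54.186 (158/31641= 0.4994%) 6680s 4.74pings/s
+127.10.92.143 (159/31680= 0.5019%) 6689s 4.74pings/s
+127.96.165.69 (160/32091= 0.4986%) 6775s 4.74pings/s
+127.153.219.200 (161/32515= 0.4952%) 6864s 4.74pings/s
+127.42.59.52 (162/32806= 0.4938%) 6925s 4.74pings/s
+127.239.225.13 (163/32869= 0.4959%) 6938s 4.74pings/s
+127.142.104.4 (164/33048= 0.4962%) 6976s 4.74pings/s
+127.175.215.62 (165/33111= 0.4983%) 6989s 4.74pings/s
+140.122.51.171 (166/33568= 0.4945%) 7085s 4.74pings/s
+127.253.175.177 (167/33724= 0.4952%) 7118s 4.74pings/s
+127.20.8.231 (168/33978= 0.4944%) 7171s 4.74pings/s
+127.190.255.36 (169/34368= 0.4917%) 7253s 4.74pings/s
+127.119.24.35 (170/35244= 0.4824%) 7437s 4.74pings/s
"""
HIT = re.compile(r"^\+(\d+\.\d+\.\d+\.\d+) \(", re.M)

def split_hits(log):
    """Return (loopback, other) lists of reached addresses found in log."""
    loopback, other = [], []
    for m in HIT.finditer(log):
        addr = ipaddress.IPv4Address(m.group(1))
        (loopback if addr.is_loopback else other).append(addr)
    return loopback, other

def extrapolate(reached, tried, space=2**32):
    """Scale a sampled hit rate up to the whole address space."""
    return reached * space // tried

def expected_loopback(tried):
    """Assumption: uniform sampling puts 1/256 of all tries inside 127/8."""
    return round(tried / 256)

if __name__ == "__main__":
    lo, other = split_hits(EXCERPT)
    print(f"excerpt: {len(lo)} loopback hits, {len(other)} routed hits")
    print("figure as posted:", extrapolate(170, 35519))
    n = expected_loopback(35519)
    print("without expected loopback hits:", extrapolate(170 - n, 35519 - n))
```

Under those assumptions roughly 139 of the 170 hits are the sender's own loopback, in line with the 17 of 20 visible in the excerpt, so the share of remote addresses that answered is far below the posted 0.4786%.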
