RE: Bogon IPs traffic only seen by netflow, confined within a VLAN only

["David Gillett" <gillettdavid () fhda edu>]

  This might be good advice in a similar context, but addresses with
a "0" first octet are "local broadcast" addresses.  Packets with this
as a destination will be broadcast throughout the segment, and typically 
accepted and received by the host(s) whose remaining three octets match.
(I had a recent incident here where Ettercap, or some similar tool, was 
trying to rely on this to forward intercepted packets to their original
destination.  Unfortunately, that was more broadcast traffic than that 
VLAN could support....)

  In this case, the poster was seeing them as (spoofed?) source addresses.
Hmmm.  I wonder if that could have been intended to provoke a broadcast
storm of replies?

  In any case, trying to actually use such a beast as a configured address
seems like a Really Bad Idea.

David Gillett


> -----Original Message-----
> From: tsteeves () uvic ca [mailto:tsteeves () uvic ca] 
> Sent: Wednesday, April 12, 2006 11:12 AM
> To: incidents () securityfocus com
> Subject: Re: Bogon IPs traffic only seen by netflow, confined 
> within a VLAN only
>
> Take an IP from the source host network and add it as a 
> secondary IP on the routed interface for the vlan - for the 
> 0.10.94.27 host add "ip address 0.10.94.254 secondary" to the 
> router. Then do a broadcast ping from the router - ping 
> 0.10.94.255. Then show the arp cache for the vlan - show ip 
> arp vlan xxx | include 0.10.94. - Do you see any entries 
> besides the router interface? If no, you probably have a 
> misconfigured/buggy device on the network. If  there are 
> entries, you will be provided with MAC addresses which you 
> can track down easily to the switchport in question. I use 
> this technique to track down rougue DHCP servers, Access Points etc.