Security Incidents mailing list archives
RE: Bogon IPs traffic only seen by netflow, confined within a VLAN only
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 12 Apr 2006 15:17:18 -0700
This might be good advice in a similar context, but addresses with a "0" first octet are "local broadcast" addresses. Packets with this as a destination will be broadcast throughout the segment, and typically accepted and received by the host(s) whose remaining three octets match. (I had a recent incident here where Ettercap, or some similar tool, was trying to rely on this to forward intercepted packets to their original destination. Unfortunately, that was more broadcast traffic than that VLAN could support....)

In this case, the poster was seeing them as (spoofed?) source addresses. Hmmm. I wonder if that could have been intended to provoke a broadcast storm of replies?

In any case, trying to actually use such a beast as a configured address seems like a Really Bad Idea.

David Gillett

-----Original Message-----
From: tsteeves () uvic ca [mailto:tsteeves () uvic ca]
Sent: Wednesday, April 12, 2006 11:12 AM
To: incidents () securityfocus com
Subject: Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only

Take an IP from the source host network and add it as a secondary IP on the routed interface for the vlan - for the 0.10.94.27 host add "ip address 0.10.94.254 secondary" to the router. Then do a broadcast ping from the router - ping 0.10.94.255. Then show the arp cache for the vlan - show ip arp vlan xxx | include 0.10.94. - Do you see any entries besides the router interface?

If no, you probably have a misconfigured/buggy device on the network. If there are entries, you will be provided with MAC addresses which you can track down easily to the switchport in question.

I use this technique to track down rogue DHCP servers, Access Points etc.
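
An added example, not part of either post: a Python sketch of the ARP-cache check described in the quoted message, listing resolved entries inside the bogon prefix other than the router's own address. The sample output, MAC addresses and Vlan100 are constructed, and the column layout assumes Cisco IOS "show ip arp" output, where the router's own address shows an Age of "-".

```python
import ipaddress

# Constructed sample of "show ip arp" output; every address, MAC and
# the VLAN number are made up for illustration.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  0.10.94.254             -   0011.2233.4455  ARPA   Vlan100
Internet  0.10.94.27              0   00aa.bbcc.dd01  ARPA   Vlan100
Internet  192.0.2.10             12   00aa.bbcc.dd02  ARPA   Vlan100
Internet  0.10.94.31              0   Incomplete      ARPA
"""


def responders(arp_text, prefix):
    """Return [(ip, mac, interface)] for resolved ARP entries inside prefix,
    skipping the router's own address (Age column is '-')."""
    net = ipaddress.ip_network(prefix)
    found = []
    for line in arp_text.splitlines():
        fields = line.split()
        # Skip the header row and unresolved rows, which lack an interface.
        if len(fields) < 6 or fields[0] != "Internet":
            continue
        ip, age, mac, iface = fields[1], fields[2], fields[3], fields[5]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IPv4/IPv6 literal, ignore the row
        if addr not in net:
            continue  # legitimate hosts on the same VLAN
        if age == "-" or mac.lower() == "incomplete":
            continue  # router's own secondary address, or no reply seen
        found.append((ip, mac, iface))
    return found


if __name__ == "__main__":
    hits = responders(SAMPLE_ARP, "0.10.94.0/24")
    if not hits:
        print("no entries besides the router interface")
    for ip, mac, iface in hits:
        print(f"{ip} answered from {mac} on {iface}")
```

An empty result corresponds to the "no entries besides the router interface" case in the quoted message; each returned MAC is what would be traced to a switchport.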