Security Incidents mailing list archives

Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only

From: lupe () lupe-christoph de (Lupe Christoph)
Date: Thu, 13 Apr 2006 09:02:08 +0200

On Wednesday, 2006-04-12 at 15:17:18 -0700, David Gillett wrote:

  This might be good advice in a similar context, but addresses with
a "0" first octet are "local broadcast" addresses.  Packets with this
as a destination will be broadcast throughout the segment, and typically 
accepted and received by the host(s) whose remaining three octets match.
(I had a recent incident here where Ettercap, or some similar tool, was 
trying to rely on this to forward intercepted packets to their original
destination.  Unfortunately, that was more broadcast traffic than that 
VLAN could support....)


RFC3330:
   0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
   network.  Address 0.0.0.0/32 may be used as a source address for this
   host on this network; other addresses within 0.0.0.0/8 may be used to
   refer to specified hosts on this network [RFC1700, page 4].

RFC1700:
Special Addresses

There are five classes of IP addresses: Class A through Class E.  Of
these, Classes A, B, and C are used for unicast addresses, Class D is
used for multicast addresses, and Class E addresses are reserved for
future use.

With the advent of classless addressing [CIDR1, CIDR2], the
network-number part of an address may be of any length, and the whole
notion of address classes becomes less important.

There are certain special cases for IP addresses.  These special cases
can be concisely summarized using the earlier notation for an IP
address:

      IP-address ::=  { <Network-number>, <Host-number> }

         or

      IP-address ::=  { <Network-number>, <Subnet-number>,
                                                      <Host-number> }

if we also use the notation "-1" to mean the field contains all 1
bits.  Some common special cases are as follows:

      (a)   {0, 0}

         This host on this network.  Can only be used as a source
         address (see note later).

      (b)   {0, <Host-number>}

         Specified host on this network.  Can only be used as a
         source address.

I've never seen 0.x.y.z used for this, though. As a source or a
destination.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |

Current thread:

Bogon IPs traffic only seen by netflow, confined within a VLAN only Stef (Apr 09)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Roland Dobbins (Apr 10)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Valdis . Kletnieks (Apr 10)
  - Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Roland Dobbins (Apr 10)
- <Possible follow-ups>
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Stef (Apr 10)
  - Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Roland Dobbins (Apr 10)
    - Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only AJ Cochenour (Apr 11)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only stcroix111 (Apr 10)
- Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only tsteeves (Apr 12)
  - RE: Bogon IPs traffic only seen by netflow, confined within a VLAN only David Gillett (Apr 12)
    - Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only Lupe Christoph (Apr 13)