Honeypots mailing list archives
Re: Excluding address ranges in arpd/honeyd
From: Valdis.Kletnieks () vt edu
Date: Sun, 13 Jun 2004 21:49:07 -0400
On Fri, 11 Jun 2004 14:07:26 CDT, Williams Jon <WilliamsJonathan () JohnDeere com> said:
> So, now my IDS starts seeing something odd. It is getting packets sourced from 224.0.0.2, an IANA-reserved multicast address that is NEVER supposed to be the source of any packet, destined to the default router in my local subnet. Checking further, it appears that honeyd happily responded, just as configured, to the HSRP packets being sent to 224.0.0.2 with an ICMP port unreach, sourced by the multicast address! Now, the router guys tell me that this is a Bad Thing(TM).
Which is why good router guys bogon-filter this sort of stuff.. ;) http://www.cymru.com/Bogons/index.html says that a *source* address anywhere in 224.0.0.0/3 (yes, 3, not 8) is a bogon. Just do the world a favor, and if you bogon-filter, make sure they're kept up to date. The people in the 69/8 range felt a lot of pain, and things didn't get much better for early adopters of 70/8....
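As an added example (not part of the original post, and not honeyd or arpd code), the two checks discussed in this message can be written as a small audit over packet records: flag any source address inside 224.0.0.0/3, and mark packets addressed to multicast or broadcast destinations as ones a responder must not answer with an ICMP error. The function names, the 192.0.2.0/24 subnet and the sample packets are constructed for illustration; the no-reply rule follows RFC 1122 section 3.2.2, which the thread itself does not cite.

```python
import ipaddress

# 224.0.0.0/3 spans 224.0.0.0 through 255.255.255.255: multicast (224/4),
# 240/4 and limited broadcast. None of it is valid as an IPv4 source.
BOGON_SOURCE = ipaddress.ip_network("224.0.0.0/3")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_bogon_source(src):
    """True if src must never appear as a packet's source address."""
    return ipaddress.ip_address(src) in BOGON_SOURCE


def may_send_icmp_error(dst, local_net):
    """False if the packet was sent to a multicast or broadcast destination.

    A host that answers such a packet with an ICMP error, using the
    destination as its own source, emits exactly the bogon-sourced
    traffic described in the thread.
    """
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(local_net)
    return not (addr in MULTICAST
                or addr == LIMITED_BROADCAST
                or addr == net.broadcast_address)


def audit(packets, local_net):
    """Return (packet number, finding) pairs for a list of packet records."""
    findings = []
    for n, (src, dst, _desc) in enumerate(packets, 1):
        if is_bogon_source(src):
            findings.append((n, "bogon-source"))
        if not may_send_icmp_error(dst, local_net):
            findings.append((n, "suppress-reply"))
    return findings


# Constructed sample records: (source, destination, description).
SAMPLE = [
    ("192.0.2.2", "224.0.0.2", "udp/1985 HSRP hello"),
    ("224.0.0.2", "192.0.2.1", "icmp port-unreachable"),
    ("192.0.2.50", "192.0.2.77", "tcp/22 SYN"),
    ("192.0.2.50", "192.0.2.255", "udp/137 to subnet broadcast"),
    ("240.1.2.3", "192.0.2.77", "tcp/80 SYN"),
]

if __name__ == "__main__":
    for number, finding in audit(SAMPLE, "192.0.2.0/24"):
        print(number, finding, SAMPLE[number - 1])
```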
Current thread:
- Excluding address ranges in arpd/honeyd Williams Jon (Jun 11)
- Re: Excluding address ranges in arpd/honeyd Valdis . Kletnieks (Jun 13)
- <Possible follow-ups>
- RE: Excluding address ranges in arpd/honeyd Williams Jon (Jun 14)