Honeypots mailing list archives

RE: Excluding address ranges in arpd/honeyd


From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Mon, 14 Jun 2004 09:10:52 -0500

Agreed, routers should filter out the bogons to prevent them from
crossing the network, however I also believe that honeyd probably
shouldn't be creating bogons in the first place.  If we all know that it
is a violation of RFCs, common sense, and propriety for software to
source packets from a multicast address, then it seems to me that honeyd
should "know" this, either built-in or via a bogon config file, and
never send out packets with source addresses in the bogon list.

Jon 

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Sunday, June 13, 2004 8:49 PM
To: Williams Jon
Cc: honeypots () securityfocus com
Subject: Re: Excluding address ranges in arpd/honeyd

On Fri, 11 Jun 2004 14:07:26 CDT, Williams Jon
<WilliamsJonathan () JohnDeere com>  said:

So, now my IDS starts seeing something odd.  It is getting packets
sourced from 224.0.0.2, an IANA-reserved multicast address that is
NEVER supposed to be the source of any packet, destined to the default
router in my local subnet.  Checking further, it appears that honeyd
happily responded, just as configured, to the HSRP packets being sent
to 224.0.0.2 with an ICMP port unreach, sourced by the multicast address!

Now, the router guys tell me that this is a Bad Thing(TM).

Which is why good router guys bogon-filter this sort of stuff.. ;)

http://www.cymru.com/Bogons/index.html says that *source* addresses
anywhere in 224.0.0.0/3 (yes, 3, not 8) are bogons.

Just do the world a favor, and if you bogon-filter, make sure they're
kept up to date.  The people in the 69/8 range felt a lot of pain, and
things didn't get much better for early adopters of 70/8....
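
The check suggested in this thread, that a responder consult a bogon list before it sources a packet, as an added example (not honeyd code and not written by either poster). `bogon_add` and `source_is_bogon` are hypothetical names, and the only prefix loaded is the 224.0.0.0/3 range quoted above; the caller is assumed to pass the address it is about to use as the reply's source, i.e. the destination of the packet being answered.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct prefix { uint32_t net, mask; };      /* host byte order */
static struct prefix bogons[64];
static size_t nbogons;

/* Parse one "a.b.c.d/len" line of a bogon list; 0 on success, -1 on bad input. */
int bogon_add(const char *cidr)
{
    char buf[INET_ADDRSTRLEN], junk;
    struct in_addr a;
    unsigned len;
    const char *slash = strchr(cidr, '/');
    if (!slash || (size_t)(slash - cidr) >= sizeof(buf) || nbogons == 64)
        return -1;
    memcpy(buf, cidr, (size_t)(slash - cidr));
    buf[slash - cidr] = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1 ||
        sscanf(slash + 1, "%u%c", &len, &junk) != 1 || len > 32)
        return -1;
    /* A shift by 32 is undefined in C, so /0 is handled explicitly. */
    uint32_t mask = len ? 0xFFFFFFFFu << (32 - len) : 0;
    bogons[nbogons].mask = mask;
    bogons[nbogons].net = ntohl(a.s_addr) & mask;
    nbogons++;
    return 0;
}

/* Returns 1 if a packet sourced from `src` would be a bogon (drop the reply). */
int source_is_bogon(const char *src)
{
    struct in_addr a;
    if (inet_pton(AF_INET, src, &a) != 1)
        return 1;                           /* unparseable: fail closed */
    uint32_t ip = ntohl(a.s_addr);
    for (size_t i = 0; i < nbogons; i++)
        if ((ip & bogons[i].mask) == bogons[i].net)
            return 1;
    return 0;
}

int main(void)
{
    bogon_add("224.0.0.0/3");               /* the range quoted in the thread */
    printf("224.0.0.2 -> %s\n", source_is_bogon("224.0.0.2") ? "suppress reply" : "send");
    return 0;
}
```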


