Re: [nsp] known networks for broadcast ping attacks

["Jay R. Ashworth" <jra () scfn thpl lib fl us>]

On Wed, Jul 30, 1997 at 04:06:02PM -0500, Jeffrey S. Curtis wrote:
> Jay R. Ashworth writes:
> }Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
> }packets with destination address which are broadcast addresses?
>
> Why? It's a useful tool.

Well... I guess so.

> }Ok, yes, I know that CIDR makes this harder, but knowing which nets
> }fall on non-octet boundaries is non-obvious, too, and this particular
> }attack wasn't trying...
>
> It's not hard - a host knows its own subnet mask and therefore can
> calculate its broadcast address trivially (my IP address logical-AND
> my subnet mask, plus all ones in the zero-portion of the mask).

My point was that an outside attacker wouldn't be able to figure out
what your internal subnetting was, and therefore filtering other
broadcast addresses wasn't as important.

> }.255 is _always_ a broadcast address, no?
>
> Wrong - consider what happens on nets whose subnet mask is less than
> 24 bits long (I have many such nets).  10.1.1.255 is a unicast host
> address if the mask is /23, or /22, or...

If you don't subnet, but do I not recall reading somewhere that octets
of .255 were deprecated in addresses if they were not intended to be
the broadcast address?

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592