RE: Bogon IPs traffic only seen by netflow, confined within a VLAN only
This might be good advice in a similar context, but addresses with
a "0" first octet are "local broadcast" addresses. Packets with this
as a destination will be broadcast throughout the segment, and typically
accepted and received by the host(s) whose remaining three octets match.
(I had a recent incident here where Ettercap, or some similar tool, was
trying to rely on this to forward intercepted packets to their original
destination. Unfortunately, that was more broadcast traffic than that
VLAN could support....)

In this case, the poster was seeing them as (spoofed?) source addresses.
Hmmm. I wonder if that could have been intended to provoke a broadcast
storm of replies?

In any case, trying to actually use such a beast as a configured address
seems like a Really Bad Idea.

David Gillett


-----Original Message-----
From: tsteeves@xxxxxxx [mailto:tsteeves@xxxxxxx]
Sent: Wednesday, April 12, 2006 11:12 AM
To: incidents@xxxxxxxxxxxxxxxxx
Subject: Re: Bogon IPs traffic only seen by netflow, confined
within a VLAN only

Take an IP from the source host network and add it as a
secondary IP on the routed interface for the vlan - for the
0.10.94.27 host add "ip address 0.10.94.254 secondary" to the
router. Then do a broadcast ping from the router - ping
0.10.94.255. Then show the arp cache for the vlan - show ip
arp vlan xxx | include 0.10.94. - Do you see any entries
besides the router interface? If no, you probably have a
misconfigured/buggy device on the network. If there are
entries, you will be provided with MAC addresses which you
can track down easily to the switchport in question. I use
this technique to track down rogue DHCP servers, access points, etc.
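Added example, not code from either poster: a small Python parser for the "show ip arp" step of the procedure quoted above. It assumes Cisco-style ARP table output (the sample below is constructed), skips the router's own addresses (age "-", which includes the secondary IP added for the probe), and converts the MACs to colon form for looking up the switchport.

```python
"""Parse Cisco-style 'show ip arp' output and list the hosts that answered
from a bogon 0.0.0.0/8 range during the broadcast-ping probe."""
import ipaddress
import re

# Constructed sample of 'show ip arp vlan xxx | include 0.10.94.' output.
# 0.10.94.254 is the router's probe address (Age '-'); the others are learned.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  0.10.94.254             -   0011.2233.4455  ARPA   Vlan100
Internet  0.10.94.27              3   000c.29aa.bb01  ARPA   Vlan100
Internet  0.10.94.40              0   0019.d1ff.0c02  ARPA   Vlan100
Internet  10.10.94.1              -   0011.2233.4455  ARPA   Vlan100
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<iface>\S+)\s*$"
)


def cisco_mac_to_colon(mac: str) -> str:
    """0011.2233.4455 -> 00:11:22:33:44:55, the form most MAC lookups expect."""
    hexdigits = mac.replace(".", "")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def suspect_arp_entries(arp_output: str, network: str = "0.0.0.0/8"):
    """Return (ip, mac, interface) for learned ARP entries inside `network`.

    Entries with Age '-' belong to the router itself (its own interface
    addresses, including the secondary IP added for the probe) and are skipped.
    """
    net = ipaddress.ip_network(network)
    found = []
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line)
        if not m or m["age"] == "-":
            continue
        ip = ipaddress.ip_address(m["ip"])
        if ip in net:
            found.append((str(ip), cisco_mac_to_colon(m["mac"]), m["iface"]))
    return found


if __name__ == "__main__":
    for ip, mac, iface in suspect_arp_entries(SAMPLE_ARP):
        print(f"{ip:<15} {mac}  {iface}  -> locate with 'show mac address-table'")
```

An empty result after the broadcast ping points back to the misconfigured or buggy device case the poster describes; any remaining entries give the MACs to trace to a switchport.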
