This might be good advice in a similar context, but addresses with
a "0" first octet are "local broadcast" addresses. Packets with this
as a destination will be broadcast throughout the segment, and typically
accepted and received by the host(s) whose remaining three octets match.
(I had a recent incident here where Ettercap, or some similar tool, was
trying to rely on this to forward intercepted packets to their original
destination. Unfortunately, that was more broadcast traffic than that
VLAN could support....)
In this case, the poster was seeing them as (spoofed?) source addresses.
Hmmm. I wonder if that could have been intended to provoke a broadcast
storm of replies?
In any case, trying to actually use such a beast as a configured address
seems like a Really Bad Idea.
David Gillett
-----Original Message-----
From: tsteeves@uvic.ca [mailto:tsteeves@uvic.ca]
Sent: Wednesday, April 12, 2006 11:12 AM
To: incidents@securityfocus.com
Subject: Re: Bogon IPs traffic only seen by netflow, confined
within a VLAN only
Take an IP from the source host network and add it as a
secondary IP on the routed interface for the vlan - for the
0.10.94.27 host add "ip address 0.10.94.254 secondary" to the
router. Then do a broadcast ping from the router - ping
0.10.94.255. Then show the arp cache for the vlan - show ip
arp vlan xxx | include 0.10.94. - Do you see any entries
besides the router interface? If no, you probably have a
misconfigured/buggy device on the network. If there are
entries, you will be provided with MAC addresses which you
can track down easily to the switchport in question. I use
this technique to track down rougue DHCP servers, Access Points etc.
