
| Subject: | Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only |
|---|---|
| Date: | Thu, 13 Apr 2006 09:02:08 +0200 |

On Wednesday, 2006-04-12 at 15:17:18 -0700, David Gillett wrote:

> This might be good advice in a similar context, but addresses with a "0" first octet are "local broadcast" addresses. Packets with this as a destination will be broadcast throughout the segment, and typically accepted and received by the host(s) whose remaining three octets match. (I had a recent incident here where Ettercap, or some similar tool, was trying to rely on this to forward intercepted packets to their original destination. Unfortunately, that was more broadcast traffic than that VLAN could support....)

RFC3330:

    0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
    network. Address 0.0.0.0/32 may be used as a source address for this
    host on this network; other addresses within 0.0.0.0/8 may be used to
    refer to specified hosts on this network [RFC1700, page 4].

RFC1700:

    Special Addresses

       There are five classes of IP addresses: Class A through Class E. Of
       these, Classes A, B, and C are used for unicast addresses, Class D is
       used for multicast addresses, and Class E addresses are reserved for
       future use.

       With the advent of classless addressing [CIDR1, CIDR2], the
       network-number part of an address may be of any length, and the whole
       notion of address classes becomes less important.

       There are certain special cases for IP addresses. These special cases
       can be concisely summarized using the earlier notation for an IP
       address:

          IP-address ::= { <Network-number>, <Host-number> }

       or

          IP-address ::= { <Network-number>, <Subnet-number>,
                           <Host-number> }

       if we also use the notation "-1" to mean the field contains all 1
       bits. Some common special cases are as follows:

          (a) {0, 0}

             This host on this network. Can only be used as a source
             address (see note later).

          (b) {0, <Host-number>}

             Specified host on this network. Can only be used as a
             source address.

I've never seen 0.x.y.z used for this, though. As a source or a
destination.

Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it? |
| Rockhound in "Armageddon", 1998, about the Space Shuttle |
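
One way to apply the RFC 3330 / RFC 1700 rules quoted in the message above when triaging exported flow records, as an added example that is not part of the original post. The record layout, the finding labels and the sample flows are constructed for illustration.

```python
import ipaddress

THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # RFC 3330 "this" network block
THIS_HOST = ipaddress.ip_address("0.0.0.0")       # RFC 1700 case (a) {0, 0}


def classify_flow(src, dst):
    """Return findings (hypothetical labels) for one flow's endpoints."""
    findings = []
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if d in THIS_NETWORK:
        # Cases (a) and (b) are source-only, so a 0/8 destination is out of spec.
        findings.append("dst-in-0/8-out-of-spec")
    if s == THIS_HOST:
        # Case (a): permitted as a source, e.g. a DHCP client without a lease.
        findings.append("src-this-host")
    elif s in THIS_NETWORK:
        # Case (b): permitted as a source on paper; worth a look in practice.
        findings.append("src-specified-host-on-this-net")
    return findings


# Constructed sample records: (src, dst, dst_port, packets)
SAMPLE_FLOWS = [
    ("0.0.0.0", "255.255.255.255", 67, 4),
    ("0.12.34.56", "10.1.2.3", 445, 120),
    ("10.1.2.3", "0.1.2.3", 80, 9000),
    ("10.1.2.3", "10.1.2.4", 22, 15),
]


def triage(flows):
    """Keep only flows that touch 0.0.0.0/8, with their findings attached."""
    report = []
    for src, dst, port, packets in flows:
        findings = classify_flow(src, dst)
        if findings:
            report.append((src, dst, port, packets, findings))
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(row)
```
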