Ascend Archive

Re: (ASCEND) 127.0.0.[2-xxx]



On Sun, Dec 28, 1997 at 10:41:07PM +0100, Michiel Boland wrote:
> On Sun, 28 Dec 1997, Matt Holdrege wrote:
> 
> >      The reject (rj0) interface is always up. 
> > 
> >      The reject address is 127.0.0.2. Packets routed to this interface are
> > sent back to the source address with an ICMP "host unreachable" message.
> 
> When I ping the address 255.255.255.255 (from a cisco
> for instance), my max (5.0Ap5) responds with source address
> 127.0.0.2. Surely this is a bug?

THANKS. That explains it all:

1) Bad guys do a ping on our directed broadcast address
2) Our Cisco (when not equipped with "no ip directed-broadcast") rewrites
   this into a full broadcast (255.255.255.255) to the MAC broadcast
   (uuuh - that was unexpected, I thought it simply explodes into
   a MAC broadcast but stays a directed one on layer 3).
3) A hell of a lot of answers flood back to the poor victim (I'm somewhat
   sure that the real victim was the address these replies went to, if
   'da GuYz did this in parallel with some other sites that still respond
   to broadcast pings the victim is really shot to death [they got 150 MB
   in some 10 mins only from us]).
4) I stumbled around the part of replies that got off 127.0.0.2 and feared
   a break-in on one of our machines or customer profiles or at one of our
   customers. Stats from Radacct and MRTG however didn't see any excess
   traffic. Now I know why -->
5) The supposed-to-be-cracked 127.0.0.2 source was the set of Maxen in
   our net. They replied to the ICMP with this source IP for whatever
   reason. This is of course a bug, but on the other hand it saved us some
   bucks - traffic from 127.0.0.2 to somewhere in the Net doesn't match
   our IP-accounting slot at the upstream ISP ;)

Old bug? I remember that more than a year ago Ascend boxes responded to
a directed broadcast not from their own address, but from the directed
broadcast address. Thought that was fixed, but not entirely as it seems -
it doesn't happen with the directed broadcast any longer, but with
255.255.255.255 it still does.

-- 

Kanther-Line: PGP SSH IDEA MD5 GOST RIPE-MD160 3DES RSA FEAL32 RC4

+-o-+--------------------------------------------------------+-o-+
| o |               \\\- Brain Inside -///                   | o |
| o |                   ^^^^^^^^^^^^^^                       | o |
| o | Andre' Beck (ABPSoft) beck@ibh-dd.de XLink PoP Dresden | o |
+-o-+--------------------------------------------------------+-o-+
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
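
An added example, not part of the original post and not Ascend or Cisco code: a Python check over flow records that splits outbound ICMP echo replies by source class, showing how replies sourced from 127.0.0.0/8 fall outside per-prefix accounting while still reaching the flooded destination. The record format, function names, addresses and the 192.0.2.0/24 "own" prefix are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ICMP_ECHO_REPLY = 0

# Constructed flow records (not from the post): src dst proto icmp_type bytes
SAMPLE_FLOWS = """\
127.0.0.2 198.51.100.7 icmp 0 84000
192.0.2.10 198.51.100.7 icmp 0 61000
127.0.0.2 198.51.100.7 icmp 0 42000
192.0.2.11 203.0.113.5 tcp - 1500
192.0.2.12 198.51.100.7 icmp 8 64
192.0.2.13 203.0.113.9 icmp 0 84
truncated line
"""

def parse_flows(text):
    """Yield (src, dst, proto, icmp_type, nbytes); skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        src, dst, proto, itype, nbytes = fields
        try:
            yield (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   proto, int(itype) if itype != "-" else None, int(nbytes))
        except ValueError:
            continue

def echo_reply_summary(text, own_net):
    """Per destination, bytes of outbound echo replies by source class."""
    own = ipaddress.ip_network(own_net)
    out = defaultdict(lambda: {"own": 0, "loopback": 0, "other": 0})
    for src, dst, proto, itype, nbytes in parse_flows(text):
        if proto != "icmp" or itype != ICMP_ECHO_REPLY or dst in own:
            continue
        key = "loopback" if src in LOOPBACK else "own" if src in own else "other"
        out[str(dst)][key] += nbytes
    return dict(out)

def likely_victims(summary, min_bytes):
    """Destinations whose echo-reply volume reaches min_bytes, largest first."""
    totals = {d: sum(v.values()) for d, v in summary.items()}
    return sorted((d for d, t in totals.items() if t >= min_bytes),
                  key=lambda d: -totals[d])

if __name__ == "__main__":
    s = echo_reply_summary(SAMPLE_FLOWS, "192.0.2.0/24")
    for dst in likely_victims(s, 100_000):
        print(dst, s[dst])
```

The "loopback" column is the share that source-prefix accounting would not attribute to the network, which is why any nonzero value there is worth alerting on at the egress point.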

