On Mon, Jul 07, 2003 at 08:27:17PM -0400, Jim wrote:
> I've been following some of the conversations about 192.168 networks,
> and tried some experimentation, and came up with a few questions:
> 
> 1.  I've tried the technique mentioned to ping the broadcast address,
> and then check arp -a (on Windows 2000 machines).  This didn't seem to
> work.  For example, I pinged 192.168.100.255.  This should add all
> 192.168.100.x IPs into my arp cache, right?  But my cable modem didn't

No.  There are a number of broadcast MAC addresses.  When you send to
a broadcast IP address, one of these broadcast MAC addresses is used,
without any need for ARP.

Also, try to remember that one IP packet will not be sent multiple
times to multiple hosts using different MAC addresses.  It gets sent
once.  If it's destined to more than one machine, it uses a MAC address
that makes that happen.

> show up in my arp cache after doing this.  However, when I pinged my
> cable modem directly (192.168.100.1), it did show up in my arp cache.  I
> tried this on a computer on the Internet (which I telneted to), with

In order for your computer to talk to another computer on the LAN, it
is supposed to use that computer's destination MAC address.  To find it
out, it issues an ARP request.  If you telnet to a machine on the
internet, your computer sees that the requested address is not on your
LAN, and issues an ARP for the gateway you have specified (in some
manner).

If your cable modem is your gateway (which I'd guess it is), then it will
end up in the ARP table both times.

> 2.  However, with the computer on the Internet I mentioned (which I am
> telneting to), there were the following IPs:  192.168.1.0, 192.168.1.1,
> 192.168.1.2, 192.168.1.3, and 192.168.1.255 - which I found through
> doing an nmap scan.  (pinging 192.168.1.255 produced no results in the
> arp table)  Three are apparently Cisco routers (192.168.1.0 and
> 192.168.1.255 are both ping-able).  When doing nmap, it shows
> 192.168.1.255 as remote, the others as local.  However, when I do a
> traceroute on these supposedly local ones, it shows a number of hops out
> over the Internet, implying that they are not connected locally.  Does
> this make sense?

I am unfamiliar with nmap calling anything "local" or "remote".  As
for the hop count...  Folks on your network could be proxying ARP,
which would fool some tools (and rightly so) into thinking the
machines were on the same LAN.  But rather than bridging, they are
routing.  I have done this on a firewall before where I didn't want to
touch the router config.  An ISP may do this for the reverse reason,
they can't touch your config.

> 3.  I recently checked my firewall (Network ICE), and noticed an attack
> from this IP:  192.168.1.113.  I tried to ping the attacking IP, but no
> response.  The attack details were these:
> TCP OS Fingerprint, and then FTP Port Probe.  Does this make any sense?
> How can someone use a supposedly local IP (192.168) to attack me?
> (Cable modem with 2 computers hooked up).

192.168.0.0/16 addresses are not routable on the public internet.  Your
ISP may route some of the address space but not all.

Also the IP address was probably forged, and you were seeing this
traffic from elsewhere.  It may have been a malfunctioning NAT box
with someone scanning behind it.

> am I pinging the wrong broadcast address?).  Why do 192.168 devices,
> which are supposed to be local, have a number of (internet) hops
> between them when you ping them?  And can anyone explain how someone
> could

Ok.  First off, you need to get a networking book or to read the RFCs
again.  RFC 1918 explains private IP address spaces well enough.

No one said private IP addresses were "local" by which I assume you
mean on one LAN only.  They said they were not to be publicly
routable.  Your machine is not on the Public Internet (from your point
of view), it is on your ISP's network.  Your ISP *can* route private
IPs to and from you, as they do so on their private network.

> (which I was unable to ping or otherwise detect)?  In general, why
> don't these 192.168 addresses show up in the routing table, netstat,
> etc.?

I would hope that your machine, being an end station, doesn't have
much in its routing table.  It should likely only have one default
route.  Everything that isn't on your LAN gets sent to that route.  No
fuss no muss.

PS Try not to get too excited and probe and scan your ISP and
        fellow ISP clients.  You were annoyed when someone did the
        same to you, so please try and appreciate that they will be
        annoyed you are doing that to them.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          [EMAIL PROTECTED]               University Of Calgary
(_)/(_)         T minus 2.9 weeks to Peru       Computer Science
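
The next-hop decision described in the reply above, as an added example that is not part of the original message: it models only the sender's own resolution step (broadcast frame, ARP for an on-link destination, or ARP for the gateway) and shows that an RFC 1918 address outside the local subnet is still sent to the gateway. The host address 192.168.100.10/24 and the Internet address 203.0.113.5 are constructed; the function names are hypothetical.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def resolve_next_hop(iface_cidr, gateway, dest):
    """Return the IP the sender must ARP for, or None for a broadcast frame."""
    net = ipaddress.ip_interface(iface_cidr).network
    dst = ipaddress.ip_address(dest)
    if dst == net.broadcast_address or str(dst) == "255.255.255.255":
        return None                      # frame goes to BROADCAST_MAC, no ARP
    if dst in net:
        return str(dst)                  # on-link: ARP for the destination
    return str(ipaddress.ip_address(gateway))  # off-link: ARP for the gateway


def arp_cache_after(iface_cidr, gateway, destinations):
    """IPs the sender's own ARP requests would add to its cache, in order."""
    cache = []
    for dest in destinations:
        hop = resolve_next_hop(iface_cidr, gateway, dest)
        if hop is not None and hop not in cache:
            cache.append(hop)
    return cache


if __name__ == "__main__":
    HOST, GW = "192.168.100.10/24", "192.168.100.1"   # HOST is constructed
    for dest in ("192.168.100.255", "192.168.100.1",
                 "203.0.113.5", "192.168.1.113"):
        hop = resolve_next_hop(HOST, GW, dest)
        print(f"{dest:16} rfc1918={is_rfc1918(dest)!s:5} "
              f"-> {'frame to ' + BROADCAST_MAC if hop is None else 'ARP for ' + hop}")
```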
