Re: TCP Connections to a Broadcast Address

Ruslan Ermilov Sun, 24 Feb 2002 00:30:41 -0800

On Sat, Feb 23, 2002 at 07:25:20AM -0800, Crist J. Clark wrote:
> On Sat, Feb 23, 2002 at 02:45:35PM +0200, Ruslan Ermilov wrote:
> [snip]
> 
> > Router B: if0 (192.168.1.1/24) and if1 (192.168.4.1/24)
> > Router A: if0 (192.168.1.2/24)
> > 
> > On router A: route add -net 192.168.4 192.168.1.1, telnet 192.168.4.255.
> > 
> > Or even simpler:
> > 
> > Router: if0 (192.168.1.1/24 and 192.168.100.1/24)
> > Host: if0 (192.168.1.2, default gateway 192.168.1.1)
> 
> Did 192.168.4.1/24 just become 192.168.100.1/24?
> 
Yes, these were two different examples.


> > On host:
> > 
> > $ ping 192.168.100.255
> > PING 192.168.100.255 (192.168.100.255): 56 data bytes
> > 64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=0.245 ms
> > 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.207 ms
> > 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.207 ms
> > ^C
> > --- 192.168.100.255 ping statistics ---
> > 3 packets transmitted, 3 packets received, 0% packet loss
> > round-trip min/avg/max/stddev = 0.207/0.220/0.245/0.018 ms
> > $ telnet 192.168.100.255 25
> > Trying 192.168.100.255...
> > Connected to 192.168.100.255.
> > Escape character is '^]'.
> > 220 my.router.local.net ESMTP Sendmail 8.11.6/8.11.2; Sat, 23 Feb 2002 14:39:21 
>+0200 (EET)
> 
> I can't reproduce this. I was only ever able to connect to the
> broadcast on the local interface.
> 
> On victim "router (192.168.64.50):"
> 
> $ netstat -rn -f inet
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            192.168.64.254     UGSc       14     1768    dc0
> 127.0.0.1          127.0.0.1          UH          1   137708    lo0
> 172.16             link#3             UC          3        0    ep0
> 172.16.0.1         0:20:af:17:f:11    UHLW        0        2    lo0
> 192.168.64         link#1             UC          6        0    dc0
> 192.168.64.50      0:4:5a:40:d9:e5    UHLW       11  5310274    lo0
> 192.168.64.60      0:c0:f0:5a:6c:a    UHLW        4 11416791    dc0    514
> 
> On attacker "host (192.168.64.60):"
> 
> $ netstat -rn -f
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            192.168.64.254     UGSc        1        0    dc0
> 127                127.0.0.1          UGSc        0        0    lo0
> 127.0.0.1          127.0.0.1          UH          1     1776    lo0
> 172.16             192.168.64.50      UGSc        1        4    dc0
> 192.168.64         link#1             UC          3        0    dc0
> 192.168.64.50      0:4:5a:40:d9:e5    UHLW        6  1318188    dc0   1003
> 
> Now on "host,"
> 
> $ ping 172.16.0.1
> PING 172.16.0.1 (172.16.0.1): 56 data bytes
> 64 bytes from 172.16.0.1: icmp_seq=0 ttl=64 time=0.518 ms
> 64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.541 ms
> ^C
> --- 172.16.0.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.518/0.530/0.541/0.011 ms
> 
> This works fine as expected with the weak-ES model. But for me,
> 
> $ ping 172.16.255.255
> PING 172.16.255.255 (172.16.255.255): 56 data bytes
> ^C
> --- 172.16.255.255 ping statistics ---
> 4 packets transmitted, 0 packets received, 100% packet loss
> $ telnet 172.16.255.255
> Trying 172.16.255.255...
> telnet: connect to address 172.16.255.255: Operation timed out
> telnet: Unable to connect to remote host
> 
> I can't reach the broadcast on the other interface. The "router" is
> FreeBSD 4.5-RELEASE without any patches.
> 
> I'm not sure what I might be doing wrong.
> 
> If you are correct, and you can cross interfaces, this is a much
> bigger problem. I didn't mention it in your first mail, but the
> in_broadcast() function as used in the patch you sent is different
> than the current implementation. in_broadacast() currently takes an
> address and an interface. If you are correct, we'd have to loop
> through the interface list... which makes this uglier.
> 
No, I can't cross interfaces, /* Check for broadcast addresses. */
in ip_input() doesn't allow this.  I'm talking about a different
scenario here, multiple IP networks per interface:

host# netstat -rn -finet | grep -w default
default            192.168.4.65       UGSc        4      387    rl0

gateway# ifconfig fxp0 inet
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.4.65 netmask 0xffffff00 broadcast 192.168.4.255
        inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255

host# telnet 192.168.100.255 25
Trying 192.168.100.255...
Connected to 192.168.100.255.
Escape character is '^]'.


Cheers,
-- 
Ruslan Ermilov          Sysadmin and DBA,
[EMAIL PROTECTED]           Sunbay Software AG,
[EMAIL PROTECTED]          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message

Re: TCP Connections to a Broadcast Address

Reply via email to