Hi,
I've been following some of the conversations about 192.168 networks,
and tried some experimentation, and came up with a few questions:
1. I've tried the technique mentioned to ping the broadcast address,
and then check arp -a (on Windows 2000 machines). This didn't seem to
work. For example, I pinged 192.168.100.255. This should add all
192.168.100.x IPs into my arp cache, right? But my cable modem didn't
show up in my arp cache after doing this. However, when I pinged my
cable modem directly (192.168.100.1), it did show up in my arp cache. I
tried this on a computer on the Internet (which I telneted to), with
similar results. (Is it because Microsoft recognizes 192.168.100.255 as
a valid IP?). When I do a traceroute to my cable modem (192.168.100.1),
it is a direct hop.
2. However, with the computer on the Internet I mentioned (which I am
telneting to), there were the following IPs: 192.168.1.0, 192.168.1.1,
192.168.1.2, 192.168.1.3, and 192.168.1.255 - which I found through
doing an nmap scan. (pinging 192.168.1.255 produced no results in the
arp table) Three are apparently Cisco routers (192.168.1.0 and
192.168.1.255 are both ping-able). When doing nmap, it shows
192.168.1.255 as remote, the others as local. However, when I do a
traceroute on these supposedly local ones, it shows a number of hops out
over the Internet, implying that they are not connected locally. Does
this make sense?
3. I recently checked my firewall (Network ICE), and noticed an attack
from this IP: 192.168.1.113. I tried to ping the attacking IP, but no
response. The attack details were these:
TCP OS Fingerprint, and then FTP Port Probe. Does this make any sense?
How can someone use a supposedly local IP (192.168) to attack me?
(Cable modem with 2 computers hooked up).
So can someone clarify these things? IE, why does it look like the only
way to really detect 192.168 devices on your network is to scan for them
- in other words, the pinging of the broadcast address doesn't work (or
am I pinging the wrong broadcast address?). Why do 192.168 devices,
which are supposed to be local, have a number of (internet) hops between
them when you ping them? And can anyone explain how someone could
attack me via my cable modem, with a source address of 192.168.1.113
(which I was unable to ping or otherwise detect)? In general, why don't
these 192.168 addresses show up in the routing table, netstat, etc.?
Thanks,
Jim
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
