> -----Original Message----- > From: Jim [mailto:[EMAIL PROTECTED] > Sent: July 7, 2003 17:27 > To: [EMAIL PROTECTED] > Subject: Questions about 192.168 > > Hi, > > I've been following some of the conversations about 192.168 networks, > and tried some experimentation, and came up with a few questions: > > 1. I've tried the technique mentioned to ping the broadcast address, > and then check arp -a (on Windows 2000 machines). This didn't seem to > work. For example, I pinged 192.168.100.255. This should add all > 192.168.100.x IPs into my arp cache, right? But my cable modem didn't > show up in my arp cache after doing this. However, when I pinged my > cable modem directly (192.168.100.1), it did show up in my arp cache. I > tried this on a computer on the Internet (which I telneted to), with > similar results. (Is it because Microsoft recognizes 192.168.100.255 as > a valid IP?). When I do a traceroute to my cable modem (192.168.100.1), > it is a direct hop.
I think it's an open question whether a device should respond to a ping (ICMP Echo Request) received as a broadcast. Writers of some TCP stacks have chosen to do so, others have not. > 2. However, with the computer on the Internet I mentioned (which I am > telneting to), there were the following IPs: 192.168.1.0, > 192.168.1.1, > 192.168.1.2, 192.168.1.3, and 192.168.1.255 - which I found through > doing an nmap scan. (pinging 192.168.1.255 produced no results in the > arp table) Three are apparently Cisco routers (192.168.1.0 and > 192.168.1.255 are both ping-able). When doing nmap, it shows > 192.168.1.255 as remote, the others as local. However, when I do a > traceroute on these supposedly local ones, it shows a number > of hops out > over the Internet, implying that they are not connected locally. Does > this make sense? If you traceroute to an address that is not on a locally-connected subnet, but your local gateway has a default route, the trace will follow that route. This process can repeat for multiple hops. > 3. I recently checked my firewall (Network ICE), and noticed > an attack > from this IP: 192.168.1.113. I tried to ping the attacking > IP, but no > response. The attack details were these: > TCP OS Fingerprint, and then FTP Port Probe. Does this make > any sense? > How can someone use a supposedly local IP (192.168) to attack me? > (Cable modem with 2 computers hooked up). By default, routing is based on *destination*. As long as the attack packets had your public address in their destination field, they could be delivered to you. But your trace back had this RFC1918 address as its destination. As above, this may propagate for several hops, but eventually you'll hit somebody who either explicitly recognizes it as a garbage destination, or simply doesn't have a default route and lets it fall on the floor. > So can someone clarify these things? IE, why does it look > like the only > way to really detect 192.168 devices on your network is to > scan for them > - in other words, the pinging of the broadcast address > doesn't work (or > am I pinging the wrong broadcast address?). Why do 192.168 devices, > which are supposed to be local, have a number of (internet) > hops between > them when you ping them? And can anyone explain how someone could > attack me via my cable modem, with a source address of 192.168.1.113 > (which I was unable to ping or otherwise detect)? In > general, why don't > these 192.168 addresses show up in the routing table, netstat, etc.? > > Thanks, > > Jim > > > -------------------------------------------------------------- > ------------- > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by > top analysts! > The Gartner Group just put Neoteris in the top of its Magic Quadrant, > while InStat has confirmed Neoteris as the leader in marketshare. > > Find out why, and see how you can get plug-n-play secure > remote access in > about an hour, with no client, server changes, or ongoing maintenance. > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm > -------------------------------------------------------------- > -------------- > --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
