I have a /24 network that is subnetted into a bunch of small chunks.
I have recently gone into each router on the network (mostly Cisco) in order to document how this network had been divided. Now looking at a ping sweep output from:
nmap -sP 192.168.1.*
I see that some but not all reserved "network" and "broadcast" IPs respond to pings. For example, the network 192.168.1.80/29 has the network of 192.168.1.80 and a broadcast of 192.168.1.87. On this particular subnet, both of these IPs give me a ping response from the external interface of the router (192.168.5.20).
Many of the other subnets behave in a similar manner. However others do not. Looking at the router configs, nothing really jumps out at me that looks like it would cause this behavior.
Does anyone know the reason for this behavior? Do I want those addresses to respond or not? Slightly unrelated: should I have reverse DNS entries for the network and broadcast IPs?
Answer
You do not want anything to respond to a ping of the network or broadcast addresses over the Internet. If that was allowed to happen your network could be used as part of a smurf attack.
Most host-based firewall software these days blocks responses to ICMP for the network/broadcast addresses, since there is very little actual value that can come from having ICMP replies to broadcasts enabled.
The Linux kernel by default ignores these types of pings, but that can be configured by changing the value of /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts.
As for your question about DNS. I don't know that there is much advantage one way or the other. It wouldn't hurt to add it, but there isn't really a good reason for it. Having a reverse lookup may be helpful for someone outside of your network if they wanted to look up who owned those addresses and they didn't know how to do a proper lookup.
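An added example (not part of the question or the answer above): given the subnet plan documented from the routers and the listing from a ping sweep, flag which reserved network/broadcast addresses answered, which is exactly the condition the answer says you do not want. The nmap output and subnet list below are constructed samples; the parser assumes nmap printed bare addresses rather than resolved names.

```python
import ipaddress
import re

# Constructed sample of ping-sweep output (current nmap format; the older
# "Host X appears to be up." format is handled too).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.80
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.82
Host is up (0.0019s latency).
Nmap scan report for 192.168.1.87
Host is up (0.0020s latency).
"""

# Constructed subnet plan as documented from the routers; 192.168.1.80/29
# is the subnet named in the question.
SUBNETS = ["192.168.1.80/29", "192.168.1.88/29"]


def responding_hosts(nmap_output):
    """Return the set of addresses nmap reported as up."""
    up, current = set(), None
    for line in nmap_output.splitlines():
        if (m := re.match(r"Host (\S+) appears to be up", line)):
            up.add(m.group(1))            # older nmap output: one line per host
        elif (m := re.match(r"Nmap scan report for (\S+)", line)):
            current = m.group(1)          # current output: address line first...
        elif current and line.startswith("Host is up"):
            up.add(current)               # ...then the status line
            current = None
    return up


def reserved_responders(nmap_output, subnets):
    """Map each subnet to its network/broadcast addresses that answered the sweep."""
    up = responding_hosts(nmap_output)
    findings = {}
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        reserved = (str(net.network_address), str(net.broadcast_address))
        hits = [addr for addr in reserved if addr in up]
        if hits:
            findings[cidr] = hits
    return findings


if __name__ == "__main__":
    for cidr, hits in reserved_responders(SAMPLE_NMAP_OUTPUT, SUBNETS).items():
        print(f"{cidr}: reserved address(es) answering ping: {', '.join(hits)}")
```

Run it against the real sweep (nmap -sP output saved to a file) and the subnet list you documented; every subnet it reports is one whose router, or a host on it, is answering on an address that should stay silent.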