4

I have a /24 network that is subnetted into a bunch of small chunks. I have recently gone into each router on the network (mostly Cisco) in order to document how this network had been divided. Now looking at a ping sweep output from:

nmap -sP 192.168.1.*

I see that some but not all reserved "network" and "broadcast" IPs respond to pings. For example, the network 192.168.1.80/29 has the network of 192.168.1.80 and a broadcast of 192.168.1.87. On this particular subnet, both of these IPs give me a ping response from the external interface of the router (192.168.5.20).

Many of the other subnets behave in a similar manner. However, others do not. Looking at the router configs, nothing really jumps out at me that looks like it would cause this behavior.

Does anyone know the reason for this behavior? Do I want those addresses to respond or not? Slightly unrelated: should I have reverse DNS entries for the network and broadcast IPs?

4 Answers

9

You do not want anything to respond to a ping of the network or broadcast addresses over the Internet. If that was allowed to happen your network could be used as part of a smurf attack.

Most host-based firewall software these days blocks responses to ICMP for the network/broadcast addresses, since there is very little actual value that can come from having ICMP replies to broadcasts enabled.

The Linux kernel by default ignores these types of pings but that can be configured by changing the value of /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts.

As for your question about DNS, I don't know that there is much advantage one way or the other. It wouldn't hurt to add it, but there isn't really a good reason for it. Having a reverse lookup may be helpful for someone outside of your network if they wanted to look up who owned those addresses and they didn't know how to do a proper lookup.

2
  • +1 - Allowing directed broadcasts is a bad idea. re: the reverse DNS entries the OP asked about - I've never heard of anyone creating reverse DNS entries for the network or broadcast addresses. Commented Jul 28, 2010 at 21:17
  • +1 - never leave ICMP up for anything other than testing or troubleshooting reasons.
    – Chopper3
    Commented Jul 28, 2010 at 21:23
1

For the Cisco routers, try adding this to each interface:

no ip directed-broadcast

I think it is the default, but you could try it and see.

As far as other devices, it will be OS specific.

0

Some devices will respond to pings to the network broadcast address, depending on what operating system they're running. I have a Watchguard firewall and an Avocent IP KVM unit that will both respond to pings to the network broadcast address.

I don't believe that Windows hosts will respond to these pings though.

0

Was wondering why some behaved differently than others, and here's why:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#ios

Current versions of Cisco IOS software have this functionality disabled by default; however, it can be enabled via the ip directed-broadcast interface configuration command. Releases of Cisco IOS software prior to 12.0 have this functionality enabled by default.
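An added check (not code from the question or any answer) for the situation the question describes: parse the `nmap -sP` sweep output, compute the network and broadcast address of each subnet documented from the router configs, and list which of those reserved addresses answered, which is exactly what the accepted answer says you do not want. The sweep output and the subnet list are constructed; the /29 at .80 mirrors the question.

```python
import ipaddress
import re

# Constructed sample of `nmap -sP` output (not real scan data). Only the
# .80/29 subnet shows its network (.80) and broadcast (.87) answering.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.80
Host is up (0.0021s latency).
Nmap scan report for 192.168.1.81
Host is up (0.0010s latency).
Nmap scan report for 192.168.1.87
Host is up (0.0023s latency).
Nmap scan report for 192.168.1.89
Host is up (0.0011s latency).
Nmap scan report for 192.168.1.97
Host is up (0.0012s latency).
"""

# Subnets as documented from the router configs (constructed list).
DOCUMENTED_SUBNETS = ["192.168.1.80/29", "192.168.1.88/29", "192.168.1.96/27"]

# Newer nmap: "Nmap scan report for <ip>" or "... for <name> (<ip>)",
# followed by a "Host is up" line. Older nmap: "Host <ip> appears to be up."
REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
OLD_STYLE_RE = re.compile(r"^Host (\d+\.\d+\.\d+\.\d+) (?:appears to be|is) up")


def parse_responders(nmap_output):
    """Return the set of IPv4 addresses that answered the ping sweep."""
    responders = set()
    current = None
    for line in nmap_output.splitlines():
        m = REPORT_RE.match(line)
        old = OLD_STYLE_RE.match(line)
        if m:
            current = ipaddress.ip_address(m.group(1))
        elif old:
            responders.add(ipaddress.ip_address(old.group(1)))
        elif current is not None and line.startswith("Host is up"):
            responders.add(current)
    return responders


def audit_directed_broadcast(subnets, responders):
    """For each subnet, report its network and broadcast addresses that replied.
    A reply from either means something on that segment answers directed
    broadcasts, the smurf-amplifier condition the accepted answer warns about."""
    findings = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        for role, addr in (("network", net.network_address), ("broadcast", net.broadcast_address)):
            if addr in responders:
                findings.append((str(net), role, str(addr)))
    return findings
```

For every subnet the audit flags, the fix from the answers is `no ip directed-broadcast` on that router interface (the default in IOS 12.0 and later) and `icmp_echo_ignore_broadcasts` left at 1 on Linux hosts behind it.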
