[Nottingham] Weird Stuff

Graeme Fowler nottingham at mailman.lug.org.uk
Fri Sep 6 20:37:01 2002


On Fri, 2002-09-06 at 19:08, Robert Davies wrote:
<snip>

Doh. I meant it was a server broadcasting to client! Anyway...

> What's going to happen when someone injects packets destination 
> 255.255.255.255 from source 255.255.255.255 into NTL's network on a variety 
> of ports likely to have hosts responding?

OK, so run nmap and spoof traffic from 255.255.255.255 to
255.255.255.255, hoping that we'll see some traffic come back:

[root@server /root]# nmap -sU -vv -P0 -S255.255.255.255 255.255.255.255
-e eth0 -p 67-68

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Initiating FIN,NULL, UDP, or Xmas stealth scan against 
(255.255.255.255)
The UDP or stealth FIN/NULL/XMAS scan took 12 seconds to scan 2 ports.
Interesting ports on  (255.255.255.255):
Port       State       Service
67/udp     open        bootps                  
68/udp     open        bootpc                  

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds


Nice - we can quite clearly see the results there when scanning ports 67
& 68. The tcpdump made for interesting reading, too, but I'll not
publish that here (exercise for the reader, perchance? Note however, as
always, YMMV).

Scanning every single UDP port, however:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Initiating FIN,NULL, UDP, or Xmas stealth scan against 
(255.255.255.255)
Skipping host   (255.255.255.255) due to host timeout
Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds

Novel.

Still, looks like ARP poisoning would also be trivial on this network,
mainly due to the disgustingly noisy nature of the infrastructure. My
old DSL used to be so quiet (he said, wistfully)!!!

> Surely they have no business routing this traffic.

Why not? As long as it's not leaked outside their netblocks, it remains
private. Remember that regardless of opinion, you are a customer of NTL
and what they do with their network infrastructure is their business.

If you could ping that address from *outside*, I'd be worried...

At this point I'm off into deepest darkest XMAS land to see what I can
see. Hopefully NTL won't!

G