[OT-mask]

Gregory D Hough mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Wed Feb 25 14:38:52 UTC 2004


Thanks Ya'll, I can see I'll need to learn more about CIDR notation.

On 02/24/2004 07:39:22 AM, Madison Kelly wrote:
> As
> for the rest of your question, could ask for clarity? I seem to be  
> having trouble following the first part of your question.
> 
> Madison
>
There weren't a first part, merely a cloudy, bereaved intro (see tail).

Ian Goldberg wrote:
> A 255 is a perfectly valid address.

In this case I thought so, but wasn't absolutely sure.

James Knott wrote:
> Perhaps I'm missing something here, but how does your example relate  
> to your question?

<QUESTION_PARAPHRASE>
Bad guys often wear masks to hide their true identity. "I believe" the
same is true with badguysonline. So my question is when if ever should
there appear a 255 octet in a host address, and is it wise to do   
anything but DROP these?
</QUESTION_PARAPHRASE>

Assuming (as it were) that the example was a broadcast address (which  
it weren't), and I were to handle it with some form of REJECT (which I  
was hesitant to do myself); what could happen? --Ian explained:

[quote]
Right now, pinging this address works fine, and I don't get the  
multiple (DUP!) replies I would expect if it were a broadcast address  
[actually, I'd probably expect no reply at all, since broadcast pings  
are usually firewalled]. So I would bet that that network is a /20 or  
something

Robert Brockway wrote:
I think what Gregory is asking is could the address listed here be a
normal host or it is definitely a broadcast address.  As per Ian's  
answer, for any network larger than a /24 it is permissible to have  
host addresses with the last byte being 255 [1]. The highest address in  
the subnet will still be a broadcast address of course.

Thanks for the clarification Rob, I wish I had heard your talk on this  
subject.

OT banter follows...stop here if'n you have more important things to  
do.

"badguysonline" -- I cannot define it any other way. I only know what  
I'm seeing directed at my obviously misconfigured network is not nice.  
It's not abnormal when one chooses to use the internet, to have one's  
machine(s) probed and prodded like average cattle. I accept that as a  
WAN fact. As a farmer though, it is my duty to protect my herd, not  
only from rustlers but from themselves as well. A wise rancher removes  
the potentially dangerous horns from his beasts that they not injure  
each other. It is also prudent to have a secure perimeter to keep the  
beasts in good pasture as they graze and chew their cud (read browse,  
blog and eat cookies). Maybe a little squid in the rudiment would help.

What concerns me are not the random scans and probes for open ports  
running common services. I am worried about the coordinated  
"enumeration profiling"...for lack of a better term...directed at my  
address. I am not referring to any "afterglow" experienced for a short  
time after receiving a new dynamically assigned address. I am talking  
about specific traffic from a dozen or so creeps or perhaps one creep  
using a dozen or so IPs. I assume the creep(s) will not go away
anytime soon, so I'm forced into doing more homework.

This list has been very helpful to me in the last few years, for that  
I'm eternally grateful...I'm quite sure with your help and a little  
more effort on my part, I can hold the bandannas at bay. The challenge
for me however, is demonstrating in no uncertain terms, the Linux  
specific parameters being used to keep any future discussions On-Topic!

Regards,
farmer6re9

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
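
An added example, not part of the original message: the point made in the thread (an address ending in .255 is only a broadcast address when the host bits of its network are all ones) worked through with Python's ipaddress module. The function names are hypothetical and the addresses are constructed samples from documentation and private ranges; the real prefix length of the network in question is not given in the thread.

```python
import ipaddress

def classify(addr, prefix_len):
    """Role of addr inside the /prefix_len network that contains it."""
    ip = ipaddress.IPv4Address(addr)
    # strict=False lets us pass a host address and get its enclosing network.
    net = ipaddress.IPv4Network((ip, prefix_len), strict=False)
    if prefix_len >= 31:
        # /31 point-to-point links and /32 host routes have no broadcast address.
        return "host"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"

def broadcast_prefixes(addr):
    """Prefix lengths for which addr would be the directed-broadcast address."""
    return [p for p in range(31) if classify(addr, p) == "broadcast"]

if __name__ == "__main__":
    # Constructed samples: (address, assumed prefix length of its network).
    samples = [
        ("192.0.2.255", 24),   # highest address of a /24: broadcast
        ("192.0.2.255", 23),   # same address in a /23: ordinary host
        ("10.1.14.255", 20),   # .255 in the middle of a /20: ordinary host
        ("10.1.15.255", 20),   # highest address of that /20: broadcast
    ]
    for addr, plen in samples:
        net = ipaddress.IPv4Network((addr, plen), strict=False)
        print(f"{addr:<14} in {str(net):<16} -> {classify(addr, plen)}")
    # A filter that drops every source ending in .255 would also drop the
    # two "host" rows above, which are legitimate addresses.
    print("192.0.2.255 is a broadcast only for prefixes",
          broadcast_prefixes("192.0.2.255"))
```

Without knowing the remote network's prefix length, the last octet alone does not tell a firewall rule whether a source address is a broadcast address or a normal host.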




