Friday, 12 October 2012

Broadcast ping for host discovery

I saw a question posted on an exchange website today that took me back a few years.  Often, people assume that broadcast ping can be used for host discovery on a network.  But these days, broadcast ICMP requests are dropped silently to avoid stimulating springboard style DoS attacks.  This is essentially where you ping a number of hosts, as many as possible across a multitude of subnets, but have all the responses returned to the machine you want to attack.  This overloads the machine's network interface with ICMP traffic, obstructing real network traffic.  It also poses as a threat to ADSL connections, when you consider that most people have caps on their broadband.  It would be quite easy to render someone's internet connection useless through this attack mechanism.  For this reason, the default response for any machine, is to not respond to broadcast ICMP requests.  Most routers also filter these out, to prevent ICMP broadcast packets spreading across different subnets.

Anyway, host discovery can actually be obtained through a much simpler mechanism, given that you can ping specific hosts for a reply; again, providing that those hosts reply to ICMP requests.  The solution is to ping each possible permutation of addresses on a given subnet, looking for a response from any of them.  This sounds like a really heavyweight process, but it's actually very easy and very fast.  The following command demonstrates this, which can be incorporated into a script if you wish (brackets are important).

$ time ( s=192.168.0 ; for i in $(seq 1 254) ; do ( ping -n -c 1 -w 1 $s.$i 1>/dev/null 2>&1 && printf "%-16s %s\n" $s.$i responded ) & done ; wait ; echo )      responded     responded      responded    responded      responded

real    0m1.317s
user    0m0.004s
sys 0m0.084s

No comments:

Post a Comment