58 SPOOFED.NET > 255.255.255.255

05:22:58 spoofed.net > 255.255.255.255: icmp: echo request

Probably a broadcast to the network the sensor is on. The source IP address is spoofed, and the echo requests are directed to broadcast addresses.

IDIC - SANS GIAC LevelTwo

©2000, 2001

23

In this example, the old BSD zero broadcast form is used. Many Unix systems will honor a zero broadcast, while Windows systems do not. In fact, everybody loves to slam Windows, but they figured out a long time ago that they could help prevent forest fires. They will not honor an ICMP echo request broadcast, period! That was pretty good thinking. It does have one small side effect, but we can live with it.

The BSD stacks will honor both the all-ones (255) and the zero broadcast, so you can find all the systems whose network stack derives from BSD, and that is most of them. Non-BSD stacks will not honor a zero broadcast, so they stand out like a sore thumb. And if you can perform some other form of network mapping, you can separate out the Windows systems, which keep their traps closed regardless when it comes to broadcasted echo requests.

Time for a conspiracy theory moment. This allows for the possibility of appearing to be the "innocent" victim of a smurf attack while actually mapping the Internet. WAKE UP! If your site allows someone to send broadcasted ICMP echo requests and get responses, you ARE being mapped. We will explore this concept in greater detail as we continue to work through the material. However, the bottom line is this: if those response packets leave your network, you have given away reconnaissance data. Whenever you are the victim of successful reconnaissance, you need to do battle damage assessment, since you are now in a more vulnerable position than you were before the reconnaissance.
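The battle damage assessment the text calls for starts with two questions: which broadcast forms (limited 255.255.255.255, zero 0.0.0.0, directed all-ones and directed all-zeros) were aimed at your network, and which of your hosts answered and thereby leaked a reply off-site. The following is an added example, not course material from the slide, that answers both over tcpdump-style lines. The log lines are constructed and follow the one-line "src > dst: icmp: echo request" format shown on the slide; the local prefix 192.168.1.0/24 and the host spoofed.net are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modeled on the slide's tcpdump format (not real capture data).
# spoofed.net plays the forged source; 192.168.1.0/24 is the assumed local network.
SAMPLE_LOG = """\
05:22:58 spoofed.net > 255.255.255.255: icmp: echo request
05:22:58 spoofed.net > 0.0.0.0: icmp: echo request
05:22:58 spoofed.net > 192.168.1.255: icmp: echo request
05:22:58 spoofed.net > 192.168.1.0: icmp: echo request
05:22:59 192.168.1.10 > spoofed.net: icmp: echo reply
05:22:59 192.168.1.11 > spoofed.net: icmp: echo reply
05:22:59 192.168.1.12 > spoofed.net: icmp: echo reply
05:23:00 192.168.1.12 > spoofed.net: icmp: echo reply
05:23:01 10.0.0.5 > 192.168.1.10: icmp: echo request
"""

# Matches the slide's single-line format: "HH:MM:SS src > dst: icmp: echo request|reply".
LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): icmp: echo (request|reply)$")


def parse_ip(text):
    """Return an IPv4/IPv6 address object, or None if text is a hostname."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def broadcast_form(dst, local_net):
    """Classify a destination as one of the broadcast forms discussed in the text,
    or None if it is an ordinary unicast address (or a hostname)."""
    if dst == "255.255.255.255":
        return "limited"          # all-ones limited broadcast
    if dst == "0.0.0.0":
        return "zero"             # old BSD zero broadcast
    addr = parse_ip(dst)
    if addr is None:
        return None
    if addr == local_net.broadcast_address:
        return "directed-ones"    # e.g. 192.168.1.255 for a /24
    if addr == local_net.network_address:
        return "directed-zero"    # e.g. 192.168.1.0 for a /24
    return None


def analyze(log_text, local_cidr):
    """Count broadcast echo requests by form and find local hosts whose echo
    replies left the network (the reconnaissance data the text warns about)."""
    local_net = ipaddress.ip_network(local_cidr)
    forms = Counter()
    requests = []
    leaked_replies = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ICMP echo line in the expected format
        ts, src, dst, kind = m.groups()
        if kind == "request":
            form = broadcast_form(dst, local_net)
            if form:
                forms[form] += 1
                requests.append((ts, src, dst, form))
        else:
            # A reply from a local host to a non-local destination is a leak:
            # the outside party now knows that host exists and answers broadcasts.
            src_addr = parse_ip(src)
            dst_addr = parse_ip(dst)
            src_local = src_addr is not None and src_addr in local_net
            dst_local = dst_addr is not None and dst_addr in local_net
            if src_local and not dst_local:
                leaked_replies[src] += 1
    return {
        "forms": dict(forms),
        "broadcast_requests": requests,
        "responders": dict(leaked_replies),
        "mapped_hosts": sorted(leaked_replies, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "192.168.1.0/24")
    print("broadcast forms seen:", result["forms"])
    print("hosts that answered (now known to the mapper):", result["mapped_hosts"])
```

Hosts listed under "mapped_hosts" are the ones whose existence has been given away; the count of distinct forms seen tells you whether the sender was probing for the zero-broadcast behaviour as well as the all-ones form. Real tcpdump output varies by version (newer releases print "ICMP echo request, id ..."), so adjust LINE_RE to the format your sensor actually writes.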