Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!SCARECROW.WAISMAN.WISC.EDU!Bruce.Orchard
From: Bruce.Orchard@SCARECROW.WAISMAN.WISC.EDU (Bruce Orchard)
Newsgroups: comp.protocols.tcp-ip.ibmpc
Subject: Re: Broadcasting - possible abuse?
Message-ID: <2.1995@scarecrow.waisman.wisc.edu>
Date: 8 Sep 89 18:55:53 GMT
References: <8909072316.AA13106@ti.com>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 33

Our campus network has 2 programs that regularly generate IP broadcasts:

1. RIP, which broadcasts routing information to port 520.  The protocol
   is described in RFC 1058.

2. RWHO, which broadcasts a list of the users logged in on a system.  I
   don't know of any reference about it other than the code--it was part
   of Berkeley 4.2.

The excessive ARP packets you see probably arise from some nodes using 0
for the broadcast address (following Berkeley 4.2) and others using all
1's (following RFC 919).  The ARP's arise as follows:

1. Node A broadcasts a packet to x.x.255.255.

2. Node B, which thinks the broadcast address is x.x.0.0, receives the
   packet and decides the packet is neither a broadcast packet nor one
   addressed to itself.  Therefore it attempts to forward it to node
   x.x.255.255, so it uses ARP to get its address.

The reverse also happens.

I would like to see at least 2 code changes in node B:

1. It would recognize both addresses as broadcasts.

2. It would check the Ethernet destination address and never forward a
   packet that was addressed to the Ethernet broadcast address.

Bruce Orchard
University of Wisconsin-Madison
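
The two changes proposed for node B in the post above, sketched in C as an added example that is not part of the original post or of any Berkeley code. All names (`struct iface`, `is_ip_broadcast`, `classify_rx`) are hypothetical, the 172.16.0.0/16 addresses and the MAC are constructed sample data, and IP addresses are held in host byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; every name here is hypothetical. IPs in host byte order. */
enum rx_action { RX_DELIVER_LOCAL, RX_FORWARD, RX_DROP };

struct iface {
    uint32_t addr;    /* this node's IP address */
    uint32_t netmask; /* 0xFFFF0000 for an x.x.0.0 network */
};

static const uint8_t ETH_BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
/* Constructed sample data: node B at 172.16.0.5/16 and some unicast MAC. */
static const struct iface NODE_B = {0xAC100005u, 0xFFFF0000u};
static const uint8_t SAMPLE_UCAST[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

/* Change 1: treat the all-ones (RFC 919) and all-zeros (Berkeley 4.2)
 * host parts on our own network as broadcasts, plus 255.255.255.255. */
int is_ip_broadcast(const struct iface *ifp, uint32_t dst)
{
    uint32_t hostmask = ~ifp->netmask;
    if (dst == 0xFFFFFFFFu)
        return 1;
    if ((dst & ifp->netmask) != (ifp->addr & ifp->netmask))
        return 0;
    return (dst & hostmask) == 0 || (dst & hostmask) == hostmask;
}

/* Decide what to do with a received IP packet. */
enum rx_action classify_rx(const struct iface *ifp, const uint8_t eth_dst[6],
                           uint32_t ip_dst)
{
    if (ip_dst == ifp->addr || is_ip_broadcast(ifp, ip_dst))
        return RX_DELIVER_LOCAL;
    /* Change 2: a frame that arrived on the Ethernet broadcast address is
     * never forwarded, so no ARP request is ever issued for its target. */
    if (memcmp(eth_dst, ETH_BCAST, 6) == 0)
        return RX_DROP;
    return RX_FORWARD;
}

int main(void)
{
    printf("x.x.255.255 via bcast: %d\n", classify_rx(&NODE_B, ETH_BCAST, 0xAC10FFFFu));
    printf("x.x.0.0 via bcast:     %d\n", classify_rx(&NODE_B, ETH_BCAST, 0xAC100000u));
    printf("foreign via bcast:     %d\n", classify_rx(&NODE_B, ETH_BCAST, 0xAC11FFFFu));
    printf("foreign via unicast:   %d\n", classify_rx(&NODE_B, SAMPLE_UCAST, 0xAC110007u));
    return 0;
}
```

Either check alone stops the ARP described in the post; the second also covers broadcast forms the first does not recognize.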