Subject: Re: a remote user can check promiscuous mode
To: Wolfgang Rupprecht <firstname.lastname@example.org>
From: Ignatios Souvatzis <email@example.com>
Date: 12/10/1999 22:10:44
On Fri, Dec 10, 1999 at 12:16:31PM -0800, Wolfgang Rupprecht wrote:
> firstname.lastname@example.org (Michael Richardson) writes:
> > The technique is to send an ICMP ping addressed to the node at the IP
> > layer, but not addressed to the node at the ethernet layer.
> I can think of a few more probes like this that are possible. One can
> also slap on a MAC multicast address and the NIC's IP address and see
> if the NIC is listening to that ethernet multicast.
> I'm not sure that the information that these probes provide is at all
> damaging from a security standpoint. The probe just shows if the MAC
> filters are pre-filtering ethernet traffic or not.
But our IP layer should reject packets with IPv4 unicast addresses that are
targeted at link multicast addresses, right? (If I recall
So my guess at the description of the mechanism is that somehow
the M_MCAST/M_BCAST marking isn't done right in case of promiscuous
mode, and this is definitely a bug.
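
Added example, not part of the original message and not NetBSD's code: a minimal C sketch of the input check the thread is discussing, where each frame's Ethernet destination is classified even when it was received only because the NIC is promiscuous, and a unicast IPv4 destination is dropped if the frame came in on a link-layer broadcast or multicast address (the behaviour RFC 1122 section 3.3.6 recommends). The LF_* flags, function names and sample addresses are hypothetical stand-ins constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical link-layer flags, analogous to the M_BCAST/M_MCAST marking
 * discussed in the thread; these are not NetBSD's definitions. */
enum { LF_BCAST = 1, LF_MCAST = 2, LF_OTHERHOST = 4 };

/* Constructed sample addresses (locally administered MACs, TEST-NET-1). */
const uint8_t SAMPLE_SELF[6]  = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
const uint8_t SAMPLE_OTHER[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
const uint8_t SAMPLE_MCAST[6] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x01};
const uint8_t SAMPLE_BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* Classify the Ethernet destination. This has to run for every frame,
 * including frames the MAC filter would have discarded outside
 * promiscuous mode. */
static int link_flags(const uint8_t dst[6], const uint8_t self[6])
{
    if (memcmp(dst, SAMPLE_BCAST, 6) == 0)
        return LF_BCAST;
    if (dst[0] & 0x01)                 /* group bit set: multicast */
        return LF_MCAST;
    if (memcmp(dst, self, 6) != 0)     /* unicast, but not our MAC */
        return LF_OTHERHOST;
    return 0;
}

/* IPv4 destination classes, addresses in host byte order. */
static int ip_is_multicast(uint32_t a) { return (a >> 28) == 0xe; }
static int ip_is_broadcast(uint32_t a, uint32_t net_bcast)
{
    return a == 0xffffffffu || a == net_bcast;
}

/* Returns 1 to hand the packet to IP input, 0 to drop it silently. */
int ip_accept(const uint8_t eth_dst[6], const uint8_t self_mac[6],
              uint32_t ip_dst, uint32_t net_bcast)
{
    int lf = link_flags(eth_dst, self_mac);

    if (lf & LF_OTHERHOST)
        return 0;   /* seen only because of promiscuous mode */
    if ((lf & (LF_BCAST | LF_MCAST)) &&
        !ip_is_multicast(ip_dst) && !ip_is_broadcast(ip_dst, net_bcast))
        return 0;   /* unicast IP on a link-layer group address */
    return 1;
}
```

With this check in place, a host answers the probe the same way whether or not its interface is promiscuous, because the decision depends on the frame's destination address rather than on what the MAC filter let through.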