pinging the broadcast address

Red Squirrel · Mar 15, 2011

At work we were messing around and realize that we can actually ping the broadcast address, and get replies from random devices on the network. It makes sense, but it's just something I've never even thought of trying.

If I do it at home though, it does not work. Why is this?

trick0502 · Mar 15, 2011

you cant ping the broadcast address. there isnt a device on that address. you must have been mistaken what the broadcast address is at work.

Red Squirrel · Mar 15, 2011

Oh no, we were definitely getting all sorts of replies from different IPs. First time I see that.

voodoochildbc · Mar 15, 2011

Broadcast ping should be turned off on network devices. Reason = Smurf attacks. It might be disabled by default depending on your router.

I completely forgot you could do this because it -shouldn't- work on the majority of equipment

trick0502 · Mar 15, 2011

i dont understand how you would get a reply when you ping the broadcast address. when you ping something you send out a hello and wait for someone to say hello back. who is sending the hello back? there isnt a device on the broadcast address to say hello back.

what is replying to your ping when you ping the broadcast?

hawk82 · Mar 15, 2011

http://support.microsoft.com/kb/137421
Old but appears to have valid explanations.

Red Squirrel · Mar 15, 2011

tricky0502 said:
i dont understand how you would get a reply when you ping the broadcast address. when you ping something you send out a hello and wait for someone to say hello back. who is sending the hello back? there isnt a device on the broadcast address to say hello back.

what is replying to your ping when you ping the broadcast?

My guess is because it's the broadcast address, everything on the network gets the packet. So some devices reply, and they reply to the source, naturally, so that's how I get a reply.

But I kinda figured it should be turned off.

Though, I wonder what happens if you spoof your IP to be the broadcast address, and ping the broadcast address. (and this is where the whole network went down

)

voodoochildbc · Mar 15, 2011

The device is sending the packet back. It looks at the source address. Again, this is probably disabled on pretty much everything around these days.

To be specific (after looking): Windows boxes probably discard those types of pings coming from broadcast addresses according to MSDN. Devices with other OS's might have it enabled.

greengolftee87 · Mar 15, 2011

tricky0502 said:
i dont understand how you would get a reply when you ping the broadcast address. when you ping something you send out a hello and wait for someone to say hello back. who is sending the hello back? there isnt a device on the broadcast address to say hello back.

what is replying to your ping when you ping the broadcast?

When you ping the broadcast you're basically saying hello to anything that's listening. Then, if the device is allowed to respond it does. If i remember correctly windows broadcast response is disabled by default and linux is enabled I think.

voodoochildbc · Mar 15, 2011

Red Squirrel said:
Though, I wonder what happens if you spoof your IP to be the broadcast address, and ping the broadcast address. (and this is where the whole network went down )

Huh? Windows won't let you do that unless you purposely screw up your subnet mask... not sure about linux, and I don't see how this is any different from pinging the broadcast address with a valid IP. The network probably went "down" because the machine had no idea how the hell to communicate

Red Squirrel · Mar 15, 2011

Oh no, I did not actually bring the network down. I was just wondering what would happen, but no I would not try it lol.

My gut feeling is it would cause some kind of infinite loop. One of the machines would need to be taken offline.

voodoochildbc · Mar 15, 2011

Well, just like the former situation, everything would reject it most likely. Plus those machines know what the correct mask is

Red Squirrel · Mar 15, 2011

Yeah I guess the machines that were replying must be badly configured then. We'll have to check into that.

I have a bunch of Linux and Windows systems on my network at home and none of them reply.

voodoochildbc · Mar 15, 2011

As long as you can't do that from another interface on another subnet in your network, it's probably not a big deal

Shadowspawn · Mar 16, 2011

Pinging the broadcast address results in every device in the subnet receiving the ping. You see the first response. This is usually the gateway device, but not always.

Come on guys, this is basic networking.

voodoochildbc · Mar 16, 2011

No, it's not really basic networking. Find me a networking introduction book that tells you that it's ok to ping the broadcast address - that's a debatable diagnostic test at best. There are other things going on behind the theory that can and often do cause this not to work.

plugwash · Mar 16, 2011

the linux ping tool will show you all responses it gets to a broadcast ping (with all but the first one marked as duplicates). I think the windows one only shows the first but i'm not positive on that.

Years ago pretty much everything would reply to a broadcast ping. These days it's often blocked due to security and privacy concerns. The only thing that responded when I launched one on my lan just now was my printer (though I don't have much turned on right now anyway).

On linux there is a setting whether to respond or not. I presume the default depends on the distro and/or version.

I don't think spoofing the source address would produce an infinite loop. Echo and echo reply are distinct types of packet.

Jay_2 · Mar 16, 2011

the entire point of the broadcast address is to be able to send packets to all devices, pinging it should give you a reply.Some nasty "find all devices on the network" software uses this method.

XOR != OR · Mar 16, 2011

voodoochildbc said:
No, it's not really basic networking. Find me a networking introduction book that tells you that it's ok to ping the broadcast address - that's a debatable diagnostic test at best. There are other things going on behind the theory that can and often do cause this not to work.

Basic networking tells us the purpose of the broadcast address, from there it's easy to extrapolate what might happen if you ping it. And sure enough, many devices will respond to it. In fact, I'd guess that pretty much every device would ten years ago. Even across broadcast domains ( ie: you are on 10.0.0.0/24, and you ping 10.100.0.255 you'd get responses ).

Sure, there are settings in most routers to turn this behavior off. And in fact, in many OSes now there are security features to prevent this. But these are features that were responses to attacks utilizing this vector.

So yes, this is basic networking.

Shadowspawn · Mar 16, 2011

voodoochildbc said:
No, it's not really basic networking. Find me a networking introduction book that tells you that it's ok to ping the broadcast address - that's a debatable diagnostic test at best. There are other things going on behind the theory that can and often do cause this not to work.

XOR != OR said:
Basic networking tells us the purpose of the broadcast address, from there it's easy to extrapolate what might happen if you ping it. And sure enough, many devices will respond to it. In fact, I'd guess that pretty much every device would ten years ago. Even across broadcast domains ( ie: you are on 10.0.0.0/24, and you ping 10.100.0.255 you'd get responses ).

Sure, there are settings in most routers to turn this behavior off. And in fact, in many OSes now there are security features to prevent this. But these are features that were responses to attacks utilizing this vector.

So yes, this is basic networking.

My hero.

Yes, it is basic networking. Just because it gets turned off for security reasons doesn't take away that it is part of the basic idea behind IPv4.

voodoochildbc · Mar 16, 2011

Thanks for repeating what was already said 5 times.

Private Citizen · Mar 16, 2011

On our network network attached printers are the ones that usually answer x.x.x.255 ping. Is this true in your case too Red?

Waypo · Mar 16, 2011

The only replies I get are from newer Cisco switches and an older router. I'm surprised by that. I would think if it's a legitimate security concern a company like Cisco would have defaulted that to off by now.

Red Squirrel · Mar 16, 2011

Private Citizen said:
On our network network attached printers are the ones that usually answer x.x.x.255 ping. Is this true in your case too Red?

I'll have to check. We have around 100 printers so it could very well be.

aaronearles · Mar 16, 2011

plugwash said:
the linux ping tool will show you all responses it gets to a broadcast ping (with all but the first one marked as duplicates). I think the windows one only shows the first but i'm not positive on that.

Looks like "fping" will show multiple replies, I'm not aware of any way to do this with regular ping, am I missing it? (although I am doing this from bsd, not linux)

The only thing that replies on my home network, is my ddwrt v24 based wap.

trick0502 · Mar 16, 2011

i did get replys when i was at work too. it is a school network and i was on the administration side. im really not sure that devices were replying but i would love to know.

pinging the broadcast address

[H]F Junkie

Supreme [H]ardness

[H]F Junkie

Limp Gawd

Supreme [H]ardness

[H]ard|Gawd

[H]F Junkie

Limp Gawd

Limp Gawd

Limp Gawd

[H]F Junkie

Limp Gawd

[H]F Junkie

Limp Gawd

[H]ard|Gawd

Limp Gawd

[H]ard|Gawd

2[H]4U

[H]F Junkie

[H]ard|Gawd

Limp Gawd

Gawd

Weaksauce

[H]F Junkie

[H]ard|Gawd

Supreme [H]ardness