Re: Broadcast packets not blocked by filter ?!?




Maybe it got removed because it was invalid or conflicting...

I tried again... this time it worked for the broadcast packets...

But unicast both ways is not blocked...

So I would have to add a special rule to block unicast in both ways...

This kinda sux because it requires two rules... which is double as much work
but ok.

Also trying to ban 255.255.255.255 for a specific source is not possible...

So I had to choose "any ip" which is a bit strange but ok ;)

End result:

Broadcast packets banned for ip X
Unicast packets banned for ip X both ways.

However I also noticed something weird:

The broadcast packets were still showing up in the Wireshark sniffer...

Apparently broadcast packets follow a different route through the Windows
filter/firewall/policy logic ?!?!?

^ Weird... might be exploitable too ;) ^ For example "broadcast attacks on
VPLAN's" might still work.

Bye,
Skybuck.


"Skybuck Flying" <BloodyShame@xxxxxxxxxxx> wrote in message
news:e1df7$4a57b6aa$d53372a9$8216@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Hmm weird... the source rule disappeared gonna try again first ;)

Bye,
Skybuck.

"Skybuck Flying" <BloodyShame@xxxxxxxxxxx> wrote in message
news:a3df8$4a57b65d$d53372a9$7870@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Nope that doesn't seem to work.

I choose filter option "block".

Instead of the "request security".

(Maybe block doesn't work ? but unicast it does seem to block so this is
weird).

Maybe this is a broadcast bug in the filter ?!?

Now I am gonna try a special broadcast rule.

Bye,
Skybuck.

"Skybuck Flying" <BloodyShame@xxxxxxxxxxx> wrote in message
news:34624$4a57b566$d53372a9$6847@xxxxxxxxxxxxxxxxxxxxxxxxxxx
So far I base the rules on "destination address/ip".

Before I try a special broadcast rule....

First I try a "source address/ip" rule...

Maybe that will work for banning broadcast packets too...

Bye,
Skybuck.

"Skybuck Flying" <BloodyShame@xxxxxxxxxxx> wrote in message
news:7a36e$4a57b48b$d53372a9$5989@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

I banned ip address: 7.0.79.54 in Windows XP policy etc...

(This is a virtual ip)

To my surprise the broadcast packets are not blocked ?

(Only unicast packets are blocked ?!?)

So for example udp packet:

Source IP: 7.0.79.54
Dest IP: 255.255.255.255

^^^ Is not blocked.

While

Source IP: 7.0.79.54
Dest IP: My IP

^^^ Is blocked ?!?!?

I guess I have to add a special rule for broadcast packets ?!

Hmm...

Gonna try it...

Later,
Bye,
Skybuck.








