Stupid subnetting question

  1. #1
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165

    Stupid subnetting question

    Me and my friend use the same ISP. Our LAN IPs are 10.0.0.245 (me) and 10.0.1.27 (friend). Now, since both our subnet masks are 255.255.255.0, we can't access each other's computers using NetBIOS (basically \\10.0.0.245\sharename or \\mycomputername\sharename don't work). I got around this problem by simply changing both our subnet masks to 255.255.0.0. What I wanted to know is whether this has any effect on the network at large and whether anything can be done to prevent users doing this.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    As a newbie, I didn't get your question. But it is a very strange IP configuration.
    First, your ISP assigns you a private IP range (10.x.x.x)? You don't have an IANA IP address assigned? How do you get to the Internet? Does the ISP proxy (or NAT) your requests?
    ALL users of that ISP share the same address range? (It does not look PRIVATE if someone can see another one.)
    The other odd thing is that you know their IP address but you can't get a route to it with a 24-bit mask. But you CAN get to it with a 16-bit mask. That is really odd. I'm assuming that you and your friend are on distinct connections (not on the same LAN).
    I don't think that this change can cause a problem, except that you bring thousands of unknown people into your network....
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The subnet mask is used to determine whether the destination is local or remote. If the mask says the destination IP is local it sends out an ARP "who has 10.0.0.1". If the mask says the destination is remote it sends the packet to the default gateway for further routing.

    What you just told the two machines was that 10.0.x.x is on the local subnet which may or may not be true. You could be denying yourself some services if the service is actually across a router since the broadcast ARP message will not pass across the router and your system will therefore not be able to find the service, (unless a failed ARP request then has the packets sent to the default gateway - but I don't think that occurs - you might want to check though).

    A better subnet mask for those two subnets may be 255.255.252.0. That would allow you to see each other but also not fail out on services that may be across a router.

    Anyone else could do the same as you have done but since the mask only determines local/remote for the device there isn't any way I can think that it could be "exploited" in your case since it is used for outbound packets not inbound.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    If you change your mask to enlarge your network, you are telling your IP stack to "see" more hosts. If an attacker does the same, on the same ISP, he/she can scan your computer. Because you have changed your mask, your IP stack will reply to scan packets. Is that a way to exploit the change?
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #5
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Heya TS,
    Thanks for the reply. However, since nothing broke, I'm assuming that we're both on the same subnet, which is very likely since we live in opposite buildings. I always thought that subnet masks were always constant (255) or variable (0) and no in-between values were allowed. Guess not.

    Cheers,
    cgkanchi

    PS: I'm only this bad at networking, nothing else.
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  6. #6
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    I think you should reconsider using NetBIOS. cacosapo kind of hit around this concept, but did not make it clear. What you see with NetBIOS everyone else sees with NetBIOS. Additionally, if the system on the other end has additional trusts set up, then unless the remote admin is really on the ball, you are letting your system show up on everyone else's NetBIOS schemes. NetBIOS is especially vulnerable to informational type pre-attacks. It would be much smarter and safer to set up a VPN. Think of NetBIOS as unprotected computer sex, where your computer is sleeping with every computer that your partner's computer has slept with, and so on - and so on.

    Now this link is to a hacking type web page, however it touches on just the tip of the iceberg, where NetBIOS attacks are concerned.
    http://alliancedethroned.webspace4free.biz/NetBios1.htm
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by cgkanchi
    I always thought that subnet masks were always constant (255) or variable (0) and no in between values were allowed. Guess not.
    This is called VLSM (Variable Length Subnet Mask) or CIDR (Class-less Internet Domain Routing) depending on the location and/or purpose. That's where the subnet mask "slash-notation" (/16, /32) is from, the number being the number of bits used for the mask. 255.255.255.0 = /24, 255.255.252.0 = /22.


    Now as far as the original question goes, using the IP address in the UNC path (\\10.0.0.X\) should normally work even between subnets, unless your ISP's router filters on ports 137-139 (NBT), 445 (SMB over TCP), which would be my guess...

    The only difference when on different subnets (without special configuration) is that you won't see the other computer(s) in the network neighbourhood since WINS uses broadcasts which won't be forwarded on the other subnet.

    Ammo
    Credit travels up, blame travels down -- The Boss

  8. #8
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    OverdueSpy,
    I am aware of the perils of using NetBIOS. But it's simple and easy. Also, I only create the share when my friend wants to transfer something and then delete it when it's done. I've also locked down the share so that only a person who is a member of the ShareUsers group (which is only my friend) has any access to the share, and that too read only. Plus, since I've disabled NetBIOS over TCP/IP, no one outside the LAN can access my share anyway.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Cacosapo: You are kinda correct in that enlarging the mask allows your computer to "see" more hosts.... But it "sees" them as local. It doesn't mean that suddenly, magically, the device can talk to more computers - if a packet gets routed to your box it will reply if it is able regardless of whether the packet travels locally, by a direct ARP request, or remotely by passage through router(s). Those people already on his 10.0.0.0/24 subnet already see his computer as local and will send an ARP request for communication. Those on his friend's 10.0.1.0/24 subnet will see others on the same subnet as local but will forward packets to cgkanchi to the default gateway for routing. They probably share the same router for a gateway that has an address of, say, 10.0.0.1/16, (255.255.0.0). Thus when it receives a packet from 10.0.0.245, (cgkanchi) looking for 10.0.1.27, (his friend) the entire sequence would go like this:-

    1. cgkanchi's machine readies packet for transmission and looks at the destination address.
    2. After passing the address through the mask it determines the destination is remote.
    3. The packet is sent to the MAC address of the default gateway, (the router), if it has it or sends out an ARP request, gets the MAC of the router and forwards the packet.
    4. The router looks at the destination address and compares it to its subnet mask and finds a match.
    5. It sends out an ARP request for 10.0.1.27, upon receipt of the MAC address it forwards the packet to the destination machine.

    Now, as they previously had the masks, (255.255.255.0), neither machine would see the remote as local so it would route the packet to the default gateway rather than make a direct ARP request. However, since they changed the mask so that both their subnets appear local to each other then the ARP request is sent and direct contact can be made. Even in their previous state, (mask 255.255.255.0), someone on subnet 10.0.2.0/24, (255.255.255.0) could ping 10.0.0.245 because the packets would be moved in the point by point scenario above.

    cgkanchi: You are both on the same subnet now, but, for example if the master DNS servers were on 10.0.129.0/24 subnet and it is across a router your computers would be sending ARP requests to try to find it. Since the ARP request won't be routed by the router your computer will think the DNS server is down, (assuming for the scenario you have only one), and you won't receive any DNS service - thus the web will go down for you. I suspect you have a situation as described above where the master router is 10.0.0.1/16, (255.255.0.0) and that's why it all works, you are all really in the same collision domain.

    The other day I gave a suggestion to someone about setting up a new subnet to miff his brother and that scenario could cause some confusion since I said that his brother's PC won't be able to talk to his PC on the secondary subnet. The confusion could arise from the fact that I said cgkanchi's computers will talk to anyone who can get a packet to them. In "Newb"'s case their default gateway is a PC set up as a router/firewall on subnet 192.168.0.0/24, (255.255.255.0), and I suggested he put a subnet 10.0.0.0/30, (255.255.255.252), for his two computers to talk to each other on. The reason his brother's PC couldn't talk to his PC is that 10.0.0.1 is not on brother's subnet, (he's on 192.168.0.0/24), so his computer would forward the packet to the default gateway for retransmission. This is where his scenario works - the router will look at the packet for 10.0.0.1 and decide that the subnet is remote and will forward the packet to the next router outbound since no route exists for the 10.0.0.0 subnet and it isn't local because the local IP and subnet mask say so. So his brother's packets would never be routed back into the network.

    What I did with the mask in "Newb"'s case was to make the mask so restrictive, (only 4 IP addresses the first and last of which are unusable broadcast addresses), that all packets that are not for IP Addresses 10.0.0.1 or 10.0.0.2 get sent to the default gateway and from there misrouted outbound and subsequently dropped. So his brother can't even ping him on the secondary subnet unless he adds a statement to the router acknowledging the existence of the 10.0.0.0/24 as being internal. Then he has a chance of being able to play... OTOH, when he wants his computer at 10.0.0.1 to talk to 10.0.0.2 the combination of address and mask indicate a local machine so an ARP broadcast is sent out and the two computers will talk directly via the MAC addresses.

    Phew......

    It's complicated..... I would be embarrassed if I told you how long it took me to "get" this and there are still more days than I'd care to mention that I think I really don't "have it"....

    If you want any clarification ask away.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    It was my first point. Unfortunately, my explanation was quite obscure.
    Since they couldn't talk to each other (with the ISP), I assumed the router was blocking traffic between LANs. After he told us that changing the mask changes the visibility, I understood that everybody there is in the same network (same collision domain, as TS stated). That is odd security, assigning different masks to segregate computers on the same LAN segment. However, changing the mask from /24 to /16 will include new "strangers" on the network. I don't know how many networks are there, I'm simply supposing.
    Of course that "mask" can be broken in other ways, but changing the mask (I would like to know why it was set like that) will bring in guys (assuming that the network is larger than 2 subnets) that didn't need to know the network (such as script kiddies). Since Windows (on a default installation) is not quite a secure OS, I was just making the risks clear.
    (Thanks TS for that good explanation - I need to learn how to write a little more :P)

    P.S. I'm kind of paranoid about security. When someone asks how to put a window in his house, I reply with walls and iron bars. Sorry...
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
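
The local-versus-remote decision walked through in posts #3 and #9, as an added example that is not part of the original thread. It uses the addresses and masks quoted above and goes slightly further by computing the narrowest network that covers both hosts; the gateway 10.0.0.1 is the guess from post #9 and the DNS host 10.0.129.10 is constructed for illustration.

```python
import ipaddress

GATEWAY = "10.0.0.1"  # assumed gateway address, as guessed in post #9


def next_hop(host_ip, mask, dest_ip, gateway=GATEWAY):
    """Outbound decision a host makes: ARP for the destination or use the gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")
    dest = ipaddress.ip_address(dest_ip)
    if dest in iface.network:
        return ("arp", str(dest))    # treated as on-link: broadcast "who has <dest>"
    return ("gateway", gateway)      # treated as remote: frame goes to the router's MAC


def narrowest_common_network(ip_a, ip_b):
    """Smallest network (longest prefix) under which both addresses look local."""
    a = int(ipaddress.ip_address(ip_a))
    b = int(ipaddress.ip_address(ip_b))
    prefix = 32 - (a ^ b).bit_length()  # count of leading bits the two addresses share
    return ipaddress.ip_network((a, prefix), strict=False)


if __name__ == "__main__":
    me, friend = "10.0.0.245", "10.0.1.27"
    dns = "10.0.129.10"  # constructed host on the 10.0.129.0/24 subnet from post #9
    for mask in ("255.255.255.0", "255.255.252.0", "255.255.0.0"):
        print(mask, "friend:", next_hop(me, mask, friend), "dns:", next_hop(me, mask, dns))
    net = narrowest_common_network(me, friend)
    print("narrowest shared network:", net, "mask", net.netmask)
```

With 255.255.0.0 the constructed DNS host is ARPed for directly, which is the case post #9 says fails if that host actually sits behind a router; with 255.255.252.0 the same lookup goes to the gateway while the friend's address stays on-link.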
