Login attempts from 255 IP? (3.0.115.255)

today I see some login attempts from an unusual IP: 3.0.115.255 and I ask myself: how can this happen, that an IP ends with 255? I thought it's for broadcasting - can it be assigned to a single machine?

Greetings

mathse

Solution 1:

First thing to note, not every IP which ends with .255 is a broadcast. If it's using a wider mask, it wouldn't be considered a broadcast address in its network. You can configure a network with following addresses:

one machine: 192.168.1.0/23 (or /255.255.254.0), other machine: 192.168.0.255/23

in any modern OS, and they will happily communicate. Note slightly wider netmask. Both these addresses are actually closest neighbours right in the middle of the network address range (it spans from 192.168.0.0 to 192.168.1.255, 512 addresses in total, of which 510 are assignable).

On a second thought, when system received a packet from some IP, it doesn't bother whether it is broadcast or not. That's just a 32 bit number in the packet header 'source' field. In general, it only bothers to check if that's a broadcast address if it's sending packets there, and it only considers whether it must use a unicast MAC address or broadcast, and only it does so if it's from locally attached network, i.e. it has a direct route to that address.

How do you know if 3.0.115.255 is a broadcast when you aren't near that network? No way, because you don't know how it's subnetted. You may send packets to that address, it'll be routed and eventually only last hop will know, if that's really a broadcast address, it'll broadcast your packet. And it you received packet from that address, again, you don't have a clue if it was broadcast or not.