As I recall from my old network engineering days a ping to a broadcast address should be done on the same subnet as the broadcast address, as a general rule. In this case, all the IP addresses on the network will respond for all interfaces configured and operational (and not blocking).
They may reply with some nasty packet type other than echo response ICMP, like source quench!
If they have ever swapped any sort of IP packet with you, I would think it will be in your arp cache. Does ARP cache hold everything that arrives on your stack, or just arp responses for arp you initiated? Is there an arp cache poisoning attack?
I believe ARP entries are good for about 5 minutes (which fouls up IP failover strategies on very high uptime systems), so the list does not usualy get very long. I suppose a NIC with a promiscuous arp algorythm could collect ARP from packets not for you, if you are not segregated by a switch from all such traffic. Network is a very competitive arena.
a ping to a broadcast address should be done on the same subnet as the broadcast address, as a general rule.
True - still, this works only if network (the department, not the device) hasn't decided that every network connection, even one on the same subnet, has to go over a switch with firewall capabilities enabled (that is: each and every port blocked per default).
In my last project i had such a network, which is truly a PITA: you won't even get a ping from your default gateway back - but should manage HA-networks over that crap. Usually it took us 2-3 weeks to set up a cluster - 1 hour for installing and configuring it, the rest for filling out the forms required to get the various necessary ports opened in the firewall (which never worked right the first time).