Re: [nsp] Directed broadcasts

From: Dan Boehlke (dboehlke@mr.net)
Date: Sat Jul 04 1998 - 14:58:55 EDT


On Sat, 4 Jul 1998, Craig A. Huegen wrote:

> On Sat, Jul 04, 1998 at 03:29:05AM -0400, Rick Burts wrote:
> ==>the no ip directed-broadcast command configures the router to not pass
> ==>directed (subnet) broadcasts. If you do this on the routers where
> ==>traffic enters your network, broadcast pings will not get to your
> ==>main router.
> ==>There is not a way to configure the router not to answer if the ping
> ==>packet gets to the router.
>
> "no ip directed-broadcast" is per-LAN-interface. Placing it only on border
> routers does not help. It must be placed on every LAN interface on every
> router.
>
> Beginning in 12.0, "no ip directed-broadcast" is the default behavior.
>
> For information on the smurf attack, see
> http://www.quadrunner.com/~chuegen/smurf/
>
> I'll be adding a section relatively soon on using Committed Access Rate
> (CAR) to limit ICMP echo/echo-replies to a certain amount.
>
> /cah

One minor point. The "no ip directed-broadcast" needs to be on more than
just LAN interfaces. If you have an HSSI or other high speed WAN
interface you need it on those too. I recommend it on all interfaces.
A DS3 can act as a nice doubler without it.

--
Dan Boehlke, Senior Network Engineer                          M R N e t
Internet:  dboehlke@mr.net                       A MEANS Telcom Company
Phone:  612-362-5814                  2829 SE University Ave. Suite 200
WWW: http://www.mr.net/~dboehlke/                Minneapolis, MN  55414
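The thread's point is that "no ip directed-broadcast" has to be checked on every IP interface, WAN links included, and that its meaning flips with IOS 12.0 where it became the default. The audit below is an added example, not code from the thread or from Cisco: it reads a constructed IOS config, works out the version, and lists the interfaces that would still forward directed broadcasts (and so could act as a smurf amplifier).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config (not from the thread). Pre-12.0 IOS, so an
# interface forwards directed broadcasts unless it says otherwise.
SAMPLE_CONFIG = """\
version 11.2
hostname border1
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Hssi1/0
 description DS3 to upstream
 ip address 198.51.100.1 255.255.255.252
!
interface Serial2/0
 no ip address
 shutdown
!
"""

def ios_version(config: str) -> Tuple[int, ...]:
    """Major/minor tuple from the 'version X.Y' line, (0,) if absent."""
    m = re.search(r"^version (\d+(?:\.\d+)*)", config, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else (0,)

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface NAME' stanza to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return interfaces

def interfaces_forwarding_directed_broadcast(config: str) -> List[str]:
    """IP-bearing interfaces (LAN or WAN) that still forward directed broadcasts."""
    new_default = ios_version(config) >= (12, 0)
    flagged = []
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("ip address ") for l in lines):
            continue  # no IP address, nothing to amplify through
        if new_default:  # 12.0+: off unless explicitly turned on
            enabled = any(l.startswith("ip directed-broadcast") for l in lines)
        else:            # pre-12.0: on unless explicitly turned off
            enabled = "no ip directed-broadcast" not in lines
        if enabled:
            flagged.append(name)
    return flagged
```

On the sample config the HSSI DS3 interface is the one reported, which is exactly the WAN case the message warns about; bump the version line to 12.0 and the same config reports nothing.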

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:13 EDT