[c-nsp] security

Jay Hennigan jay at west.net
Mon Dec 1 16:29:45 EST 2008

Matlock, Kenneth L wrote:
> An IP diected broadcast is an IP packet destined for the network or
> broadcast address.
> So for example let's say you have a subnet of
> is the network address.
> is the broadcast address.
> An IP packet destined for (the destination address) would
> by default get broadcasted out to all ports in the VLAN/LAN/etc that are
> on the network. (something like the FF:FF:FF:FF:FF:FF
> address on a Layer 2 segment).
> Putting that command in disables that 'feature'.

Ken explained it nicely.

The benefit of this from a security standpoint is that it prevents your 
network from becoming a smurf "amplifier".

ICMP is connectionless so can be easily spoofed.  A denial-of-service 
attack called "smurf" consists of sending ICMP ping packets forged with 
the source of your victim to the all-1s broadcast address of a 
well-connected subnet with lots of hosts.   This is a packet directed to 
the broadcast address of the subnet, hence "directed broadcast".  All of 
the hosts on that subnet will then reply to the forged address of the 
victim, which can overwhelm the victim's network and possibly yours or 
one in the middle.

The command "no ip directed-broadcast" causes the router to drop packets 
directed to the broadcast address of the subnet.

Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

More information about the cisco-nsp mailing list