[c-nsp] security
Jay Hennigan
jay at west.net
Mon Dec 1 16:29:45 EST 2008
Matlock, Kenneth L wrote:
> An IP directed broadcast is an IP packet destined for the network or
> broadcast address.
>
> So for example let's say you have a subnet of 192.168.1.0/24
>
> 192.168.1.0 is the network address.
> 192.168.1.255 is the broadcast address.
>
> An IP packet destined for 192.168.1.255 (the destination address) would
> by default get broadcasted out to all ports in the VLAN/LAN/etc that are
> on the 192.168.1.0 network. (something like the FF:FF:FF:FF:FF:FF
> address on a Layer 2 segment).
>
> Putting that command in disables that 'feature'.
Ken explained it nicely.
The benefit of this from a security standpoint is that it prevents your
network from becoming a smurf "amplifier".
ICMP is connectionless, so it can be easily spoofed. A denial-of-service
attack called "smurf" consists of sending ICMP ping packets forged with
the source of your victim to the all-1s broadcast address of a
well-connected subnet with lots of hosts. This is a packet directed to
the broadcast address of the subnet, hence "directed broadcast". All of
the hosts on that subnet will then reply to the forged address of the
victim, which can overwhelm the victim's network and possibly yours or
one in the middle.
The command "no ip directed-broadcast" causes the router to drop packets
directed to the broadcast address of the subnet.
--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
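To make the forwarding behaviour in this thread concrete, here is a small model of the router's decision, written as an added example for this page (it is not code from the thread or from any Cisco product). The interface names, subnets and packets are constructed: the 192.168.1.0/24 subnet comes from Ken's example, the upstream link and victim addresses are documentation ranges. It shows which destinations count as a directed broadcast for a given router, why a packet that arrives from off-subnet and targets the all-ones address is the dangerous case, and that `no ip directed-broadcast` turns that case into a drop.

```python
"""Model of how a router treats IP directed broadcasts.

Added example for the c-nsp thread above; not code from the thread
or from any router vendor.  All addresses and interface names are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed topology: one router, two directly connected subnets.
# Vlan10 carries Ken's example LAN, Gi0/1 is the upstream link.
INTERFACES = {
    "Vlan10": IPv4Network("192.168.1.0/24"),
    "Gi0/1": IPv4Network("203.0.113.0/30"),   # TEST-NET-3, constructed
}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: IPv4Address
    dst: IPv4Address
    proto: str            # "icmp-echo" in the smurf case


def directed_broadcast_target(dst, interfaces=INTERFACES):
    """Return the interface whose subnet has dst as its broadcast
    (all-ones) or network address, or None if dst is an ordinary host
    address as far as this router is concerned."""
    for name, net in interfaces.items():
        if dst in (net.broadcast_address, net.network_address):
            return name
    return None


def forward_decision(pkt, directed_broadcast_enabled, interfaces=INTERFACES):
    """Decide what the router does with pkt.

    route            - plain unicast forwarding
    local-broadcast  - a host on that LAN broadcasting to its own segment;
                       the router is just one of the receivers
    flood:<iface>    - off-subnet packet to a connected subnet's broadcast
                       address, turned into a link-layer broadcast so every
                       host on <iface> receives it (the smurf amplifier path)
    drop             - same packet under 'no ip directed-broadcast'
    """
    target = directed_broadcast_target(pkt.dst, interfaces)
    if target is None:
        return "route"
    if target == pkt.in_iface:
        return "local-broadcast"
    if directed_broadcast_enabled:
        return f"flood:{target}"
    return "drop"


def classify(in_iface, src, dst, directed_broadcast_enabled,
             proto="icmp-echo", interfaces=INTERFACES):
    """String-based convenience wrapper around forward_decision()."""
    pkt = Packet(in_iface, IPv4Address(src), IPv4Address(dst), proto)
    return forward_decision(pkt, directed_broadcast_enabled, interfaces)


if __name__ == "__main__":
    # Constructed smurf-style packet: arrives on the upstream link, source
    # forged as the victim (198.51.100.7, TEST-NET-2), destination is the
    # all-ones address of the 254-host LAN.
    for enabled in (True, False):
        state = "ip directed-broadcast" if enabled else "no ip directed-broadcast"
        verdict = classify("Gi0/1", "198.51.100.7", "192.168.1.255", enabled)
        print(f"{state:28} -> {verdict}")
```

With the feature enabled the forged echo request is flooded to every host on Vlan10, and each one answers the victim; with it disabled the router simply drops the packet at the boundary, which is the whole point of the command. The model also shows why a normal broadcast from a host already on the LAN is unaffected: the router only intervenes when the broadcast would have to be forwarded from another interface.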