[c-nsp] security

Adam Greene maillist at webjogger.net
Tue Dec 2 09:02:56 EST 2008


How does one get around the side-effect of not allowing broadcasts; i.e. 
wouldn't this break ARP functionality?

----- Original Message ----- 
From: "Jay Hennigan" <jay at west.net>
To: <cisco-nsp at puck.nether.net>
Sent: Monday, December 01, 2008 4:29 PM
Subject: Re: [c-nsp] security


> Matlock, Kenneth L wrote:
>> An IP directed broadcast is an IP packet destined for the network or
>> broadcast address.
>>
>> So for example let's say you have a subnet of 192.168.1.0/24
>>
>> 192.168.1.0 is the network address.
>> 192.168.1.255 is the broadcast address.
>>
>> An IP packet destined for 192.168.1.255 (the destination address) would
>> by default be broadcast out to all ports in the VLAN/LAN/etc that are
>> on the 192.168.1.0 network. (something like the FF:FF:FF:FF:FF:FF
>> address on a Layer 2 segment).
>>
>> Putting that command in disables that 'feature'.
>
> Ken explained it nicely.
>
> The benefit of this from a security standpoint is that it prevents your 
> network from becoming a smurf "amplifier".
>
> ICMP is connectionless so can be easily spoofed.  A denial-of-service 
> attack called "smurf" consists of sending ICMP ping packets forged with 
> the source of your victim to the all-1s broadcast address of a 
> well-connected subnet with lots of hosts.   This is a packet directed to 
> the broadcast address of the subnet, hence "directed broadcast".  All of 
> the hosts on that subnet will then reply to the forged address of the 
> victim, which can overwhelm the victim's network and possibly yours or one 
> in the middle.
>
> The command "no ip directed-broadcast" causes the router to drop packets 
> directed to the broadcast address of the subnet.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service  -  http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> 

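As an added illustration (not code from the thread, from Cisco, or from any poster), here is a small Python model of the forwarding decision Jay describes: a router receiving an IP packet from another network checks whether the destination is the broadcast (or, per Ken's definition, the network) address of the egress subnet and, under "no ip directed-broadcast", drops it; with directed broadcast enabled it floods the packet, and every host that answers an echo request becomes a smurf amplifier aimed at the forged source. The topology, interface names, host counts and addresses are constructed. Note that the check only sees IP packets being routed onto the subnet; an ARP request is an Ethernet frame to ff:ff:ff:ff:ff:ff that a router never forwards between subnets, so it is not affected by this setting.

```python
"""Toy model of the IP directed-broadcast check (constructed example, not IOS code)."""
import ipaddress
from dataclasses import dataclass

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network
    # Models the interface command; False corresponds to "no ip directed-broadcast".
    directed_broadcast: bool = False
    # Hosts on the segment that would answer a broadcast ping (used for the smurf estimate).
    hosts_online: int = 0


@dataclass
class Packet:
    src: str          # for a smurf probe this is the forged victim address
    dst: str
    proto: str = "icmp-echo"


class Router:
    def __init__(self, interfaces):
        self.interfaces = interfaces

    def egress(self, dst):
        """Longest-prefix match over connected subnets only (no other routes modelled)."""
        dst = ipaddress.IPv4Address(dst)
        best = None
        for intf in self.interfaces:
            if dst in intf.network and (best is None or intf.network.prefixlen > best.network.prefixlen):
                best = intf
        return best

    def classify(self, dst):
        """Meaning of dst on its egress subnet: 'host', 'network', 'broadcast', 'limited', or None."""
        dst = ipaddress.IPv4Address(dst)
        if dst == LIMITED_BROADCAST:
            return "limited"
        out = self.egress(dst)
        if out is None:
            return None
        if dst == out.network.broadcast_address:
            return "broadcast"
        if dst == out.network.network_address:
            return "network"
        return "host"

    def forward(self, pkt):
        """Decision for a packet that arrived from another network.
        Returns (verdict, reason) with verdict in {'forward', 'flood', 'drop'}."""
        kind = self.classify(pkt.dst)
        if kind == "limited":
            return "drop", "255.255.255.255 is never routed"
        if kind is None:
            return "drop", "no connected route"
        out = self.egress(pkt.dst)
        if kind in ("broadcast", "network"):          # a directed broadcast, as defined in the thread
            if out.directed_broadcast:
                return "flood", f"directed broadcast flooded out {out.name}"
            return "drop", f"no ip directed-broadcast on {out.name}"
        return "forward", f"unicast out {out.name}"

    def smurf_replies(self, victim, amplifier_bcast, probes):
        """Echo replies the victim receives when an attacker sends `probes` pings
        forged from `victim` to `amplifier_bcast` through this router."""
        verdict, _ = self.forward(Packet(src=victim, dst=amplifier_bcast))
        if verdict != "flood":
            return 0
        return probes * self.egress(amplifier_bcast).hosts_online


def build_router(directed_broadcast=False):
    """Constructed topology: a /24 with 200 live hosts and a /8 behind one router."""
    return Router([
        Interface("Gi0/0", ipaddress.IPv4Network("192.168.1.0/24"), directed_broadcast, hosts_online=200),
        Interface("Gi0/1", ipaddress.IPv4Network("10.0.0.0/8"), directed_broadcast, hosts_online=5000),
    ])


if __name__ == "__main__":
    victim = "203.0.113.9"   # constructed victim address (documentation range)
    for enabled in (True, False):
        r = build_router(enabled)
        print("ip directed-broadcast" if enabled else "no ip directed-broadcast")
        for dst in ("192.168.1.255", "192.168.1.0", "192.168.1.42", "255.255.255.255"):
            print(f"  {dst:16} -> {r.forward(Packet(victim, dst))}")
        print("  replies reaching victim per 1000 probes:",
              r.smurf_replies(victim, "192.168.1.255", 1000))
```

The amplification factor is simply the number of hosts on the target segment that answer broadcast pings, which is why a well-populated subnet with directed broadcast left enabled is worth far more to an attacker than the single host the attacker could otherwise ping.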