Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!

From: glen.turner () ITD ADELAIDE EDU AU (Glen Turner)
Date: Wed, 23 Jul 1997 12:10:19 +0930

Michael Douglass wrote:


From: Edward Henigin <ed () texas net>
To: Michael Douglass <mikedoug () texas net>
Subject: broadcast filtering HOWTO
...
        I've just been made aware of a command for ciscos,
'ip directed-broadcast'.  Specifically, the 'no' form of the command
will no convert broadcast packets (all ones, I think) into broadcast
ethernet packets, on the final, directly connected interface.  From
cisco's online documentation:

        To enable the translation of directed broadcast to physical
        broadcasts, use the ip directed-broadcast interface
        configuration command. To disable this function, use the no
        form of this command.

        What I take this to mean is that 'no ip directed-broadcast'
        will prevent the mapping of broadcast packets (I don't know
what your cisco will guess 'broadcast packets' are) to broadcast
ethernet framing.  I think this will help... although I don't know all
the ramifications, because I haven't used it, and don't know anyone
who has.


Which is right as far as it goes.  The command only prevents the
mapping for protocols maintained for broadcast forwarding by the
`ip forward-protocol' command (UDP protocols TFTP, DNS, time, NetBIOS,
BOOTP, TACACS by default).  Broadcast forwarding is useful for allowing
IP subnet without servers to see server advertisments.  For example,
broadcast forwarding allows a single NetBIOS server to serve a
multiple-subnet network.

The real purpose of the `ip directed-broadcast' command is to
allow the filtering of server visibility and reachability
(for example, allowing departmentally-maintained BOOTP servers).

It does not prevent translation of a generic 'ping 1.2.3.255' to
an ethernet broadcast.


        And a final note: there are very few applications which depend
on the routing of broadcast packets.  You may know of one such
application; if it's a popular one that you think lots of people are
using, speak up.  So you should feel safe in blocking broadcast
traffic in your network.


BOOTP and DHCP are obvious applications that reply on
directed broadcast forwarding.  In a large modern IP
network, you really need one of these two protocols.

Cheers,
glen

--
glen.turner () itd adelaide edu au     Network Support Specialist
Tel: (08) 8303 3936            Information Technology Division
Fax: (08) 8303 4400             University of Adelaide SA 5005
...- -.- ..... --. -.. -   http://www.adelaide.edu.au/~gturner
    --  A university is a loosely-coupled organisation --
    --  held together by a common interest in parking. --
Previous By Date Next
Previous By Thread Next

Current thread: