IP flooding by using broadcast address

     I believe that it's QUITE rare to have an application that
     is both *routed* and uses the broadcast address. This is
     made harder when you VLSM, but I believe the majority of
     networks are provisioned on an 8 bit boundary, so you can
     filter 90% of the traffic by filtering to the .255 address.

This is a _very_ bad assumption, with a nasty effect on perfectly valid
traffic. Now that bridging (a la switching) is popular again, there are
enormous numbers of supernetted class C networks out there. I can think of
10 sites right now, without thinking hard. I'm sure I could find another
100 without too much work. And that's just the sites I know of personally!!

This simply doesn't work as a mechanism. There are only two solutions:

1. Disable ping reply to your hosts (annoys some people, but prevents this
attack).

2. Disable packets to broadcast addresses on the SOURCE networks. This is
the only reliable solution, since only the local admin knows what the nets
are.

( Unfortunately, cisco router filters are perfectly blind to this sort of
attack. You need two or three filters for each one ...)
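As an added illustration of the point made above (this is example code, not part of the thread): the three attached networks and the sample addresses below are constructed for the example. It puts the proposed "drop anything ending in .255" rule beside the test that only a router owning the subnet can apply, and shows that the blanket rule both misses a real directed broadcast on a /25 and drops a legitimate host inside a /23 supernet.

```python
"""Added example, not from the thread: why a blanket ".255" filter is the
wrong test for directed broadcasts, and what the right test looks like."""
import ipaddress

# Constructed topology: three subnets attached to one router.
#  - a classful /24: broadcast 198.51.100.255
#  - a /25 (VLSM):   broadcast 203.0.113.127, which ends in .127, not .255
#  - a /23 supernet: broadcast 192.0.3.255; 192.0.2.255 is an ordinary host
ATTACHED = ["198.51.100.0/24", "203.0.113.0/25", "192.0.2.0/23"]


def naive_dot255_filter(dst):
    """The proposed blanket rule: drop anything whose last octet is 255."""
    return ipaddress.ip_address(dst).packed[-1] == 0xFF


def is_directed_broadcast(dst, attached=ATTACHED):
    """The correct test: dst is the broadcast address of a subnet this router
    owns.  Only the router attached to the subnet can decide this, which is
    the thread's point that only the local admin knows what the nets are."""
    d = ipaddress.ip_address(dst)
    return any(d == ipaddress.ip_network(n).broadcast_address for n in attached)


def compare(dst, attached=ATTACHED):
    """Classify a destination under both rules.  Returns one of:
      'ok'              both rules agree
      'false_positive'  the .255 rule drops a legitimate host
      'false_negative'  the .255 rule forwards a real directed broadcast
    """
    naive = naive_dot255_filter(dst)
    real = is_directed_broadcast(dst, attached)
    if naive == real:
        return "ok"
    return "false_positive" if naive else "false_negative"


def hosts_wrongly_dropped(attached=ATTACHED):
    """Every valid host address in the attached subnets that the .255 rule
    would throw away (hosts() excludes network and broadcast addresses)."""
    dropped = []
    for n in attached:
        for host in ipaddress.ip_network(n).hosts():
            if naive_dot255_filter(str(host)):
                dropped.append(str(host))
    return dropped


if __name__ == "__main__":
    # Constructed sample destinations seen by the router.
    for dst in ["198.51.100.255", "203.0.113.127", "192.0.2.255", "192.0.3.255"]:
        print(f"{dst:16} naive={naive_dot255_filter(dst)!s:5} "
              f"real={is_directed_broadcast(dst)!s:5} -> {compare(dst)}")
    print("hosts the .255 rule would drop:", hosts_wrongly_dropped())
```

The same mismatch applies to transit traffic: a packet to a .255 host inside someone else's /23 would be dropped by the blanket rule even though the router has no business judging broadcast addresses on networks it is not attached to.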

  I think it would be very wise of cisco to have a global flag
(or at least, a per-interface flag) which would prevent the forwarding
of a packet to an all-ones address. If cisco won't add this feature,

Yes!

I was just told that the interface command "no ip direct-broadcast"
may be what I was asking for..

  Ed

Edward Henigin wrote:

> > I think it would be very wise of cisco to have a global flag
> > (or at least, a per-interface flag) which would prevent the forwarding
> > of a packet to an all-ones address. If cisco won't add this feature,
>
> Yes!
>
> I was just told that the interface command "no ip direct-broadcast"
> may be what I was asking for..

At least on our (OpenROUTE Networks/Proteon) routers and those based on
our code, you can control whether the router will forward packets which
are directed broadcasts. For example, do you allow a packet addressed to
192.168.123.255 to travel to your network from a distance, and then be
broadcast on a LAN medium that is used for the 192.168.123.0 subnet?

Directed broadcasts can be useful within a company's internal network,
but they are not a good thing to allow on a border router.

The original question, though, was about the source address. This could
be addressed with filters, or with the addition of extra options. In our
routers, filters could be constructed for this relatively easily.

(I can't tell you about cisco product, though. I suspect they have many
similar features).
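To tie the thread's two controls together, an added example (not code from the thread, nor from cisco or OpenROUTE/Proteon): a toy per-interface forwarding policy with a directed-broadcast flag that is off by default, plus the source-address check the original question asked about. The Router and Interface classes, the interface names and the prefixes are all constructed for this example. For reference, the Cisco IOS interface command is spelled `no ip directed-broadcast`.

```python
"""Added example, not from the thread: a per-interface forwarding policy with
(1) a source-address check on the LANs the router owns and (2) forwarding of
directed broadcasts disabled per interface by default."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    network: str        # prefix on this interface; "0.0.0.0/0" for the upstream link
    edge: bool          # True for a LAN we own: its sources must lie inside its prefix
    directed_broadcast: bool = False   # forward directed broadcasts onto this LAN?

    @property
    def net(self):
        return ipaddress.ip_network(self.network)


class Router:
    def __init__(self, interfaces):
        self.interfaces = {i.name: i for i in interfaces}

    def egress_for(self, dst):
        """Longest-prefix match over connected prefixes; the only routing table here."""
        candidates = [i for i in self.interfaces.values() if dst in i.net]
        return max(candidates, key=lambda i: i.net.prefixlen, default=None)

    def decide(self, ingress_name, src, dst):
        ingress = self.interfaces[ingress_name]
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

        # Control 1 (the source-address question): a packet arriving from one
        # of our own LANs must carry a source address from that LAN.
        if ingress.edge and src not in ingress.net:
            return "drop: spoofed source"

        egress = self.egress_for(dst)
        if egress is None:
            return "drop: no route"

        # Control 2 (the per-interface flag): a packet whose destination is the
        # broadcast address of the egress LAN is a directed broadcast.  It is
        # forwarded only if the flag is on for that LAN AND it came from inside
        # (policy choice in this example: useful internally, never from the
        # border).  255.255.255.255 matches the upstream link's /0 and is
        # dropped by the same rule.
        if dst == egress.net.broadcast_address and not (
            egress.directed_broadcast and ingress.edge
        ):
            return "drop: directed broadcast"

        return f"forward via {egress.name}"


def build_router(allow_internal_directed=False):
    """Constructed topology: two LANs we own and one upstream link."""
    return Router([
        Interface("eth0", "192.0.2.0/23", edge=True),
        Interface("eth1", "203.0.113.0/25", edge=True,
                  directed_broadcast=allow_internal_directed),
        Interface("ser0", "0.0.0.0/0", edge=False),
    ])


if __name__ == "__main__":
    r = build_router()
    # Constructed sample packets: (ingress interface, source, destination)
    for pkt in [("ser0", "10.9.9.9", "192.0.3.255"),    # attack: broadcast from outside
                ("ser0", "10.9.9.9", "192.0.2.255"),    # plain host inside the /23
                ("eth0", "10.9.9.9", "198.51.100.1"),   # spoofed source on our LAN
                ("eth0", "192.0.2.10", "203.0.113.127"),  # internal directed broadcast
                ("eth0", "192.0.2.10", "8.8.8.8")]:     # ordinary outbound traffic
        print(pkt, "->", r.decide(*pkt))
```

Note that the source check is only meaningful on interfaces whose prefixes the router knows; on the upstream link it is skipped, which is exactly why the thread concludes that the check belongs on the networks where the traffic originates.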