RE: Smurf Attack

From: Jay Hennigan (jay@west.net)
Date: Fri Sep 12 2003 - 12:28:06 GMT-3


On Fri, 12 Sep 2003, Paul Borghese wrote:

> It should be placed on the serial interface that connects your network to the
> internet.

I don't believe this to be the case. The "no ip directed-broadcast"
command prevents traffic directed to the specific network broadcast
address from being sent out an interface. As a smurf amplifier is
used to generate a large number of ICMP replies to a spoofed source,
the vulnerable interface would not be the serial interface of the router
which has only one host, the router itself. A directed broadcast
to an ethernet address with many machines on the same subnet would
be a much more effective smurf amplifier. The original question was
whether the "no ip directed-broadcast" command should be applied to
all interfaces or just the ethernet interfaces. I would answer that
it should be applied to all interfaces, but that the importance with
regard to smurf attacks is greater on those interfaces with multiple
hosts on the directly-connected networks, the ethernet interfaces.

See RFC 919 and RFC 922 for more on IP specific network broadcasts.
Of historical note, the broadcast address in early IP implementations
was the all-zeros address with some vendors as opposed to the all-ones
standard today.

> I believe with 12.x or later, this is the default configuration
> for serial interfaces.

I think it's default for all interfaces at least since 12.0.

> To: ccielab@groupstudy.com
> Subject: Smurf Attack
>
> When asked to prevent a Smurf Attack, should I disable
> ip directed-broadcast on all interfaces or only
> ethernet interfaces?

-- 
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
WestNet:  Connecting you to the planet.  805 884-6323      WB6RDV
NetLojix Communications, Inc.  -  http://www.netlojix.com/
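Added example, not part of the original post: a small Python model of the forwarding decision Jay describes, so the "serial vs. ethernet" argument can be checked against concrete prefixes. The interface table (a /30 serial link and two ethernet segments, with a flag for whether ip directed-broadcast is still enabled) is constructed for this example; the all-zeros option models the obsolete broadcast form mentioned alongside RFC 919/922.

```python
import ipaddress

# Constructed interface table (assumption for this example, not from the post):
# prefix of the directly connected network and whether "ip directed-broadcast"
# is still enabled on that interface.
INTERFACES = {
    "Serial0/0":   ("192.0.2.0/30",    True),
    "Ethernet0/0": ("198.51.100.0/24", True),
    "Ethernet0/1": ("203.0.113.0/25",  False),
}


def host_count(network):
    """Usable host addresses on a connected network: the upper bound on the
    number of ICMP echo replies one spoofed echo request can trigger there."""
    net = ipaddress.ip_network(network)
    return max(net.num_addresses - 2, 0)


def directed_broadcast_target(dst, interfaces=INTERFACES, all_zeros=False):
    """Name of the connected network whose directed-broadcast address is `dst`,
    or None.  all_zeros=True also matches the old all-zeros broadcast form that
    some early IP implementations used instead of all-ones."""
    addr = ipaddress.ip_address(dst)
    for name, (prefix, _enabled) in interfaces.items():
        net = ipaddress.ip_network(prefix)
        if addr == net.broadcast_address or (all_zeros and addr == net.network_address):
            return name
    return None


def forwarding_decision(dst, interfaces=INTERFACES):
    """Simulate the router's handling of a packet arriving from the Internet.
    A packet to a directed-broadcast address is expanded onto the segment only
    if the outgoing interface still has ip directed-broadcast enabled."""
    name = directed_broadcast_target(dst, interfaces)
    if name is None:
        return "unicast"
    prefix, enabled = interfaces[name]
    if enabled:
        return "amplified x%d on %s" % (host_count(prefix), name)
    return "dropped at %s" % name


def exposed_amplifiers(interfaces=INTERFACES):
    """Interfaces that still accept directed broadcasts, largest segment first:
    the order in which they matter as smurf amplifiers."""
    exposed = [(name, host_count(prefix))
               for name, (prefix, enabled) in interfaces.items() if enabled]
    return sorted(exposed, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for dst in ("192.0.2.3", "198.51.100.255", "203.0.113.127", "198.51.100.7"):
        print(dst, "->", forwarding_decision(dst))
    print("still exposed:", exposed_amplifiers())
```

Running it shows the point of the reply: the /30 serial link yields at most 2 replies per spoofed request, the /24 ethernet segment up to 254, and the /25 with the command applied drops the packet outright. Applying `no ip directed-broadcast` everywhere empties the exposed list; the ethernet interfaces are simply where the gain is.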


This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:27 GMT-3