Header Only - DO NOT REMOVE - Extreme Networks

Guidelines for enabling Directed Broadcasts

Article ID: 5503

Directed broadcast
Smurf attack

A Directed Broadcast is defined in RFC1009 as "a datagram to be forwarded normally to the specified destination (sub-)net and then broadcast on the final hop".

A Directed Broadcast is formatted with a destination IP address matching the broadcast address of the destination network (ex:, with the intent of delivery to each of the hosts within that network. This powerful capability lends itself to misuse (ex: Smurf attack), to the point where Directed Broadcast capability on routers is generally disabled by default.

This document explains the conditions under which a Directed Broadcast will be routed from a source station to the destination network, if the network administrator wishes to enable it.

A Directed Broadcast frame is routed as a Unicast frame until it reaches the final router having a direct attachment to the destination network.

Given the more detailed IP network masking information available to that router, it makes a determination regarding whether or not the frame is a Directed Broadcast. A Directed Broadcast frame is only "exploded" for delivery to all ports associated with the destination interface if the router has directed-broadcast enabled on the destination interface, otherwise the Directed Broadcast is dropped.

For further background:
RFC1009, "Requirements for Internet gateways"
RFC1812, "Requirements for IP Version 4 Routers" (obsoletes RFC1009)
RFC2644, "Changing the Default for Directed Broadcasts in Routers" (updates RFC1812)

Support for "Wake on LAN" is one common reason for the use of Directed Broadcast.

To help prevent misuse of this feature, the administrator may also implement policy on the Directed Broadcast enabled router. The logical complexity of this particular application requires not only policy support, but the degree of support currently offered only on the N-Series and S-Series. Prior to the routing process, the policy role is invoked when the destination IP address matches that of a local Directed Broadcast; within the policy, the traffic is forwarded if the source IP address is permitted to use WOL, and otherwise the traffic is dropped.

This sample configuration scopes to all ports on the router:

set policy profile 86 name drop-if-unauthorized-WOL pvid-status enable pvid 0
set policy rule admin-profile ipdestsocket mask 32 admin-pid 86
set policy rule 86 ipsourcesocket mask 32 forward

If implemented on a router with a number of local subnets, multiple admin-profile rules may be stacked.
If more than one station is authorized to do WOL, multiple non-admin rules may be stacked.
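As an added illustration of the last-hop decision and the WOL policy described above (example code written for this article, not Extreme's firmware or CLI), the following Python models a router with two local interfaces. The interface names, subnets and the authorized-source set are constructed for the example.

```python
import ipaddress

# Constructed router state: each interface has the subnet it is attached to,
# whether directed-broadcast is enabled on it, and (optionally) the set of
# source addresses the WOL policy permits. wol_sources=None means no policy.
INTERFACES = {
    "vlan10": {"subnet": "192.0.2.0/24", "directed_broadcast": True,
               "wol_sources": {"198.51.100.10"}},
    "vlan20": {"subnet": "203.0.113.0/24", "directed_broadcast": False,
               "wol_sources": None},
}


def classify(src_ip, dst_ip, interfaces=INTERFACES):
    """Decide what the final-hop router does with a packet.

    Returns (action, interface) where action is one of:
      'unicast'       ordinary host address, routed normally
      'explode'       directed broadcast delivered to every port on the interface
      'drop-policy'   directed broadcast from a source the WOL policy rejects
      'drop-disabled' directed broadcast, but the feature is off on that interface
    Packets whose destination is not on a local subnet are routed as unicast
    toward the next hop, exactly as the article describes.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for name, iface in interfaces.items():
        net = ipaddress.ip_network(iface["subnet"])
        if dst not in net:
            continue
        # Only the router directly attached to the subnet has the mask
        # information needed to tell a broadcast from a host address.
        if dst != net.broadcast_address:
            return "unicast", name
        # The policy role runs before the routing decision: the admin-profile
        # rule matches the local directed-broadcast address, then the source
        # must be an authorized WOL station or the packet is dropped.
        allowed = iface["wol_sources"]
        if allowed is not None and str(src) not in allowed:
            return "drop-policy", name
        if not iface["directed_broadcast"]:
            return "drop-disabled", name
        return "explode", name
    return "unicast", None
```

Note that a source address spoofed to match an authorized station passes this policy, which is why the article pairs it with spoof checking.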

To guard against the spoofing of an authorized IP address, also use the hostdos checkspoof feature (see article 5417).
See also articles 6871, 11980, and 12955.
