Disclaimer

© 2009 Zero Intellect. All rights reserved. The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way. This material is not sponsored or endorsed by any of the vendors mentioned in this website, and their logos are trademarks of their respective owners and affiliates.

Preventing Smurf attacks by stopping IP directed broadcasts


An IP directed broadcast lets a sender deliver a single packet that the receiving router then broadcasts to every host on the destination network. For example, the broadcast address of the classful network 140.101.0.0/16 is 140.101.255.255. When Cisco introduced the ip directed-broadcast command in IOS version 10.0, the ramifications of forwarding directed broadcasts were not appreciated: it allowed users to launch DoS attacks such as the ICMP Smurf attack. In IOS version 12.0 Cisco made amends by changing the default behavior so that all directed broadcasts are dropped.

To understand what attackers can do if IP directed broadcasts are left enabled, we first need to understand what a Smurf attack is and how it works.

SMURF Attacks

A Smurf attack is a type of Denial of Service attack in which the attacker sends ICMP echo requests to a network's broadcast address with a spoofed source IP address: the address of the host being targeted. If the router permits IP directed broadcasts, these ICMP packets are delivered to every host on that network. Now imagine 100 active hosts on that network, all simultaneously sending ICMP echo replies to the spoofed source address, which is nothing but the victim's IP address. These replies would starve the network of bandwidth and prevent legitimate users from reaching the victim host, creating a Denial of Service for the host under attack. The diagram below explains this effectively.


The only way to stop this type of Smurf attack is to filter the traffic that comes in at the network border. One method is to ensure that IP directed broadcasts are disabled; another is to use an ACL (more cumbersome, but flexible and detailed).
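The border filter described above, modelled as an added example that is not part of the original post: given the router's attached subnets (constructed values, not the post's router), it decides whether a packet is a directed broadcast and what the IOS default does with it, and it flags claimed source addresses that repeatedly appear on echo requests to our broadcast addresses, which is what the impersonated victim looks like from the defender's side.

```python
import ipaddress
from collections import Counter

# Constructed interface table (example values): interface -> attached subnet.
INTERFACES = {
    "FastEthernet0/0": ipaddress.ip_network("140.101.0.0/16"),
    "FastEthernet0/1": ipaddress.ip_network("192.0.2.0/24"),
}

def directed_broadcast_iface(dst):
    """Return the interface whose subnet broadcast address equals dst, else None."""
    dst = ipaddress.ip_address(dst)
    for name, net in INTERFACES.items():
        if dst == net.broadcast_address:
            return name
    return None

def router_verdict(pkt, directed_broadcast_enabled):
    """Model the IOS decision: with 'no ip directed-broadcast' (the 12.0+ default)
    the router drops a directed broadcast instead of exploding it onto the LAN."""
    iface = directed_broadcast_iface(pkt["dst"])
    if iface is None:
        return "forward"        # ordinary unicast, not a directed broadcast
    if directed_broadcast_enabled.get(iface, False):
        return "broadcast"      # every host on the segment would reply
    return "drop"

def smurf_suspects(packets, min_hits=3):
    """Detection view: count ICMP echo requests aimed at our directed broadcast
    addresses per claimed source. A source that triggers many of them is the
    victim being impersonated, not a legitimate sender."""
    hits = Counter()
    for p in packets:
        if p["proto"] == "icmp-echo-request" and directed_broadcast_iface(p["dst"]):
            hits[p["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}

# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    {"src": "203.0.113.7", "dst": "140.101.255.255", "proto": "icmp-echo-request"},
    {"src": "203.0.113.7", "dst": "140.101.255.255", "proto": "icmp-echo-request"},
    {"src": "203.0.113.7", "dst": "140.101.255.255", "proto": "icmp-echo-request"},
    {"src": "140.101.3.9", "dst": "140.101.3.1", "proto": "icmp-echo-request"},
    {"src": "198.51.100.2", "dst": "192.0.2.255", "proto": "udp"},
]

if __name__ == "__main__":
    print(smurf_suspects(SAMPLE))
    for p in SAMPLE:
        print(p["dst"], router_verdict(p, {"FastEthernet0/0": True}))
```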

The first thing we do is find out which IOS version the router is running by typing the show version command.


We see that the router is running IOS version 12.4, which means that IP directed broadcasts are disabled on all interfaces by default. To enable or disable directed broadcasts we first need to know which interfaces the router has; we find out by running the command show ip interface brief, whose output is shown in the diagram below. From that output we can see that interface FastEthernet0/0 is enabled and FastEthernet0/1 is disabled.


To see whether directed broadcasts are enabled on any of the interfaces, we scroll through the running configuration and check each interface for the ip directed-broadcast setting.


Since directed broadcasts are enabled on FastEthernet0/0, we disable them by entering the no ip directed-broadcast command in interface configuration mode, as shown in the diagram below.


So do we ever need to enable directed broadcasts?

Yes, there are situations where directed broadcasts are required, such as DHCP. For example, consider a LAN where clients in a particular network, say 33.35.22.0/24 (VLAN 33), obtain dynamic IP addresses from a DHCP server (IP address 55.35.76.1) in another VLAN (VLAN 55). By default the border router of VLAN 33 would neither let the DHCP server in VLAN 55 receive the clients' DHCP requests nor let it send a DHCP reply with a dynamic IP address to any client within VLAN 33.

In addition, the ip helper-address interface configuration command is required to tell the Cisco router to forward DHCP requests to the central DHCP server at 55.35.76.1. This is accomplished with the commands below.

Point all clients in VLAN 33 to the DHCP server in VLAN 55 (the helper address goes on the interface facing the clients):
R1(config)#int FastEthernet0/0
R1(config-if)#ip helper-address 55.35.76.1

Allow DHCP with this statement:
R1(config)#ip forward-protocol udp bootpc

Include the following statements for every protocol that is not to be forwarded:
R1(config)#no ip forward-protocol udp domain
R1(config)#no ip forward-protocol udp echo

One often overlooked fact is that ip helper-address also forwards many other UDP-based broadcasts (DNS and echo among them) to the specified address, which might not be what you want. In that situation we enable directed broadcasts only for the DHCP protocol (using the ip forward-protocol command) and negate every other protocol we do not want with the no ip forward-protocol command.
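An added example, not code from the original post, that automates the two checks described above: the running-configuration walk for ip directed-broadcast under each interface, and the review of which UDP protocols an ip helper-address will relay. The configuration text is constructed in IOS syntax with the post's example addresses; the parsing only sees explicit lines, and since no ip directed-broadcast is the 12.0+ default it is frequently not displayed, so only the explicit enable line counts as a finding.

```python
import re

# Constructed 'show running-config' excerpt (example text, not the post's router output).
RUNNING_CONFIG = """\
version 12.4
!
ip forward-protocol udp bootpc
no ip forward-protocol udp domain
no ip forward-protocol udp echo
!
interface FastEthernet0/0
 ip address 33.35.22.1 255.255.255.0
 ip directed-broadcast
 ip helper-address 55.35.76.1
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
 shutdown
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current:
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return stanzas

def audit_directed_broadcast(config):
    """List interfaces that still carry 'ip directed-broadcast', and for every
    helper address report the UDP protocols explicitly forwarded and blocked."""
    forwarded = set(re.findall(r"^ip forward-protocol udp (\S+)", config, re.M))
    blocked = set(re.findall(r"^no ip forward-protocol udp (\S+)", config, re.M))
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "ip directed-broadcast" in lines:
            findings.append(f"{name}: directed broadcasts ENABLED")
        for l in lines:
            if l.startswith("ip helper-address"):
                findings.append(f"{name}: helper {l.split()[-1]} forwards "
                                f"{sorted(forwarded - blocked)}, blocks {sorted(blocked)}")
    return findings

if __name__ == "__main__":
    for finding in audit_directed_broadcast(RUNNING_CONFIG):
        print(finding)
```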

To summarize: on current gear (updated IOS versions) IP directed broadcasts are disabled by default, but we need to know in which situations and for which protocols they must be enabled. Few applications make use of IP directed broadcasts, so they should always be disabled by default and enabled only on specific interfaces for specific protocols. An alternative is to configure access lists to permit or deny IP directed broadcasts, but this is not feasible in larger networks; enabling directed broadcasts on specific interfaces only when needed for specific protocols is the better solution.
