<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Zero Intellect &#187; icmp</title>
	<atom:link href="http://www.zerointellect.com/tag/icmp/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.zerointellect.com</link>
	<description>Technology Blog requiring Zero Intellect to follow !!!</description>
	<lastBuildDate>Mon, 28 Jun 2010 14:09:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Preventing Smurf attacks by stopping IP directed broadcasts</title>
		<link>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/</link>
		<comments>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/#comments</comments>
		<pubDate>Fri, 04 Dec 2009 15:56:03 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[acl]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[denial of service]]></category>
		<category><![CDATA[icmp]]></category>
		<category><![CDATA[ip forward-protocol]]></category>
		<category><![CDATA[no ip directed-broadcast]]></category>
		<category><![CDATA[smurf attack]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=213</guid>
		<description><![CDATA[<p> </p>
<p>An IP Directed broadcast gives the sender the capability to send a packet and broadcast it to the entire network. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. When Cisco introduced this command in IOS version 10.0, they did not realize the ramifications of enabling directed broadcasts which enabled <p>Continue reading <a href="http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/">Preventing Smurf attacks by stopping IP directed broadcasts</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>An IP directed broadcast gives the sender the capability to send a packet and broadcast it to the entire network. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. When Cisco introduced this command in IOS version 10.0, they did not realize the ramifications of enabling directed broadcasts, which enabled users to launch DoS attacks like the ICMP Smurf attack. In version 12.0 of the IOS, they made amends by changing the default behavior to drop all directed broadcasts.</p>
<p>To understand what attackers can do if IP directed broadcasts are left enabled, we need to understand what a Smurf attack is and how it works</p>
<p><strong>SMURF Attacks</strong></p>
<p>These are a type of Denial of Service attack where the attacker sends packets with a spoofed source IP address that belongs to the host being targeted in the attack. If the router is enabled for sending IP directed broadcasts, these ICMP packets will be sent to all hosts in the network. Now imagine that there are 100 active hosts in that network, all of them simultaneously sending ICMP reply messages to the source IP address used by the attacker, which is nothing but the IP address of the victim. These hosts would starve the bandwidth of the network and would also deny legitimate users access to the victim host, thus creating a Denial of Service for the host being attacked. The diagram below explains this effectively.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-5.png" alt="" width="539" height="390" /></p>
<p> </p>
<p>The only way to stop this type of a Smurf attack is by filtering the traffic that comes in at the network border. One method is to ensure that IP Directed Broadcasts are disabled and another method would be to use an ACL (which would be more cumbersome but flexible and detailed)</p>
<p>The first thing we will do is find out the version of the IOS that the router is running by typing in the <strong>show version </strong>command</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-1.png" alt="" width="517" height="99" /></p>
<p> </p>
<p>We see that the router is running IOS version 12.4, which means that IP directed broadcasts are disabled on all interfaces by default. To enable or disable directed broadcasts, we first need to know which interfaces our router has. We do that by running the command <strong>show ip interface brief</strong>; the output is shown in the diagram below. We can see from the output that interface FastEthernet0/0 is enabled and FastEthernet0/1 is disabled.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-2.png" alt="" width="448" height="63" /></p>
<p> </p>
<p>Now to see if directed broadcasts are enabled for any of the interfaces, we need to scroll through the running configuration to see if directed-broadcasts are enabled or disabled</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-3.png" alt="" width="274" height="181" /></p>
<p> </p>
<p>Now since directed broadcasts are enabled on FastEthernet0/0, we will disable it. We do that by entering the no ip directed-broadcast command under the interface configuration as can be seen from the diagram below</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-4.png" alt="" width="492" height="65" /></p>
<p> </p>
<p><strong>So do we ever need to enable Directed broadcasts ?</strong></p>
<p>Yes, there might be certain situations where directed broadcasts are required, such as DHCP. For example, consider a LAN where clients in a particular network, say 33.35.22.0/24 (Vlan 33), connect to a DHCP server (IP address 55.35.76.1) in another VLAN (Vlan 55) to receive dynamic IP addresses. By default the border router of Vlan 33 would not allow the DHCP server in Vlan 55 to receive any DHCP requests from, or send a DHCP reply or dynamic IP address to, any of the clients within Vlan 33.</p>
<p>In addition, the ip helper-address interface configuration command would be required to tell your Cisco router to forward DHCP requests to a central DHCP server located at 55.35.76.1. This is accomplished by the commands below</p>
<p> </p>
<blockquote><p><strong>Point all clients in Vlan 33 to the DHCP server in Vlan 55<br />
</strong>R1(config)#int FastEthernet0/0<br />
R1(config-if)#ip helper-address 55.35.76.1</p>
<p><strong>Allow DHCP using this statement</strong><br />
R1(config)#ip forward-protocol udp bootpc</p>
<p><strong>The following statements are to be included for all protocols that are not allowed<br />
</strong>R1(config)#no ip forward-protocol udp domain<br />
R1(config)#no ip forward-protocol udp echo</p></blockquote>
<p> </p>
<p>One often overlooked fact is that ip helper-address will actually forward many other UDP-based broadcasts to the address specified, which might not be what you want. In such a situation, we would need to enable directed broadcasts but only specifically for the DHCP protocol (using the <strong>ip forward-protocol</strong> command and negating any other protocols that we do not want using the <strong>no ip forward-protocol</strong> command).</p>
<p>To summarize, if we&#8217;ve got the latest gear (updated IOS versions), IP directed broadcasts would be disabled by default, but we need to know in what situations they need to be enabled and for what protocols. In general, few applications make use of IP directed broadcasts, so they should always be disabled by default and only enabled on specific interfaces for specific protocols. An alternative method is to configure access lists to permit or deny IP directed broadcasts. This is not feasible, however, in larger networks, and enabling directed broadcasts on specific interfaces when needed for specific protocols is a better solution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Special types of IP addresses</title>
		<link>http://www.zerointellect.com/networking/special-types-of-ip-addresses/</link>
		<comments>http://www.zerointellect.com/networking/special-types-of-ip-addresses/#comments</comments>
		<pubDate>Wed, 02 Dec 2009 11:04:09 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[all subnets directed broadcast]]></category>
		<category><![CDATA[bootp]]></category>
		<category><![CDATA[cisco ios]]></category>
		<category><![CDATA[dhcp]]></category>
		<category><![CDATA[dynamips]]></category>
		<category><![CDATA[icmp]]></category>
		<category><![CDATA[IETF]]></category>
		<category><![CDATA[limited broadcast]]></category>
		<category><![CDATA[loopback]]></category>
		<category><![CDATA[microsoft loopback adapter]]></category>
		<category><![CDATA[multicast]]></category>
		<category><![CDATA[network directed broadcast]]></category>
		<category><![CDATA[RFC]]></category>
		<category><![CDATA[smurf attack]]></category>
		<category><![CDATA[subnet directed broadcast]]></category>
		<category><![CDATA[unicast]]></category>
		<category><![CDATA[wake up on lan]]></category>
		<category><![CDATA[WOL]]></category>
		<category><![CDATA[zeros ip address]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=201</guid>
		<description><![CDATA[<p> </p>
<p>There are many special types of IP address that we seldom come across as they are only used in special cases. We will go through each of them in the overview below:</p>
<p> </p>
<p>1. Limited Broadcast IP address</p>
<p>In this type of an IP address all the 32 bits of the IP address are set to 1&#8217;s. The address <p>Continue reading <a href="http://www.zerointellect.com/networking/special-types-of-ip-addresses/">Special types of IP addresses</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>There are many special types of IP address that we seldom come across as they are only used in special cases. We will go through each of them in the overview below:</p>
<p> </p>
<p><strong>1. Limited Broadcast IP address</strong></p>
<p>In this type of IP address, all 32 bits are set to 1&#8217;s. The address is 255.255.255.255. Routers never forward packets destined to this address because routers are by default designed to stop traditional broadcasts. This address is seen quite often in the routing tables of many systems.</p>
<p>This address is normally used when the host does not know its IP address (for example, when a Windows PC starts up and wants an IP address), as during an automated configuration process such as Bootstrap Protocol (BOOTP) or DHCP, because initially it does not know the IP address of the DHCP server. For example, with DHCP, a DHCP client must use the limited broadcast address for all traffic sent until the DHCP server acknowledges the IP address lease.</p>
<p> </p>
<p><strong>2. Loopback IP address</strong></p>
<p>This IP address represents the local host and has the network part of the IP address as 127. A common loopback address is 127.0.0.1, and the range is 127.0.0.0 &#8211; 127.255.255.255. When a packet is destined to a loopback address, whether via a ping or another utility, it is actually addressed to the same local machine from where it originated. These addresses are normally used to test connectivity of the Network Interface card of the host. Packets sent to them do not leave the host, nor will they traverse an external network interface.</p>
<p>A loopback address is also used to simulate a telnet or connection to an address of a device acting as a terminal server which is actually on the same host. This scenario is used for example, in Dynamips (Cisco Router Simulator) where a Microsoft Loopback address is created. This is not the same as the built in loopback of Windows (localhost or 127.x.x.x)</p>
<p>More on how a Microsoft loopback adapter can be created can be found here <a href="http://support.microsoft.com/kb/839013" target="_blank">http://support.microsoft.com/kb/839013</a></p>
<p> </p>
<p><strong>3. Zeros IP address</strong></p>
<p>The zeros IP address is normally <strong>0.0.0.0</strong>, but the range is actually 0.0.0.0 &#8211; 0.255.255.255. These addresses are most often seen in system log files and are reserved for the default network. Sometimes while fingerprinting a target system using an ARP scan, packets sent with a source of 0.0.0.0 are received. The response to this type of non-standard ARP packet differs depending on the operating system. So if you see packets with a source of 0.0.0.0 in the logs of a system, it implies that the system is the target of a fingerprint attack.</p>
<p>The detailed RFC 1700 concerning zeros IP address and Loopback address is available at the IETF website <a href="http://tools.ietf.org/html/rfc1700">http://tools.ietf.org/html/rfc1700</a></p>
<p> </p>
<p><strong>4. Network Directed Broadcast IP address</strong></p>
<p>In this IP address the host bits are all 1&#8217;s and the network part is the same as that of the network that it belongs to. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. Routers usually forward packets addressed to a network directed broadcast address. This type of packet is sent when the entire network needs to receive the packet as a kind of broadcast, which is very rarely the case, and only a few applications might follow this kind of behaviour.</p>
<p>IP Directed broadcasts can be used to launch ICMP smurf attacks if hardware devices are not configured properly. They do this by using spoofed source IP addresses. For example, in Cisco devices prior to IOS 12.0 you would need to add the no ip directed-broadcast command or put in specific Access lists to deny this type of behaviour.</p>
<p> </p>
<p><strong>5. Subnet Directed Broadcast IP address</strong></p>
<p>Here the host part of the address is represented by 1&#8217;s, while the subnet part of the address is the actual subnet. An example of a subnet directed broadcast address for the nonclassful network ID 140.101.46.0/24 is 140.101.46.255. For a classful network, there is no subnet broadcast address, only a network broadcast address. For a nonclassful network, there is no network broadcast address, only a subnet broadcast address.</p>
<p>This feature is useful in Wake up on LAN (WOL) implementations where a packet might need to be destined to an entire subnet if the IP addresses of devices in the subnet are not static and the source does not know exactly which destination to wake up. Apart from the WOL advantage, the disadvantage is that an attacker might launch a smurf attack to keep all other hosts in the subnet awake and responding to his ICMP packet.</p>
<p> </p>
<p><strong>6. All Subnets Directed Broadcast IP address</strong></p>
<p>Both the host and the subnet part of the address bits are 1&#8217;s. The subnet mask of the network must be known wherever such an address is being used or it does not make any sense. An example of an all-subnets-directed broadcast address for the subnetted network ID 140.101.46.0/24 is 140.101.255.255. The all-subnets-directed broadcast is the network broadcast address of the original classful network ID.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/02122009-diagram-1-1.png" alt="" width="350" height="450" /></p>
<p><strong> </strong></p>
<p><strong>7. Multicast IP addresses</strong></p>
<p>These IP addresses are used when a host needs to send a multicast to a group. IP multicast addresses are used for single-packet one-to-many delivery. The source host sends a packet with a destination from the class D range, which signifies the group number, and the unicast routing table is used to route the packet. Every node on the path of the source internetwork that has been configured with a multicast routing protocol and is therefore listening for multicast traffic receives and processes the packet. Unlike broadcast packets, routers forward IP multicast packets and only the hosts listening for the IP multicast traffic are disturbed. IP multicast addresses can be used only as the destination IP address. They fall into the class D space, and addresses in the range 224.0.0.0 &#8211; 239.255.255.255 are reserved for multicast.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/networking/special-types-of-ip-addresses/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Netstat Torn Apart</title>
		<link>http://www.zerointellect.com/toolzone/netstat-torn-apart/</link>
		<comments>http://www.zerointellect.com/toolzone/netstat-torn-apart/#comments</comments>
		<pubDate>Fri, 27 Nov 2009 10:34:51 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Tool Zone]]></category>
		<category><![CDATA[active connections]]></category>
		<category><![CDATA[arguments]]></category>
		<category><![CDATA[icmp]]></category>
		<category><![CDATA[ipv4]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[netstat]]></category>
		<category><![CDATA[netstat tutorial]]></category>
		<category><![CDATA[process explorer]]></category>
		<category><![CDATA[routing table]]></category>
		<category><![CDATA[sysinternals]]></category>
		<category><![CDATA[tcp]]></category>
		<category><![CDATA[udp]]></category>
		<category><![CDATA[unix]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=128</guid>
		<description><![CDATA[<p> </p>
<p>I use the NETSTAT command frequently during my consulting assignments; however, apart from the common options, I never delved into using all options of the command. My curiosity got the better of me and I went on to explore all the options of the NETSTAT command, so here goes</p>
<p>NETSTAT (network statistics) is a command-line utility that <p>Continue reading <a href="http://www.zerointellect.com/toolzone/netstat-torn-apart/">Netstat Torn Apart</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>I use the NETSTAT command frequently during my consulting assignments; however, apart from the common options, I never delved into using all options of the command. My curiosity got the better of me and I went on to explore all the options of the NETSTAT command, so here goes</p>
<p>NETSTAT (network statistics) is a command-line utility that displays incoming &amp; outgoing network connections, routing tables and various network interface statistics. The command has various parameters that can be used and is available on Unix, Linux and Windows based operating systems</p>
<p>The parameters below are those of the netstat command on Windows-based systems. Linux, Unix and BSD-based systems have most of the parameters in common, with a few exceptions</p>
<p>A quick output of the help of the netstat command by appending /? gives us the following parameter options</p>
<p> </p>
<p style="text-align: center"><img class="aligncenter" src="http://www.zerointellect.com/uploads/0000004-diagram-1.png" alt="" width="550" height="402" /></p>
<p> </p>
<p>A detailed explanation of each parameter with examples follows</p>
<p> </p>
<p><strong><strong>-a</strong>   Displays all connections and listening ports</strong></p>
<p>Running the netstat command with the -a parameter displays the active connections, as shown in the output below</p>
<p> </p>
<blockquote><p><strong>C:\&gt;netstat</strong></p>
<p><strong>Active Connections</strong></p>
<p><strong>  Proto  Local Address          Foreign Address              State<br />
  TCP    host540:19208          microsoft.com:http    CLOSE_WAIT<br />
  TCP    host540:19473          yahoo.com:http             ESTABLISHED</strong></p></blockquote>
<p> </p>
<p>The first column is the protocol, which could be either TCP or UDP. The &#8220;host540:19208&#8221; in the second column is a combination of the host name of the computer that the command is being run on, which in this case is <strong>host540</strong>, and the local port number, which is 19208. For well known services the protocol would be appended, for example <strong>host540:ntp</strong>, but for services that are not well known the local port number would be mentioned</p>
<p>The foreign address is the website and the service that the connection was opened to, which in this case is <strong>microsoft.com:http</strong>, that is, port 80 (http) or web traffic. The connection state is <strong>CLOSE_WAIT</strong></p>
<p>If the port is not yet established, the port number is shown as a * which would normally be seen in the output as &#8220;*:*&#8221;</p>
<p> </p>
<p><strong>-b   Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed.</strong></p>
<p><strong> </strong> </p>
<blockquote><p><strong>C:\&gt;netstat -b</strong></p>
<p><strong>Active Connections</strong></p>
<p><strong>Proto  Local Address          Foreign Address               State                        PID<br />
  TCP    host540:19208       microsoft.com:http   CLOSE_WAIT       1148<br />
  [iexplore.exe]</strong></p>
<p><strong>  TCP    host540:19473       yahoo.com:http             ESTABLISHED   7848<br />
  [firefox.exe]</strong></p>
<p> </p></blockquote>
<p>Additionally the process id of the process is also available. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions</p>
<p><strong> </strong> </p>
<p><strong>-e   Displays Ethernet statistics. This may be combined with the -s option<br />
 </strong></p>
<blockquote><p><strong>C:\&gt;netstat -e<br />
Interface Statistics</strong></p>
<p><strong>                                                    Received            Sent</strong></p>
<p><strong>Bytes                                              41185465        10381455<br />
Unicast packets                      248414             246100<br />
Non-unicast packets           48535               303<br />
Discards                                        0                          0<br />
Errors                                             0                          1<br />
Unknown protocols             0</strong></p></blockquote>
<p><strong> </strong></p>
<p>The number of packets, bytes, errors and other information received and sent is displayed. This may be useful when tracking network usage and can be combined with the -s option.  For example one may only want to see received packets of type http, which can be done using the -e and -s options</p>
<p> </p>
<p><strong>-n   Displays addresses and port numbers in numerical form</strong></p>
<p>This is similar to the standard netstat option without any parameters, however dns queries are done to convert all addresses and port numbers into numerical form. For example, in the output microsoft.com would be listed as its corresponding ip address and http would be displayed as 80<br />
<strong> </strong></p>
<p><strong>-o   Displays the owning process ID associated with each connection</strong></p>
<p>The process ID which owns the connection can be viewed and then other utilities like <strong>Sysinternals Process Explorer</strong> can be used to drill down and get further information. The process ID is also displayed by other options like -b, as was mentioned above</p>
<p><strong> </strong></p>
<p><strong>-p proto</strong>   Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s option to display per-protocol statistics, proto may be any of IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6</p>
<p>This is one of the most useful options to view specific connections opened by the protocol specified. For example, if one wants to view the opened UDP connections, the command <strong>netstat -p UDP</strong> could be used</p>
<p><strong> </strong></p>
<p><strong>-r   Displays the routing table</strong></p>
<p>Here all interfaces present in the system are displayed with their netmask, gateway, metric and the name of the ethernet adapter. It gives you a quick overview of IP addresses assigned, interface names, etc. Active as well as persistent routes are displayed</p>
<p><strong> </strong></p>
<p><strong>-s</strong>   Displays per-protocol statistics.  By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default</p>
<p>Another useful option to view statistics per protocol. For example, to view only UDP statistics, the following command could be used</p>
<blockquote><p><strong>C:\&gt;netstat -s -p UDP</strong></p>
<p><strong>UDP Statistics for IPv4</strong></p>
<p><strong>  Datagrams Received    = 328852<br />
  No Ports              = 16880<br />
  Receive Errors        = 79<br />
  Datagrams Sent        = 197475</strong></p>
<p><strong>Active Connections</strong></p>
<p><strong>  Proto  Local Address          Foreign Address        State</strong></p></blockquote>
<p><strong> </strong></p>
<p><strong> </strong> The output above does not have any active UDP connections</p>
<p> </p>
<p><strong>-v            When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables.<br />
</strong></p>
<p>After we have used the -b option to drill down and find out that a component [iexplore.exe] as well as other components were involved in creating the connection, we can further use the -v option to order the components involved in creating the connection. This is useful when understanding the sequencing of connection requests by an arbitrary application. It gives you an internal listing of .dll&#8217;s being called in real time</p>
<p> </p>
<p><strong>interval</strong>      Redisplays selected statistics, pausing interval seconds between each display.  Press CTRL+C to stop redisplaying statistics.  If omitted, netstat will print the current configuration information once</p>
<p>This is a good way to auto refresh the screen with any output desired. I might want to see the output of the netstat -n every 5 seconds. I would then use the <strong>netstat -n 5</strong> command</p>
<p> </p>
<p>To summarize, netstat is an external tool that is built into Windows, Unix, Linux, etc and displays a lot of useful information</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/toolzone/netstat-torn-apart/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

