<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Zero Intellect &#187; smurf attack</title>
	<atom:link href="http://www.zerointellect.com/tag/smurf-attack/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.zerointellect.com</link>
	<description>Technology Blog requiring Zero Intellect to follow !!!</description>
	<lastBuildDate>Mon, 28 Jun 2010 14:09:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Preventing Smurf attacks by stopping IP directed broadcasts</title>
		<link>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/</link>
		<comments>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/#comments</comments>
		<pubDate>Fri, 04 Dec 2009 15:56:03 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[acl]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[denial of service]]></category>
		<category><![CDATA[icmp]]></category>
		<category><![CDATA[ip forward-protocol]]></category>
		<category><![CDATA[no ip directed-broadcast]]></category>
		<category><![CDATA[smurf attack]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=213</guid>
		<description><![CDATA[<p> </p>
<p>An IP Directed broadcast gives the sender the capability to send a packet and broadcast it to the entire network. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. When Cisco introduced this command in IOS version 10.0, they did not realize the ramifications of enabling directed broadcasts which enabled <p>Continue reading <a href="http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/">Preventing Smurf attacks by stopping IP directed broadcasts</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>An IP directed broadcast gives the sender the capability to send a packet and have it broadcast to the entire network. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. When Cisco introduced this command in IOS version 10.0, they did not realize the ramifications of enabling directed broadcasts, which allowed users to launch DoS attacks like the ICMP Smurf attack. In IOS version 12.0 they made amends by changing the default behavior so that all directed broadcasts are dropped by default.</p>
<p>To understand what attackers can do if IP directed broadcasts are left enabled, we need to understand what a Smurf attack is and how it works.</p>
<p><strong>SMURF Attacks</strong></p>
<p>These are a type of Denial of Service attack where the attacker sends ICMP echo request packets to a directed broadcast address with a spoofed source IP address that belongs to the host being targeted. If the router is enabled for IP directed broadcasts, these ICMP packets are delivered to all hosts in the network. Now imagine that there are 100 active hosts in that network and that all of them simultaneously send ICMP echo replies to the packet's source IP address, which is nothing but the IP address of the victim. These hosts would starve the network's bandwidth and also deny legitimate users access to the victim host, thus creating a Denial of Service for the host being attacked. The diagram below explains this effectively.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-5.png" alt="" width="539" height="390" /></p>
<p> </p>
<p>The only way to stop this type of Smurf attack is by filtering the traffic that comes in at the network border. One method is to ensure that IP directed broadcasts are disabled; another method would be to use an ACL (which is more cumbersome but flexible and detailed).</p>
<p>The first thing we will do is find out the version of the IOS that the router is running by typing in the <strong>show version</strong> command.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-1.png" alt="" width="517" height="99" /></p>
<p> </p>
<p>We see that the router is running IOS version 12.4, which means that IP directed broadcasts are disabled on all interfaces by default. To enable or disable directed broadcasts, we first need to know which interfaces our router has. We do that by running the command <strong>show ip interface brief</strong>; the output is as shown in the diagram below. We can see from the output below that interface FastEthernet0/0 is enabled and FastEthernet0/1 is disabled.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-2.png" alt="" width="448" height="63" /></p>
<p> </p>
<p>Now, to see if directed broadcasts are enabled for any of the interfaces, we need to scroll through the running configuration and check whether directed broadcasts are enabled or disabled on each interface.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-3.png" alt="" width="274" height="181" /></p>
<p> </p>
<p>Since directed broadcasts are enabled on FastEthernet0/0, we will disable them. We do that by entering the <strong>no ip directed-broadcast</strong> command under the interface configuration, as can be seen from the diagram below.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-4.png" alt="" width="492" height="65" /></p>
<p> </p>
<p><strong>So do we ever need to enable Directed broadcasts ?</strong></p>
<p>Yes, there might be certain situations where directed broadcasts are required, such as DHCP. For example, consider a LAN where clients in a particular network, say 33.35.22.0/24 (Vlan 33), connect to a DHCP server (IP address 55.35.76.1) in another VLAN (Vlan 55) to receive dynamic IP addresses. By default the border router of VLAN 33 would not allow the DHCP server in Vlan 55 to receive any DHCP requests, nor would it let the server send a DHCP reply (the dynamic IP address) to any of the clients within Vlan 33.</p>
<p>In addition, the <strong>ip helper-address</strong> interface configuration command is required to tell your Cisco router to forward DHCP requests to a central DHCP server located at 55.35.76.1. This is accomplished by the commands below.</p>
<p> </p>
<blockquote><p><strong>Point all clients in Vlan 33 to the DHCP server in Vlan 55<br />
</strong>R1(config)#int FastEthernet0/0<br />
R1(config-if)#ip helper-address 55.35.76.1</p>
<p><strong>Allow DHCP using this statement (DHCP client requests are sent to the BOOTP server port, UDP 67, which IOS names bootps)</strong><br />
R1(config)#ip forward-protocol udp bootps</p>
<p><strong>The following statements are to be included for all protocols that should not be forwarded<br />
</strong>R1(config)#no ip forward-protocol udp domain<br />
R1(config)#no ip forward-protocol udp echo</p></blockquote>
<p> </p>
<p>One often overlooked fact is that <strong>ip helper-address</strong> will actually forward many other UDP-based broadcasts to the address specified, which might not be what you want. In such a situation we would need to restrict forwarding to the DHCP protocol only, using the <strong>ip forward-protocol</strong> command to allow it and the <strong>no ip forward-protocol</strong> command to negate any other protocols that we do not want.</p>
<p>To summarize, if we have the latest gear (updated IOS versions), IP directed broadcasts are disabled by default, but we need to know in what situations they need to be enabled and for what protocols. In general, few applications make use of IP directed broadcasts, so they should always be disabled by default and only enabled on specific interfaces for specific protocols. An alternative method is to configure access lists to permit or deny IP directed broadcasts; this is not feasible in larger networks, however, and enabling directed broadcasts on specific interfaces only when needed for specific protocols is the better solution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Special types of IP addresses</title>
		<link>http://www.zerointellect.com/networking/special-types-of-ip-addresses/</link>
		<comments>http://www.zerointellect.com/networking/special-types-of-ip-addresses/#comments</comments>
		<pubDate>Wed, 02 Dec 2009 11:04:09 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[all subnets directed broadcast]]></category>
		<category><![CDATA[bootp]]></category>
		<category><![CDATA[cisco ios]]></category>
		<category><![CDATA[dhcp]]></category>
		<category><![CDATA[dynamips]]></category>
		<category><![CDATA[icmp]]></category>
		<category><![CDATA[IETF]]></category>
		<category><![CDATA[limited broadcast]]></category>
		<category><![CDATA[loopback]]></category>
		<category><![CDATA[microsoft loopback adapter]]></category>
		<category><![CDATA[multicast]]></category>
		<category><![CDATA[network directed broadcast]]></category>
		<category><![CDATA[RFC]]></category>
		<category><![CDATA[smurf attack]]></category>
		<category><![CDATA[subnet directed broadcast]]></category>
		<category><![CDATA[unicast]]></category>
		<category><![CDATA[wake up on lan]]></category>
		<category><![CDATA[WOL]]></category>
		<category><![CDATA[zeros ip address]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=201</guid>
		<description><![CDATA[<p> </p>
<p>The are many special types of IP address that we seldom come across as they are only used in special cases. We will go through each of them in the overview below:</p>
<p> </p>
<p>1. Limited Broadcast IP address</p>
<p>In this type of an IP address all the 32 bits of the IP address are set to 1s. The address <p>Continue reading <a href="http://www.zerointellect.com/networking/special-types-of-ip-addresses/">Special types of IP addresses</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>There are many special types of IP addresses that we seldom come across, as they are only used in special cases. We will go through each of them in the overview below:</p>
<p> </p>
<p><strong>1. Limited Broadcast IP address</strong></p>
<p>In this type of IP address all 32 bits are set to 1s, giving the address 255.255.255.255. Routers never forward packets destined to this address, because routers are by default designed to stop traditional broadcasts. This address is seen quite often in the routing tables of many systems.</p>
<p>This address is normally used when a host does not yet know its IP address (for example when a Windows PC starts up and wants an IP address) during an automated configuration process such as the Boot Protocol (BOOTP) or DHCP, because initially it does not know the IP address of the DHCP server. For example, with DHCP, a DHCP client must use the limited broadcast address for all traffic sent until the DHCP server acknowledges the IP address lease.</p>
<p> </p>
<p><strong>2. Loopback IP address</strong></p>
<p>This IP address represents the local host and has 127 as the network part of the address. A common loopback address is 127.0.0.1, and loopback addresses range from 127.0.0.0 &#8211; 127.255.255.255. When a packet is destined to a loopback address, whether via ping or another utility, it is actually addressed to the same local machine from which it originated. These addresses are normally used to test connectivity of the Network Interface Card of the host. Packets to these addresses do not leave the host, nor do they traverse an external network interface.</p>
<p>A loopback address is also used to simulate a telnet or similar connection to the address of a device acting as a terminal server that is actually on the same host. This scenario is used, for example, in Dynamips (Cisco Router Simulator), where a Microsoft Loopback adapter is created. This is not the same as the built-in loopback of Windows (localhost or 127.x.x.x).</p>
<p>More on how a Microsoft loopback adapter can be created can be found here <a href="http://support.microsoft.com/kb/839013" target="_blank">http://support.microsoft.com/kb/839013</a></p>
<p> </p>
<p><strong>3. Zeros IP address</strong></p>
<p>The zeros IP address is normally <strong>0.0.0.0</strong>, but the range actually runs from 0.0.0.0 &#8211; 0.255.255.255. These addresses are most often seen in system log files and are reserved for the default network. Sometimes, while fingerprinting a target system using an ARP scan, packets sent with a source of 0.0.0.0 are received. The response to this type of non-standard ARP packet differs depending on the operating system, so if you see packets with a source of 0.0.0.0 in the logs of a system, it implies that the system is the target of a fingerprinting attack.</p>
<p>RFC 1700, which covers the zeros and loopback addresses in detail, is available at the IETF website: <a href="http://tools.ietf.org/html/rfc1700">http://tools.ietf.org/html/rfc1700</a></p>
<p> </p>
<p><strong>4. Network Directed Broadcast IP address</strong></p>
<p>This IP address has all host bits set to 1s, while the network part is the same as that of the network it belongs to. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. Routers usually forward packets addressed to a network directed broadcast address. This type of packet is sent when the entire network needs to receive it as a broadcast, which is very rarely the case; only a few applications might follow this kind of behaviour.</p>
<p>IP directed broadcasts can be used to launch ICMP Smurf attacks if network devices are not configured properly; the attacker does this by using spoofed source IP addresses. For example, on Cisco devices running IOS versions prior to 12.0 you would need to add the no ip directed-broadcast command or put in specific access lists to deny this type of behaviour.</p>
<p> </p>
<p><strong>5. Subnet Directed Broadcast IP address</strong></p>
<p>Here the host part of the address is all 1s, while the subnet part of the address is the actual subnet. An example of a subnet directed broadcast address for the nonclassful network ID 140.101.46.0/24 is 140.101.46.255. For a classful network, there is no subnet broadcast address, only a network broadcast address. For a nonclassful network, there is no network broadcast address, only a subnet broadcast address.</p>
<p>This feature is useful in Wake-on-LAN (WOL) implementations, where a packet may need to be sent to an entire subnet because the IP addresses of the devices in the subnet are not static and the source does not know exactly which destination to wake up. Apart from the WOL advantage, the disadvantage is that an attacker might launch a Smurf attack to keep all the other hosts in the subnet awake and responding to his ICMP packets.</p>
<p> </p>
<p><strong>6. All Subnets Directed Broadcast IP address</strong></p>
<p>Both the host and the subnet part of the address bits are 1s. The subnet mask of the network must be known wherever such an address is being used, or it does not make any sense. An example of an all-subnets-directed broadcast address for the subnetted network ID 140.101.46.0/24 is 140.101.255.255. The all-subnets-directed broadcast is the network broadcast address of the original classful network ID.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/02122009-diagram-1-1.png" alt="" width="350" height="450" /></p>
<p><strong> </strong></p>
<p><strong>7. Multicast IP addresses</strong></p>
<p>These IP addresses are used when a host needs to send a multicast to a group. IP multicast addresses are used for single-packet one-to-many delivery. The source host sends a packet whose destination is an address from the class D range, which signifies the group number; the unicast routing table is used to route the packet. Every node on the path through the internetwork that has been configured with a multicast routing protocol, and is therefore listening for multicast traffic, receives and processes the packet. Unlike broadcast packets, routers forward IP multicast packets, and only the hosts listening for the IP multicast traffic are disturbed. IP multicast addresses can be used only as the destination IP address. They fall into the class D space; addresses in the range 224.0.0.0 &#8211; 239.255.255.255 are reserved for multicast.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/networking/special-types-of-ip-addresses/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

