I don't want this forum to degrade into a hacker's den, but as an Academy instructor I'm always interested in the way things work...
So, recently I have looked a bit more into network attacks and picked out SMURF as a good example of a DDoS attack.
Replicating this in my Academy lab with 2 LANs and a couple of 2600 routers proved difficult however:
As far as I understand it, SMURF relies on the multiplication of ICMP replies targeted at one particular host. That multiplication is achieved by spoofing that machine's IP address in the ICMP request which is sent by broadcast to many intermediate "attack hosts".
Now on all the forums I read, the best mitigation for this is to disable broadcast forwarding on the routers ("no ip directed-broadcast" is default on all IOS after 12.1).
My question (because one of my students asked me): How can this possibly be happening on the internet? Why do some internet backbone routers still forward directed broadcasts? What is their legitimate use? CCNA teaches us that routers break up broadcast domains. So that's not quite true then??
Has anyone ever experimented with this? Any insight would be greatly appreciated.
Frank Dudek CCNP
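Added example, not part of Frank's post: a small Python sketch of the two things a monitor on your lab routers' span port could look for, based on the mechanism described above. It flags echo requests aimed at a subnet's directed-broadcast address (the amplifier side) and hosts receiving echo replies from many peers they never pinged (the victim side). The packet records and the subnet list are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (src, dst, icmp_type); 8 = echo request, 0 = echo reply.
# The first request carries a spoofed source (the victim) and targets a subnet broadcast.
SAMPLE_PACKETS = [
    ("10.1.1.5", "192.168.1.255", 8),
    ("192.168.1.10", "10.1.1.5", 0),
    ("192.168.1.11", "10.1.1.5", 0),
    ("192.168.1.12", "10.1.1.5", 0),
    ("192.168.1.13", "10.1.1.5", 0),
    ("10.1.1.7", "192.168.1.10", 8),   # an ordinary ping and its single reply
    ("192.168.1.10", "10.1.1.7", 0),
]

# Subnets the monitored router serves (assumed values for the example).
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("192.168.2.0/24")]


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of the local subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_SUBNETS)


def analyze(packets, min_repliers=3):
    """Return (broadcast_requests, suspected_victims).

    broadcast_requests: list of (src, dst) echo requests sent to a directed broadcast.
    suspected_victims: dict host -> number of distinct hosts that replied to it
                       without it ever having pinged them.
    """
    broadcast_requests = []
    requests_sent = defaultdict(set)   # src -> destinations it sent echo requests to
    repliers = defaultdict(set)        # reply destination -> sources of those replies
    for src, dst, icmp_type in packets:
        if icmp_type == 8:
            requests_sent[src].add(dst)
            if is_directed_broadcast(dst):
                broadcast_requests.append((src, dst))
        elif icmp_type == 0:
            repliers[dst].add(src)
    victims = {}
    for host, sources in repliers.items():
        unsolicited = {s for s in sources if s not in requests_sent[host]}
        if len(unsolicited) >= min_repliers:
            victims[host] = len(unsolicited)
    return broadcast_requests, victims
```

With `no ip directed-broadcast` in place the first record is dropped at the router and the four replies never happen, so an empty result from this script on the amplifier side is the expected outcome in a correctly configured lab.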