Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Wake on LAN - ip directed broadcast

We're looking at deploying a Wake-on-LAN solution for software distribution. The first alternative to distribute the 'magic packet' is enabling 'ip directed-broadcast' in each router, which presents a security risk (man in the middle attack, ARP table poisoning), the second alternative is to extend ARP aging time in the routers which presents the same security risk.

My question is, how can be this security risk reduced or minimized (options I've heard of: 'dynamic ARP inspection' in the switches, ACL on the router associated with the ip directed-broadcast command allowing only software distribution servers to convert directed-broadcast packets into unicast packets). I have a concern extending ARP aging time and its impact with current or future application.

I'll appreciated any comment. Thanks.


Re: Wake on LAN - ip directed broadcast

IP directed broadcasts are used in the popular "smurf" denial-of-service attack and derivatives thereof. An IP directed broadcast is a datagram that is sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, the one that is connected directly to the target subnet, can conclusively identify a directed broadcast. Directed broadcasts are occasionally used for legitimate purposes, but such use is not common outside the financial services industry. In a "smurf" attack, the attacker sends Internet Control Message Protocol (ICMP) echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose

address is being falsified. If a Cisco interface is configured with the no ip directed-broadcast command, directed broadcasts

that would otherwise expand into link-layer broadcasts at that interface are dropped instead.

If you are behind a firewall and are confident in your security policy, then I don't see this as being a problem.

CreatePlease login to create content