Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vulnerabilities and SMURF


I don't want this forum to degrade into a hacker's den, but as an Academy instructor I'm always interested in the way things work...

So, recently I have looked a bit more into network attacks and picked out SMURF as a good example of a DDoS attack.

Replicating this in my Academy lab with 2 LANs and a couple of 2600 routers proved difficult however:

As far as I understand it, SMURF relies on the multiplication of ICMP replies targeted at one partiular host. That multiplication is achieved by spoofing that machine's IP address in the IMCP request which is sent by broadcast to many intermediate "attack hosts".

Now on all the forums I read, the best mitigation for this is to disable broadcast forwarding on the routers ("no ip directed-broadcast" is default on all IOS after 12.1).

My question (because one of my students asked me): How can this possibly be happening on the internet? Why do some internet backbone routers still forward directed broadcasts? What is their legitimate use? CCNA teaches us that routers break up broadcast domains. So that's not quite true then??

Has anyone ever experimented with this? Any insight would be greatly appreciated.


Frank Dudek CCNP


Re: vulnerabilities and SMURF

I don't believe SMURF attacks are very common these days. There is always going to be old/misconfigured routers somewhere on the Internet though, so I suppose they still happen.

"Why do some internet backbone routers still forward directed broadcasts?"

I don't see how a backbone router could know that the destination address is a broadcast address.

"CNA teaches us that routers break up broadcast domains."

that is true, but I don't see how that is relevant here. The router has received a packet with a destination IP that is a broadcast address on another interface.

CreatePlease login to create content