Bugtraq mailing list archives
ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!
From: mikedoug () TEXAS NET (Michael Douglass)
Date: Mon, 21 Jul 1997 15:00:53 -0500
Since so many of you have emailed me privately asking for this information, I sent the request off to my Cisco guy (ed) and let him write up a howto on the whole issue of filtering broadcast packets.

-----Forwarded message from Edward Henigin <ed () texas net>-----

From: Edward Henigin <ed () texas net>
To: Michael Douglass <mikedoug () texas net>
Subject: broadcast filtering HOWTO

We've had some requests for examples of how to filter broadcast traffic. As with a lot of things in the computer world, "there is more than one way to do it."

If your network is composed *only* of /24 allocations (i.e. you're not supernetting or subnetting anywhere on class C's, or all your class A/B networks are subnetted as /24's), then you can do all the filtering with one filter on your *inbound* Internet interfaces. (Note that you should filter both the all-ones and the all-zeros addresses, as they are both recognized by some IP stacks.)

! filter broadcast packets from the outside world into our network
access-list 109 deny ip any 0.0.0.255 255.255.255.0
access-list 109 deny ip any 0.0.0.0 255.255.255.0
access-list 109 permit ip any any
!
in se 0
ip access-group 109 in
!

Another way to do it is to only filter to the broadcast addresses *outgoing* on your directly connected interfaces. For example, if your router has an ethernet interface with half a dozen as5200's or Max 4004's on it, and your ethernet interface had address 192.168.3.1/24, then you'd do this:

! filter broadcast packets from anywhere into my directly attached
! terminal server network
access-list 110 deny ip any host 192.168.3.255
access-list 110 deny ip any host 192.168.3.0
access-list 110 permit ip any any
!
in e 0
ip access-group 110 out
!

I've just been made aware of a command for ciscos, 'ip directed-broadcast'. Specifically, the 'no' form of the command will not convert broadcast packets (all ones, I think) into broadcast ethernet packets, on the final, directly connected interface.

From cisco's online documentation:

    To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.

What I take this to mean is that 'no ip directed-broadcast' will prevent the mapping of broadcast packets (I don't know what your cisco will guess 'broadcast packets' are) to broadcast ethernet framing. I think this will help... although I don't know all the ramifications, because I haven't used it, and don't know anyone who has.

And a final note: there are very few applications which depend on the routing of broadcast packets. You may know of one such application; if it's a popular one that you think lots of people are using, speak up. So you should feel safe in blocking broadcast traffic in your network. Popular applications which depend on *non*-routed broadcast traffic include RIP and netbios (Microsoft's networking protocol). Putting filter access-lists on your interfaces should not interfere with non-routed broadcast traffic.

Don't take anything I say as word of God. Test it yourselves, so that you understand what you are doing.

I hope this helps,

Ed Henigin
Engineering Director, Texas Networking, Inc.
ed () texas net

-----End of forwarded message-----

--
Michael Douglass
Texas Networking, Inc.

<de> 'hail sparc, full of rammage'
<de> 'the kernel is with thee'
<de> 'blessed art thou amongst processors'
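An added example, not part of the posting above: a small Python model of Cisco wildcard-mask matching, used to check which directed-broadcast destinations access-lists 109 and 110 actually deny, and to show the /24-only caveat Ed mentions (a /25 subnet's broadcast address slips past list 109). The function and variable names are my own.

```python
import ipaddress

def wildcard_match(addr, pattern, wildcard):
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (p & care)

# Entries of access-list 109 from the posting, as (action, pattern, wildcard).
# "permit ip any any" is 0.0.0.0 with an all-ones wildcard.
ACL_109 = [
    ("deny", "0.0.0.255", "255.255.255.0"),
    ("deny", "0.0.0.0", "255.255.255.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Entries of access-list 110; "host X" is X with a 0.0.0.0 wildcard.
ACL_110 = [
    ("deny", "192.168.3.255", "0.0.0.0"),
    ("deny", "192.168.3.0", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl, dst):
    """Action of the first matching entry; IOS has an implicit deny at the end."""
    for action, pattern, wildcard in acl:
        if wildcard_match(dst, pattern, wildcard):
            return action
    return "deny"

def check_broadcasts(acl, networks):
    """For each network (constructed sample input), does the ACL deny its
    directed-broadcast address?  Result maps network -> "deny"/"permit"."""
    result = {}
    for n in networks:
        bcast = str(ipaddress.IPv4Network(n).broadcast_address)
        result[n] = evaluate(acl, bcast)
    return result

if __name__ == "__main__":
    # 192.168.3.0/25 has broadcast 192.168.3.127, which list 109 permits:
    # the /24-only assumption in the posting matters.
    for net, verdict in check_broadcasts(
            ACL_109, ["192.168.3.0/24", "192.168.3.0/25", "192.168.3.128/25"]).items():
        print(net, verdict)
```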