Home page logo
/

bugtraq logo Bugtraq mailing list archives

ICMP ECHO_REQUEST on BROADCAST--HOWTO Filter!
From: mikedoug () TEXAS NET (Michael Douglass)
Date: Mon, 21 Jul 1997 15:00:53 -0500


Since so many of you have emailed me privately asking for this information,
I sent the request off to my Cisco guy (ed) and let him write up a howto
on the whole issue of filtering broadcast packets.

-----Forwarded message from Edward Henigin <ed () texas net>-----

From: Edward Henigin <ed () texas net>
To: Michael Douglass <mikedoug () texas net>
Subject: broadcast filtering HOWTO


        We've had some requests for examples of how to filter broadcast
traffic.  As with a lot of things in the computer world, "there is more
than one way to do it."

        If your network is composed *only* of /24 allocations (ie you're
not supernetting or subnetting anywhere on class C's, or all your class A/B
networks are subnetted as /24's), then you can do all the filtering with
one filter on your *inbound* Internet interfaces.

        (note that you should filter both the all ones and the all zeros
addresses, as they are both recognized by some IP stacks.)

! filter broadcast packets from the outside world into our network
access-list 109 deny ip any 0.0.0.255 255.255.255.0
access-list 109 deny ip any 0.0.0.0   255.255.255.0
access-list 109 permit ip any any
!
in se 0
 ip access-group 109 in
!

        Another way to do it is to only filter to the broadcast addresses
*outgoing* on your directly connected interfaces.  For example, if your
router has an ethernet interface with half a dozen as5200's or Max 4004's
on it, and your ethernet interface had address 192.168.3.1/24, then
you'd do this:

! filter broadcast packets from anywhere into my directly attached
! terminal server network
access-list 110 deny ip any host 192.168.3.255
access-list 110 deny ip any host 192.168.3.0
access-list 110 permit ip any any
!
in e 0
 ip access-group 110 out
!

        I've just been made aware of a command for ciscos,
'ip directed-broadcast'.  Specifically, the 'no' form of the command
will no convert broadcast packets (all ones, I think) into broadcast
ethernet packets, on the final, directly connected interface.  From
cisco's online documentation:

        To enable the translation of directed broadcast to physical
        broadcasts, use the ip directed-broadcast interface
        configuration command. To disable this function, use the no
        form of this command.

        What I take this to mean is that 'no ip directed-broadcast'
        will prevent the mapping of broadcast packets (I don't know
what your cisco will guess 'broadcast packets' are) to broadcast
ethernet framing.  I think this will help... although I don't know all
the ramifications, because I haven't used it, and don't know anyone who
has.

        And a final note: there are very few applications which depend
on the routing of broadcast packets.  You may know of one such
application; if it's a popular one that you think lots of people are
using, speak up.  So you should feel safe in blocking broadcast traffic
in your network.  Popular applications which depend on *non*-routed
broadcast traffic include RIP and netbios (Microsoft's networking
protocol).  Putting filter access-lists on your interfaces should
not interfere with non-routed broadcast traffic.


        Don't take anything I say as word of God.  Test it yourselves,
so that you understand what you are doing.

        I hope this helps,

        Ed Henigin
        Engineering Director, Texas Networking, Inc.
        ed () texas net

-----End of forwarded message-----

--
Michael Douglass
Texas Networking, Inc.

   <de> 'hail sparc, full of rammage'
   <de> 'the kernel is with thee'
   <de> 'blessed art thou amongst processors'



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault