Directed broadcasts are packets sent from a system on one network to all systems on another
network. They are the basis of the "smurf" attack, in which forged ICMP echo request packets
are sent from a host to the broadcast address of a remote network. The source address of the
ICMP packets is forged to carry the address of the victim host, so every system on the remote
network that receives the request replies to the victim, flooding it with traffic. Any Solaris
system that has IP forwarding enabled will forward directed broadcasts as well.

When packets travel between one host and another on a network, their path is determined by
dedicated routers or by hosts providing routing services. However, IP also lets the sender
specify the route between source and destination. This ability comes in two forms: strict and
loose. With strict source routing, the sender specifies the address of every intermediate hop
between itself and the destination. With loose source routing, the sender specifies only some of
the intermediate hops, leaving routers free to choose the path between those hops. Source routing
may be used to bypass security measures that depend on the network topology. There is no
legitimate reason to see source-routed packets in a network.

A directed broadcast address allows a network administrator to address every host on a subnet
at once. By carefully selecting a large, densely populated subnet, an attacker can cause the
subnet hosts' responses to the ping packets to consume substantial network and host resources
while sending only a few spoofed packets.

This type of attack came to the public's attention when a number of large-scale attacks on
Internet service providers and IRC servers occurred during December 1997 and January 1998. A
similar attack uses the UDP echo service instead of ICMP echo packets to generate traffic. This
is even more devastating because the target also sends back ICMP unreachable messages, adding
to the traffic. It is also possible, in certain situations, to create loops between the echo and
chargen services on the relay hosts and the victim host.
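As an added example (not part of the original document), the following Python script shows how a defender can recognise the three traffic patterns described above at the packet level: datagrams addressed to the broadcast address of a local subnet, ICMP echo requests or UDP echo/chargen datagrams aimed at that address, and datagrams carrying a strict or loose source-route option. The packets, the 192.0.2.0/24 "local" subnet and the 203.0.113.5 "victim" address are constructed for the demonstration; only IPv4 header fields and the RFC 791 option kinds are real.

```python
"""Flag IPv4 datagrams a border router or host should treat as suspect:
directed broadcasts, broadcast pings (smurf relays), broadcast UDP
echo/chargen (the UDP variant), and any source-routed datagram."""
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137      # loose / strict source route, RFC 791
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REQUEST = 8
UDP_ECHO, UDP_CHARGEN = 7, 19


def build_ipv4(src, dst, proto, payload=b"", options=b""):
    """Construct a minimal IPv4 datagram for offline inspection.
    The header checksum is left zero, so this is not fit for transmission."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad options to 32 bits
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def parse_ipv4(pkt):
    """Return (src, dst, protocol, options bytes, payload bytes)."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return src, dst, pkt[9], pkt[20:ihl], pkt[ihl:]


def source_route_options(options):
    """Walk the IP options area; return the kinds of any source-route options."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                               # truncated or malformed option
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            found.append(kind)
        i += options[i + 1]
    return found


def inspect_datagram(pkt, local_subnets):
    """Return a list of findings for one datagram; an empty list means unremarkable."""
    src, dst, proto, options, payload = parse_ipv4(pkt)
    findings = []
    if source_route_options(options):
        findings.append("source-routed")
    if any(dst == net.broadcast_address for net in local_subnets):
        findings.append("directed-broadcast")
        if proto == PROTO_ICMP and payload and payload[0] == ICMP_ECHO_REQUEST:
            findings.append("broadcast-ping (smurf relay)")
        if proto == PROTO_UDP and len(payload) >= 4:
            dport = struct.unpack("!H", payload[2:4])[0]
            if dport in (UDP_ECHO, UDP_CHARGEN):
                findings.append("broadcast-udp-echo/chargen")
    return findings


# Constructed sample traffic; 192.0.2.0/24 plays the relay network that we
# administer, 203.0.113.5 the spoofed victim, 198.51.100.7 an ordinary peer.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]
ECHO_REQ = bytes([ICMP_ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1])   # type 8, code 0
LSRR_OPT = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("192.0.2.1").packed
SAMPLE_PACKETS = {
    "smurf": build_ipv4("203.0.113.5", "192.0.2.255", PROTO_ICMP, ECHO_REQ),
    "udp-echo": build_ipv4("203.0.113.5", "192.0.2.255", PROTO_UDP,
                           struct.pack("!HHHH", UDP_ECHO, UDP_ECHO, 8, 0)),
    "lsrr": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP, ECHO_REQ, LSRR_OPT),
    "normal": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP, ECHO_REQ),
}


def audit(packets=SAMPLE_PACKETS, local_subnets=LOCAL_SUBNETS):
    """Inspect every sample and map its name to the findings."""
    return {name: inspect_datagram(pkt, local_subnets) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(f"{name:9s} {findings or 'ok'}")
```

The same check, fed with captured headers instead of the constructed samples, is what a packet filter or IDS rule on the router implements: drop anything destined to a local broadcast address that did not originate locally, and drop anything with option kind 131 or 137 regardless of destination.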

Very few applications use directed broadcast addresses; those that do include network
management and mapping tools and, in some instances, Microsoft's network browsing applications.
It is recommended to disable the translation of layer 3 broadcasts into layer 2 broadcasts at
your router. Hosts can also be configured not to respond to broadcast ping packets or to ignore
ping packets altogether. The echo and chargen services should also be disabled.
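The recommendations above map onto concrete Solaris settings: the /dev/ip tunables read and written with ndd(1M), and the echo and chargen lines in /etc/inet/inetd.conf. The following Python audit script is an added example, not part of the original document; the tunable names are real Solaris parameters, while the sample tunable values and the inetd.conf excerpt are constructed to show an unhardened host. Note that ndd changes do not survive a reboot, so the emitted commands belong in a startup script.

```python
"""Audit a Solaris host for the settings recommended above: no forwarding of
directed broadcasts or source-routed datagrams, no replies to broadcast ICMP
queries, and the inetd echo/chargen services switched off."""
import subprocess

# /dev/ip tunables and the value (0 = off) the recommendation calls for
IP_TUNABLES = {
    "ip_forward_directed_broadcasts": 0,
    "ip_forward_src_routed": 0,
    "ip_respond_to_echo_broadcast": 0,
    "ip_respond_to_timestamp_broadcast": 0,
    "ip_respond_to_address_mask_broadcast": 0,
}
SMALL_SERVICES = {"echo", "chargen"}


def ndd_get(name):
    """Read a live tunable; only meaningful on Solaris with ndd on the PATH."""
    out = subprocess.run(["ndd", "/dev/ip", name],
                         capture_output=True, text=True, check=True)
    return int(out.stdout.strip())


def audit_ip_tunables(get_value=ndd_get):
    """Return the ndd command for every tunable that deviates from the target."""
    fixes = []
    for name, wanted in IP_TUNABLES.items():
        if get_value(name) != wanted:
            fixes.append(f"ndd -set /dev/ip {name} {wanted}")
    return fixes


def enabled_small_services(inetd_conf):
    """Return (service, protocol) for every uncommented echo/chargen entry.
    inetd.conf fields: service socket-type protocol wait-status user program."""
    enabled = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] in SMALL_SERVICES:
            enabled.append((fields[0], fields[2]))
    return enabled


# Constructed stand-in for ndd output on a host that has not been hardened.
SAMPLE_TUNABLES = {
    "ip_forward_directed_broadcasts": 1,
    "ip_forward_src_routed": 1,
    "ip_respond_to_echo_broadcast": 1,
    "ip_respond_to_timestamp_broadcast": 0,
    "ip_respond_to_address_mask_broadcast": 0,
}

# Constructed excerpt in /etc/inet/inetd.conf format; only TCP chargen is off.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
#chargen stream tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
"""


def report(get_value=SAMPLE_TUNABLES.get, inetd_conf=SAMPLE_INETD_CONF):
    """Combine both checks into one findings dict (defaults use the samples)."""
    return {
        "ndd_fixes": audit_ip_tunables(get_value),
        "inetd_services_to_comment_out": enabled_small_services(inetd_conf),
    }


if __name__ == "__main__":
    # Replace the defaults with ndd_get and open("/etc/inet/inetd.conf").read()
    # to audit a real host.
    for key, value in report().items():
        print(key, value)
```

After commenting out the inetd entries, inetd must be sent SIGHUP to reread its configuration; the ndd commands take effect immediately but, as noted, must be repeated at boot.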

Summary: A directed broadcast is a unicast datagram sent from a system on a remote network and
addressed to all systems on another network. Once the datagram reaches the router connected to
the target network, it is forwarded to all systems on that network as a data-link layer
broadcast.