VID | 29159
Severity | 30
Port | 22
Protocol | TCP
Class | CISCO
Detailed Description
The CISCO IOS device does not block IP directed broadcasts. Router interfaces that forward directed broadcasts can be used for "smurf" attacks. IP directed broadcast packets traverse the network in the same way as unicast IP packets until they reach the destination subnet. When they reach the destination subnet and IP directed broadcast is enabled on the device, the device translates ("explodes") the IP directed broadcast packet into a link-layer broadcast and floods it onto the target subnet, so every host on that subnet receives the packet.
* Platforms Affected: CISCO IOS
Recommendation
Explicitly disable IP directed broadcast on each interface as follows:
Router# config terminal
Router(config)# interface fastethernet 0/1
Router(config-if)# no ip directed-broadcast

Alternatively, configure an access list as follows to prevent smurf attacks:
Router# config terminal
Router(config)# access-list 108 deny icmp any host 1.1.1.255 (blocks ICMP to 1.1.1.255, the broadcast address of 1.1.1.0/24)
Router(config)# access-list 108 deny icmp any host 1.1.1.0 (blocks ICMP to 1.1.1.0, the network address of 1.1.1.0/24)
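As an added example (not part of this advisory's text and not a Cisco tool), the following Python script audits `show running-config` output for the weak setting described above: it reports, per interface, whether `ip directed-broadcast` is explicitly enabled, explicitly disabled, or left at the platform default, derives each addressed subnet's network and broadcast addresses, and emits the two `deny` statements the recommendation uses for every exposed subnet. The sample configuration is constructed for the demonstration; the `default_enabled` flag is an assumption you set according to the IOS release (IOS 12.0 and later disable directed broadcast by default, earlier releases enable it).

```python
"""Audit a Cisco IOS running-config for interfaces that still forward IP directed broadcasts.

Added example, not part of the original advisory. Parses interface blocks from
config text and classifies each one; for addressed interfaces it also derives
the subnet's network and broadcast addresses, the two destinations the
advisory's access list denies.
"""
import ipaddress
import re

# Constructed sample config for demonstration; not captured from a real device.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0/0
 ip address 192.168.10.1 255.255.255.252
!
"""

ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")


def parse_interfaces(config_text):
    """Return {interface_name: [stripped sub-commands]} from IOS config text."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the interface block
    return interfaces


def directed_broadcast_state(lines):
    """Classify one interface: 'enabled', 'disabled', or 'default' (not configured)."""
    if "no ip directed-broadcast" in lines:
        return "disabled"
    # 'ip directed-broadcast' may carry an optional access-list number argument.
    if any(l == "ip directed-broadcast" or l.startswith("ip directed-broadcast ") for l in lines):
        return "enabled"
    return "default"


def audit(config_text, default_enabled=False):
    """Return per-interface findings.

    default_enabled=True models releases where directed broadcast is on unless
    explicitly disabled (assumption: set it from the device's IOS version).
    """
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        state = directed_broadcast_state(lines)
        exposed = state == "enabled" or (state == "default" and default_enabled)
        network = broadcast = None
        for line in lines:
            m = ADDR_RE.match(line)
            if m:
                # strict=False lets us pass the host address with its dotted mask.
                net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
                network, broadcast = str(net.network_address), str(net.broadcast_address)
        findings[name] = {"state": state, "exposed": exposed,
                          "network": network, "broadcast": broadcast}
    return findings


def recommended_acl(findings, acl_number=108):
    """Emit the advisory's deny statements, one pair per exposed, addressed subnet."""
    lines = []
    for name in sorted(findings):
        f = findings[name]
        if f["exposed"] and f["broadcast"]:
            lines.append(f"access-list {acl_number} deny icmp any host {f['broadcast']}")
            lines.append(f"access-list {acl_number} deny icmp any host {f['network']}")
    return lines


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for name, f in results.items():
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{name:18} {f['state']:9} {flag:8} net={f['network']} bcast={f['broadcast']}")
    print("\n".join(recommended_acl(results)))
```

Two caveats when acting on the output: an IOS numbered access list ends with an implicit deny of everything, so the generated statements need a trailing `permit` entry and must be applied to an interface with `ip access-group` before they take effect, and an interface reported as `default` is only safe on releases where the default is disabled, which is why the per-interface `no ip directed-broadcast` in the recommendation is the more robust fix.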