Directed Broadcast
Subnet Review
10.1.1.0 /24
- Network 10.1.1.0
- First host 10.1.1.1
- Last host 10.1.1.254
- Directed Broadcast 10.1.1.255
You can send an ICMP echo request to 10.1.1.255, effectively asking "who is awake in this network?"
- This can produce many, many replies
- This is an amplification attack
- Amplification is the goal of a smurf attack
Classic Smurf Attack
- DDoS can leverage amplification
- 1 ICMP echo request to 10.1.1.255 could generate 254 replies
- A 254:1 return on investment
- 10.1.255.255 (65,000:1)
- 10.255.255.255 (16M:1)
no ip directed-broadcast
- Default behavior on routers
- Directed broadcast was the official mechanism for reaching every host on a remote subnet
- Attackers were using it more than legitimate users, so it was disabled by default.
- Directed broadcast 10.1.1.255: because it is directed at a specific subnet, it can actually be routed
- Regular broadcast 255.255.255.255: never intended to be routed
- Alternatively, directed broadcasts can be filtered by an ACL (Access Control List)
- DDoS prevention
- Leave directed broadcast enabled but restrict it with an extended ACL so that only particular users can send one.
- Routers create separate broadcast domains
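The subnet math and the router-side check above, worked through in an added example (not part of the original notes): the first function reproduces the Subnet Review fields and the smurf amplification ratio for any IPv4 prefix, and the second mimics what `no ip directed-broadcast` or a deny ACL does, dropping echo requests whose destination is a local subnet's broadcast address. The packet list is constructed sample data.

```python
from ipaddress import IPv4Address, IPv4Network

# The limited broadcast from the notes: never routed, so a router drops it.
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def subnet_review(cidr):
    """Return network, first/last host, directed broadcast and the worst-case
    smurf amplification (one echo request -> one reply per usable host)."""
    net = IPv4Network(cidr, strict=False)
    usable_hosts = net.num_addresses - 2  # drop network and broadcast addresses
    return {
        "network": str(net.network_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "directed_broadcast": str(net.broadcast_address),
        "amplification": usable_hosts,  # 254 for a /24, i.e. "254:1"
    }


def is_directed_broadcast(dst, local_subnets):
    """True if dst is the broadcast address of one of the router's subnets."""
    addr = IPv4Address(dst)
    return any(addr == IPv4Network(s).broadcast_address for s in local_subnets)


def filter_echo_requests(packets, local_subnets):
    """Split (src, dst) echo requests into those the router forwards and those
    it drops under 'no ip directed-broadcast' plus the limited-broadcast rule."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if IPv4Address(dst) == LIMITED_BROADCAST or is_directed_broadcast(dst, local_subnets):
            dropped.append((src, dst))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped


# Constructed sample: three echo requests arriving at a router that owns two /24s.
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.1.1.255"),       # directed broadcast -> dropped
    ("203.0.113.5", "10.1.1.7"),         # ordinary host -> forwarded
    ("203.0.113.5", "255.255.255.255"),  # limited broadcast -> dropped
]
LOCAL_SUBNETS = ["10.1.1.0/24", "10.1.2.0/24"]

if __name__ == "__main__":
    for cidr in ("10.1.1.0/24", "10.1.0.0/16", "10.0.0.0/8"):
        print(cidr, subnet_review(cidr))
    print(filter_echo_requests(SAMPLE_PACKETS, LOCAL_SUBNETS))
```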