In order to prevent your site from "bouncing" smurf/fraggle packets (amplifying a spoofed echo request into a flood of replies aimed at the victim whose address was forged as the source), you must turn off "directed broadcasts" on the router leading to the target subnet. A directed broadcast is a packet sent to the broadcast address of a remote subnet, for example 192.0.2.255 for 192.0.2.0/24; a router that honours it delivers the packet to every device on that subnet, and every one of them may answer.
- Cisco
- Use the command "no ip directed-broadcast"
- Proteon
- Configure "disable directed-broadcast"
- Nortel/Bay
- Configure an incorrect static ARP address for the broadcast address
- WinNT
- Configure an incorrect static ARP address for the broadcast address. Example: arp -s 192.0.2.255 00-00-00-00-00-00
- Linux
- Configure an incorrect static ARP address for the broadcast address. Example: arp -s 192.0.2.255 00:00:00:00:00:00
If a host is being used as a router, the simplest method is to add a static ARP table entry that maps the broadcast address to a non-existent MAC address (such as 000000000000), so packets directed at the broadcast address are never delivered onto the wire.
Most routers today allow for firewall-style packet filters. These can also be used to deny access to the broadcast address.
Another defense is to disable the response on the hosts themselves. According to the Host Requirements RFC (RFC 1122), an ICMP Echo Request sent to a broadcast address MAY be silently discarded, so a host that ignores it is still compliant.
- WinNT, Win98, Win2k
- By default, these do not respond to pings sent to the broadcast address.
- FreeBSD
- 2.2.5 and later do not respond
- NetBSD
- sysctl -w net.inet.ip.directed-broadcast=0
- AIX 4.x
- no -o bcastping=0 # disable bcast ping responses (default)
- Solaris
- Add to /etc/rc2.d/S69inet.startup the line ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- ipfwadm (Linux packet filter)
- ipfwadm -I -a deny -P icmp -D 192.0.2.255 -S 0/0 0 8
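The two checks described above, the router refusing to forward a directed broadcast and the host discarding an echo request (or fraggle's UDP echo/chargen datagram) aimed at its broadcast address, as an added example that is not part of the original FAQ. It models the decision logic only; the packets, subnets and addresses are constructed test data from RFC 5737 space, and the function names are this example's own.

```python
"""Directed-broadcast (smurf/fraggle) filtering logic.

Added example, not code from the original FAQ. It models two defences:
  1. router check: do not forward a packet whose destination is the directed
     broadcast address of a subnet we route for ("no ip directed-broadcast"), and
  2. host check: silently discard ICMP echo requests, and UDP echo/chargen
     datagrams, that arrive addressed to our broadcast address (RFC 1122 allows this).
All packets and subnets below are constructed test data.
"""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
UDP_ECHO, UDP_CHARGEN = 7, 19  # the UDP services fraggle abuses


def directed_broadcasts(subnets):
    """Map each attached subnet's directed broadcast address to the subnet.
    /31 and /32 have no broadcast address (RFC 3021), so they are skipped."""
    out = {}
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)
        if net.prefixlen < 31:
            out[net.broadcast_address] = net
    return out


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from a raw IPv4 packet (options skipped)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), pkt[ihl:]


def router_should_forward(pkt, attached_subnets):
    """Router check: refuse to forward anything aimed at the directed broadcast
    of a subnet we route for. Returns (forward, reason)."""
    bcasts = directed_broadcasts(attached_subnets)
    _proto, _src, dst, _payload = parse_ipv4(pkt)
    if dst in bcasts:
        return False, f"directed broadcast for {bcasts[dst]}"
    return True, "unicast"


def host_should_answer(pkt, my_subnet):
    """Host check: an echo request (ICMP type 8) or a UDP echo/chargen datagram
    addressed to our subnet or limited broadcast address is dropped without reply."""
    proto, _src, dst, payload = parse_ipv4(pkt)
    net = ipaddress.ip_network(my_subnet, strict=False)
    is_bcast = dst in (net.broadcast_address, ipaddress.IPv4Address("255.255.255.255"))
    if proto == 1 and len(payload) >= 1 and payload[0] == ICMP_ECHO_REQUEST and is_bcast:
        return False
    if proto == 17 and len(payload) >= 4:
        dport = struct.unpack("!H", payload[2:4])[0]
        if dport in (UDP_ECHO, UDP_CHARGEN) and is_bcast:
            return False
    return True


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) for constructed packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed samples: the attacker spoofs 198.51.100.7 as the source so that
# every host answering the broadcast floods that victim.
ECHO_REQ = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)  # type, code, csum, id, seq
SMURF_PKT = build_ipv4(1, "198.51.100.7", "192.0.2.255", ECHO_REQ)
UNICAST_PING = build_ipv4(1, "198.51.100.7", "192.0.2.10", ECHO_REQ)
FRAGGLE_PKT = build_ipv4(17, "198.51.100.7", "192.0.2.255",
                         struct.pack("!HHHH", 1234, UDP_CHARGEN, 8, 0))  # sport, dport, len, csum

if __name__ == "__main__":
    attached = ["192.0.2.0/24", "203.0.113.0/31"]
    print("router:", router_should_forward(SMURF_PKT, attached))    # (False, 'directed broadcast for 192.0.2.0/24')
    print("router:", router_should_forward(UNICAST_PING, attached))  # (True, 'unicast')
    print("host:", host_should_answer(SMURF_PKT, "192.0.2.10/24"))   # False
    print("host:", host_should_answer(FRAGGLE_PKT, "192.0.2.10/24")) # False
    print("host:", host_should_answer(UNICAST_PING, "192.0.2.10/24"))# True
```

The router check keys on the destination alone, which is exactly what "no ip directed-broadcast" and the static-ARP trick achieve; the host check additionally looks at the ICMP type and UDP port, since a host still has to answer ordinary unicast pings. Note the /31 case: a point-to-point link has no broadcast address, so nothing on it is ever classified as a directed broadcast.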