Velocity Reviews - Computer Hardware Reviews


IP Directed Broadcasts

joseph.m.carr@gmail.com
      02-26-2007
Hey all,

We wish to send IP Directed Broadcasts through our routers (for SMS
2003). This will be used for our Wake on LAN packet. We would like
to set up our interfaces to where the SMS server will be the only one
that the broadcast packets would be allowed to be sent through (to
prevent SMURF attacks). I've read that this was possible, but am not
sure how to proceed. Thanks in advance for any assistance!

 
briggs@encompasserve.org
      02-26-2007
In article < om>, writes:
> Hey all,
>
> We wish to send IP Directed Broadcasts through our routers (for SMS
> 2003). This will be used for our Wake on LAN packet. We would like
> to set up our interfaces to where the SMS server will be the only one
> that the broadcast packets would be allowed to be sent through (to
> prevent SMURF attacks). I've read that this was possible, but am not
> sure how to proceed. Thanks in advance for any assistance!


One way to proceed would be with ingress ACLs on all the interfaces
where you wish to defend against SMURF attempts inbound to the router.

A similar way to proceed would be with egress ACLs on all the interfaces
where you wish to permit directed broadcasts emitted from the router.

Say your SMS server is at 1.1.1.100 and you have user segments
at 2.2.2.x and 3.3.3.x where you wish to send directed broadcasts.

Then you could use ACLs like:

ip access-list extended no-smurf-except-from-SMS-server
 permit ip host 1.1.1.100 host 2.2.2.255
 permit ip host 1.1.1.100 host 3.3.3.255
 deny ip any host 2.2.2.255
 deny ip any host 3.3.3.255
 permit ip any any

ip access-list extended no-smurf-at-all
 deny ip any host 2.2.2.255
 deny ip any host 3.3.3.255
 permit ip any any


If you were doing ingress ACLs then you'd put the following on the
interface facing the SMS server:

interface Fa0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group no-smurf-except-from-SMS-server in

and the following on each other interface

interface Fa0/1
 ip address <whatever>
 ip access-group no-smurf-at-all in


If you were doing egress ACLs then you'd put the following on your
2.2.2.x and 3.3.3.x interfaces:

interface Fa0/0
 ip address 2.2.2.1 255.255.255.0
 ip access-group no-smurf-except-from-SMS-server out
 ip directed-broadcast


Of course, you should still make sure that you enable [or disable]
"ip directed-broadcast" appropriately on all the interfaces adjacent
[or not adjacent] to user subnets where you need the broadcasts to
work.
 
Thrill5
      03-01-2007
Here is how you control who can do directed broadcast:

access-list 100 remark Wake on LAN
access-list 100 permit ip host 10.1.2.1 any

interface fastethernet 0/0
 ip directed-broadcast 100

On every interface that has PCs that you want to wake you put "ip
directed-broadcast 100". This is not required on other interfaces (such as
WAN). ACL 100 should list the IPs of the SMS servers (the servers sending
the directed broadcasts).

Scott

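Added example, not code from any post in this thread: a small Python model of how IOS evaluates the ACLs from the two replies above (first matching entry wins, and a list that matches nothing ends in the implicit deny). It derives each user segment's directed-broadcast address from the interface address and mask, builds the two named ACLs from briggs's reply for the 1.1.1.100 server, and can evaluate a source-only list such as Thrill5's ACL 100; the addresses are the thread's, the function names are this example's own.

```python
import ipaddress

# Constructed model of IOS ACL evaluation (first match wins, implicit deny at
# the end). Addresses are the ones used in this thread; everything else is
# an assumption of this example, not router behaviour quoted from the posts.

def directed_broadcast(addr_and_mask):
    """Broadcast address of an interface's subnet, e.g. 2.2.2.1/255.255.255.0 -> 2.2.2.255."""
    return str(ipaddress.ip_interface(addr_and_mask).network.broadcast_address)

def build_smurf_acls(sms_server, user_ifaces):
    """Build the two ACLs from briggs's reply for one SMS server and the
    interfaces of the user segments that should receive its broadcasts."""
    bcasts = [directed_broadcast(i) for i in user_ifaces]
    from_sms = [("permit", sms_server, b) for b in bcasts]
    deny_bcast = [("deny", "any", b) for b in bcasts]
    allow_rest = [("permit", "any", "any")]
    return {
        "no-smurf-except-from-SMS-server": from_sms + deny_bcast + allow_rest,
        "no-smurf-at-all": deny_bcast + allow_rest,
    }

def _matches(field, addr):
    return field == "any" or field == addr

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a packet; no matching entry is the implicit deny."""
    for action, s, d in acl:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

def render(name, acl):
    """Render the ACL in IOS named, extended syntax."""
    lines = ["ip access-list extended " + name]
    for action, s, d in acl:
        src = "any" if s == "any" else "host " + s
        dst = "any" if d == "any" else "host " + d
        lines.append(" %s ip %s %s" % (action, src, dst))
    return "\n".join(lines)

if __name__ == "__main__":
    acls = build_smurf_acls("1.1.1.100", ["2.2.2.1/255.255.255.0", "3.3.3.1/255.255.255.0"])
    for name, acl in acls.items():
        print(render(name, acl))
    acl = acls["no-smurf-except-from-SMS-server"]
    # SMS server may hit the directed broadcast; anyone else may not; unicast still passes.
    print(evaluate(acl, "1.1.1.100", "2.2.2.255"), evaluate(acl, "9.9.9.9", "2.2.2.255"),
          evaluate(acl, "9.9.9.9", "2.2.2.50"))
    # Without the trailing "permit ip any any", ordinary traffic hits the implicit deny.
    print(evaluate(acl[:-1], "9.9.9.9", "2.2.2.50"))
```

Dropping the last entry of the first list shows why briggs's ACLs end in "permit ip any any": without it every non-broadcast packet on that interface is silently denied.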
 
response3
      03-21-2007
On Feb 28, 5:06 pm, "Thrill5" <nos...@somewhere.com> wrote:
> Here is how you control who can do directed broadcast:
>
> access-list 100 remark Wake on LAN
> access-list 100 permit ip host 10.1.2.1 any
>
> interface fastethernet 0/0
>  ip directed-broadcast 100
>
> On every interface that has PCs that you want to wake you put "ip
> directed-broadcast 100". This is not required on other interfaces (such as
> WAN). ACL 100 should list the IPs of the SMS servers (the servers sending
> the directed broadcasts).
>

I've been through this exact scenario, where we needed to forward SMS
broadcasts on port 20000. The easiest way? Just do this to every
layer-3 device in your network:

ip forward-protocol udp 20000

Brian

 