3.2.4 Disable IP Directed Broadcasts on all Layer 3 Interfaces

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for an IP subnet, but which originates from a node that is not itself a part of that destination subnet.

Rationale:

Directed broadcasts can be abused in several ways:

a volumetric DoS attack against the NX-OS switch itself, where the volume of data the switch sends back can be much larger than the request it received

a volumetric DoS attack against a third party (often called a 'smurf attack')

a single-packet reconnaissance of a local subnet

We recommend disabling IP directed broadcasts (the ip directed-broadcast command) on any interface where they are not specifically required.

Solution

switch(config-if)# no ip directed-broadcast
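To check this setting across a whole switch rather than one interface at a time, the following script audits a saved running-config and produces the remediation commands for any Layer 3 interface that still has directed broadcasts enabled. It is an added example, not part of the CIS benchmark or a Cisco tool; the running-config excerpt is constructed for illustration, and the script assumes (as on NX-OS, where directed broadcasts are disabled by default) that an enabled interface shows an explicit "ip directed-broadcast" line in "show running-config".

```python
import re
from typing import Dict, List

# Constructed sample NX-OS running-config excerpt (illustrative, not from the benchmark).
# Vlan10 is non-compliant; Vlan20 is explicitly compliant; Ethernet1/1 relies on the
# NX-OS default (disabled); Ethernet1/2 is a Layer 2 port and is out of scope.
SAMPLE_RUNNING_CONFIG = """\
version 9.3(5)
hostname nxos-core-1
!
interface Vlan10
  description Users
  ip address 10.10.10.1/24
  ip directed-broadcast
!
interface Vlan20
  description Servers
  ip address 10.10.20.1/24
  no ip directed-broadcast
!
interface Ethernet1/1
  description Uplink
  no switchport
  ip address 192.0.2.1/30
!
interface Ethernet1/2
  switchport
  switchport access vlan 10
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [its indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level command: either opens an interface block or ends the current one.
            match = re.match(r"interface\s+(\S+)$", line)
            current = match.group(1) if match else None
            if current is not None:
                interfaces[current] = []
            continue
        if current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def is_layer3(sub_commands: List[str]) -> bool:
    """A Layer 3 interface is one that carries an IP address."""
    return any(cmd.startswith("ip address ") for cmd in sub_commands)


def directed_broadcast_enabled(sub_commands: List[str]) -> bool:
    """True only for the positive form; 'no ip directed-broadcast' must not match."""
    return any(
        cmd == "ip directed-broadcast" or cmd.startswith("ip directed-broadcast ")
        for cmd in sub_commands
    )


def audit(config: str) -> List[str]:
    """Return the Layer 3 interfaces that still have IP directed broadcasts enabled."""
    return [
        name
        for name, cmds in parse_interfaces(config).items()
        if is_layer3(cmds) and directed_broadcast_enabled(cmds)
    ]


def remediation_commands(config: str) -> List[str]:
    """Build the 'no ip directed-broadcast' config lines for each finding."""
    lines: List[str] = []
    for name in audit(config):
        lines.append(f"interface {name}")
        lines.append("  no ip directed-broadcast")
    return lines


if __name__ == "__main__":
    findings = audit(SAMPLE_RUNNING_CONFIG)
    print("Non-compliant interfaces:", findings or "none")
    print("\n".join(remediation_commands(SAMPLE_RUNNING_CONFIG)))
```

Because NX-OS omits default settings from the plain running-config, an interface with no "ip directed-broadcast" line is treated as compliant; to make the audit independent of defaults, feed it the output of "show running-config all", which prints the explicit "no ip directed-broadcast" line for every interface.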

See Also

https://workbench.cisecurity.org/benchmarks/6524