13 Replies Latest reply: Mar 17, 2011 8:32 AM by Scott Morris - CCDE/4xCCIE/2xJNCIE RSS

    Pinging a broadcast address

    Steven Williams

      What happens if you ping a broadcast IP address?

        • 1. Re: Pinging a broadcast address
          Conwyn

          Hi Hollywood

           

          If in enabled mode everybody replies but not always.

           

          Regards Conwyn

          • 2. Re: Pinging a broadcast address
            Steven Williams

            I guess I am asking that if Client A connected to a switch pings a broadcast address does the switch take that ICMP and push it out all ports except the one it was received on?

            • 3. Re: Pinging a broadcast address
              Brian

              Are you talking a directed broadcast (ie 192.168.1.255) or local broadcast (ie 255.255.255.255)?   There is a big difference.

               

              Try a search on CLN, we talked about this before I am sure you can find it.

               

              HTH

               

              • 4. Re: Pinging a broadcast address
                Steven Williams

                Directed Broadcast. I am thinking if the switch does forward that ICMP out all ports, that could cause havok on the network.

                • 5. Re: Pinging a broadcast address
                  Brian

                  Are you talking layer 2 or layer 3 switch?  A layer 2 switch does nothing with the ip directed broadcast.  Take this example,  I am on LAN 1 (192.168.1.0/24) and ping the directed broadcast address 192.168.1.255.

                   

                  Host 1 <--> SW1 <--> R1 <--> R2 <--> SW2 <--> Host 2

                   

                  Host 1 pings 192.168.1.255, assuming that the GW IP has already been resolved the packet gets forwarded to the router R1.  assuming that "ip directed broadcast" is enabled on R1, R1 sees that the destination is "local" and converts the directed broadcast 192.168.1.255 --> 255.255.255.255 and sends back out the LAN 1 interface.  All hosts will respond.

                   

                  Host 2 is on LAN 2 (192.168.2.0/24).  Host 1 pings the directed broadcast 192.168.2.255.  Assuming that "ip directed broadcast" is enabled on R1 and R2.  The packet goes from Host 1 to R1. R1 routes the packet to R2.  R2 sees that the destination is "local" and converts the directed broadcast 192.168.2.255 --> 255.255.255.255 and sends ont the LAN 2 interface.  All hosts on LAN 2 respond.

                   

                  HTH

                   

                  • 6. Re: Pinging a broadcast address
                    Steven Williams

                    Ok so my statement stands...if I have a local client pinging the broadcast address of their specific subnet, it will hit the default gateway, turn around, and broadcast to all clients. So this could lead to a broadcast storm I assume?

                    • 7. Re: Pinging a broadcast address
                      Scott Morris - CCDE/4xCCIE/2xJNCIE

                      Why would it hit your gateway?  If you are local the subnet, you will actually self-translate that into 255.255.255.255.  (debug ip packet on a router will show you that)

                       

                      If you try it to a different subnet, you'll need "ip directed-broadcast" enabled on the interface belonging to the subnet you're trying to send to.  Otherwise, since IOS 12.0, those subnet pings have been blocked from a routing point of view. (smurf attack)

                       

                      Keep in mind though that's always at the END point.  Up until the last router, nobody else really knows whether an IP is a broadcast or not.  Just that last router whether the subnet + mask really exists can we tell!

                       

                      HTH,

                       

                      Scott

                      • 8. Re: Pinging a broadcast address
                        Steven Williams

                        HA HA, I need a vacation. Not sure when I thought a local ICMP would go to a default gateway. So if  my IP address is 192.168.1.100 and I open a couple hundred command prompt windows and start pinging 192.168.1.255 over and over again, what is going to happen?

                        • 9. Re: Pinging a broadcast address
                          Scott Morris - CCDE/4xCCIE/2xJNCIE

                          You'll get lots of replies from everyone on your subnet.  At least everyone who didn't have an ACL or FW blockin ICMP. 

                           

                          And the rest of us will wonder WHY you felt like doing that!?!??

                          • 10. Re: Pinging a broadcast address
                            Keith Barker - CCIE RS/Security, CISSP

                            Hello Hollywood-

                             

                            You have gotten some great responses.

                             

                            Here is what it would look like from the CLI and wireshark, if the admin at the router send a local broadcast PING:

                             

                            Local broadcast Ping.png

                             

                             

                            R2#ping 10.234.0.255

                             

                            Type escape sequence to abort.

                            Sending 5, 100-byte ICMP Echos to 10.234.0.255, timeout is 2 seconds:

                             

                            Reply to request 0 from 10.234.0.4, 4 ms

                            Reply to request 0 from 10.234.0.3, 8 ms

                            Reply to request 1 from 10.234.0.3, 8 ms

                            Reply to request 1 from 10.234.0.4, 8 ms

                            Reply to request 2 from 10.234.0.3, 8 ms

                            Reply to request 2 from 10.234.0.4, 8 ms

                            Reply to request 3 from 10.234.0.3, 4 ms

                            Reply to request 3 from 10.234.0.4, 4 ms

                            Reply to request 4 from 10.234.0.3, 4 ms

                            Reply to request 4 from 10.234.0.4, 8 ms

                            R2#

                             

                             

                            Local broadcast Ping Wireshark.png

                             

                            The switch, as usual, would forward the L2 broadcast to all other ports in the same VLAN, and the devices on those ports would de-encapsulate the ICMP echo request, and respond with a unicast echo-reply back to the source address used in the request (in this example, R2 is using 10.234.0.2).

                             

                            Best wishes,

                             

                            Keith

                            • 11. Re: Pinging a broadcast address
                              Steven Williams

                              Scott Morris - CCDE/4xCCIE/2xJNCIE wrote:

                               

                              You'll get lots of replies from everyone on your subnet.  At least everyone who didn't have an ACL or FW blockin ICMP. 

                               

                              And the rest of us will wonder WHY you felt like doing that!?!??

                               

                              Well I know not to do it, but that doesn't mean I can tell my users not to. I am just thinking that this could cause the pipes to clog, am I right in saying that?

                              • 12. Re: Pinging a broadcast address
                                Jared

                                If you have enough people doing it.... then it could be a potential DDoS attack.  That is why you don't want users to have access to ping utilities and why admins may lock down the CLI of both windows and mac machines.

                                • 13. Re: Pinging a broadcast address
                                  Scott Morris - CCDE/4xCCIE/2xJNCIE

                                  It would only clog local workstations and switch throughput.  Your "pipes" (connections elsewhere) would be fine unless you were routing.

                                   

                                  Typically things like that (especially pinging to the subnet broadcast with a source IP of the broadcast as well) are meant to target the devices on the local segment.

                                   

                                  Scott