Broadcast storm
Broadcast radiation is the accumulation of broadcast and multicast traffic on a computer network. Extreme amounts of broadcast traffic constitute a broadcast storm. A broadcast storm can consume sufficient network resources so as to render the network unable to transport normal traffic.[1] A packet that induces such a storm is occasionally nicknamed a Chernobyl packet.[2]
Causes
Most commonly the cause is a switching loop in the Ethernet wiring topology (i.e. two or more paths exist between end stations). As broadcasts and multicasts are forwarded by switches out of every port, the switch or switches will repeatedly rebroadcast broadcast messages and flood the network. Since the Layer 2 header does not support a time to live (TTL) value, if a frame is sent into a looped topology, it can loop forever.
In some cases, a broadcast storm can be instigated for the purpose of a denial of service (DOS) using one of the packet amplification attacks, such as the smurf attack or fraggle attack, where smurf sends a large amount of ICMP Echo Requests (ping) traffic to a broadcast address, with each ICMP Echo packet containing the spoof source address of the victim host. When the spoofed packet arrives at the destination network, all hosts on the network reply to the spoofed address. The initial Echo Request is multiplied by the number of hosts on the network. This generates a storm of replies to the victim host tying up network bandwidth, using up CPU resources or possibly crashing the victim.[3]
In wireless networks a disassociation packet spoofed with the source to that of the wireless access point and sent to the broadcast address can generate a disassociation broadcast DOS attack.[4]
Prevention
- Switching loops are largely addressed with shortest path bridging or older spanning tree protocols. In Metro Ethernet rings it is prevented using the Ethernet Ring Protection Switching (ERPS) or Ethernet Automatic Protection System (EAPS) protocols.
- Filtering broadcasts by Layer 3 equipment, typically routers (and even switches that employ advanced filtering called brouters).
- Physically segmenting the broadcast domains using routers at Layer 3 (or logically with VLANs at Layer 2) in the same fashion switches decrease the size of collision domains at Layer 2.
- Routers and firewalls can be configured to detect and prevent maliciously inducted broadcast storms (e.g. due to a magnification attack).
- Broadcast storm control is a feature of many managed switches in which the switch intentionally ceases to forward all broadcast traffic if the bandwidth consumed by incoming broadcast frames exceeds a designated threshold. Although this does not resolve the root broadcast radiation problem, it limits broadcast radiation intensity and thus allows a network manager to communicate with network equipment to diagnose and resolve the root problem.
Misinterpretations
- A common misinterpretation is that routing loops have anything to do with broadcast storms. Working at Layer 3, routers (unlike Layer 2 equipment) do not forward MAC-level broadcast traffic.
- Another misinterpretation is that routers cannot forward broadcasts under special circumstances. Some routable protocols support the use of internetwork-level broadcasts. If the router is configured to forward them, the broadcast domain segmentation is compromised.
- Most commonly it is believed that only routers can impact the broadcast domain or filter broadcasts. Switches can blur the layer line (e.g. with VLANs) and can do filtering (they still need a router for forwarding however). To complicate matters, some devices sold as switches have routing capabilities and will use them automatically, if they have interfaces on more than one LAN or VLAN.
- A misinterpretation is that a broadcast can be responded to with a broadcast. This is not true. A broadcast can, however, be issued to gather information needed to respond to an initially received broadcast. In a redundant looped topology this second broadcast can reach the interface that sent the initial broadcast.
MANET broadcast storms
In a mobile ad hoc network (MANET), route request (RREQ) packets are usually broadcast to discover new routes. These RREQ packets may cause broadcast storms and compete over the channel with data packets. One approach to alleviate the broadcast storm problem is to inhibit some hosts from rebroadcasting to reduce the redundancy, and thus contention and collision.[5]
References
- ^ "Internetwork Design Guide -- Broadcasts in Switched LAN Internetworks". Cisco. 1999.
- ^ Chernobyl packet, Free On-line Dictionary of Computing, retrieved 2013-08-30
- ^ Chau, Hang (17 September 2004). "Defense Against the DoS/DDoS Attacks on Cisco Routers". Archived from the original on 11 December 2006.
{{cite web}}
: Unknown parameter|deadurl=
ignored (|url-status=
suggested) (help) - ^ "Disassociation Broadcast Attack Using ESSID Jack". Archived from the original on 11 December 2006.
{{cite web}}
: Unknown parameter|deadurl=
ignored (|url-status=
suggested) (help) - ^ Ni, Sze-Yao; Tseng, Yu-Chee; Chen, Yuh-Shyan; Sheu, Jang-Ping (August 1999). "The Broadcast Storm Problem in a Mobile Ad Hoc Network" (PDF). MobiCom '99 Proceedings of the 5th annual ACM/IEEE international conference on Mobile computing and networking. Seattle, Washington, USA: 151–162.
{{cite journal}}
: Cite has empty unknown parameter:|1=
(help)