Broadcast radiation
Encyclopedia
Broadcast radiation is the accumulation of broadcast and multicast traffic on a computer network. Extreme amounts of broadcast traffic constitute a broadcast storm. A broadcast storm can consume sufficient network resources so as to render the network unable to transport normal traffic.
Causes
Most commonly the cause is a switching loop in the Ethernet wiring topology (i.e. two or more paths exist between end stations). As broadcasts and multicasts are forwarded by switches out every port, the switch or switches will repeatedly rebroadcast broadcast messages and flood the network.
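The flooding behaviour just described can be reproduced with a small simulation. This is an added example, not code from the article: it assumes a constructed three-switch triangle (two Layer 2 paths between any pair of hosts) and models each switch as flooding a broadcast out every port except the one it arrived on, with an optional set of blocked ports standing in for what a spanning tree would do.

```python
from collections import deque

# Constructed topology (not from the article): three switches S1..S3 wired in
# a triangle, so two Layer 2 paths exist between any pair of end stations.
# (switch, port) -> (peer switch, peer port); port 3 on each switch faces a host.
LINKS = {
    ("S1", 1): ("S2", 1), ("S2", 1): ("S1", 1),
    ("S2", 2): ("S3", 1), ("S3", 1): ("S2", 2),
    ("S3", 2): ("S1", 2), ("S1", 2): ("S3", 2),
}
PORTS = {"S1": [1, 2, 3], "S2": [1, 2, 3], "S3": [1, 2, 3]}


def flood(links, ports, blocked=frozenset(), max_forwards=10_000):
    """Inject one broadcast frame from the host on S1 port 3 and count how
    many times switches forward it. A switch floods a broadcast out every
    port except the ingress port; frames sent to a port in `blocked` are
    discarded there, which is what an STP blocking port does.
    Returns (forwards, host_deliveries); `max_forwards` caps a runaway storm."""
    queue = deque([("S1", 3)])          # (switch, port the frame arrived on)
    forwards = host_deliveries = 0
    while queue and forwards < max_forwards:
        switch, ingress = queue.popleft()
        for port in ports[switch]:
            if port == ingress or (switch, port) in blocked:
                continue
            forwards += 1
            peer = links.get((switch, port))
            if peer is None:
                host_deliveries += 1        # edge port: an end station got a copy
            elif peer not in blocked:
                queue.append(peer)          # uplink: the peer switch floods it again
    return forwards, host_deliveries


if __name__ == "__main__":
    print("loop, no STP:      ", flood(LINKS, PORTS))
    print("loop, S3/2 blocked:", flood(LINKS, PORTS, blocked={("S3", 2)}))
```

With the loop open the frame circulates until the cap is hit and each host keeps receiving copies; with one link blocked every host still receives the frame exactly once and forwarding stops after five hops.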
In some cases, a broadcast storm can be instigated for the purpose of a denial of service (DoS) using one of the packet amplification attacks, such as the smurf attack or fraggle attack, where smurf sends a large amount of ICMP Echo Request (ping) traffic to a broadcast address, with each ICMP Echo packet containing the spoofed source address of the victim host. When the spoofed packet arrives at the destination network, all hosts on the network reply to the spoofed address. The initial Echo Request is multiplied by the number of hosts on the network. This generates a storm of replies to the victim host, tying up network bandwidth, using up CPU resources or possibly crashing the victim.
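Seen from the defender's side, the amplification above leaves two signatures: echo requests addressed to a subnet's directed-broadcast address, and a sudden fan-in of echo replies from many local hosts to one outside address. This added example (not from the article) checks for both over constructed flow records; the subnet, the addresses and the fan-in threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the article): (src, dst, proto, icmp_type).
# ICMP type 8 is Echo Request, type 0 is Echo Reply.
FLOWS = [
    ("203.0.113.7", "192.0.2.255", "icmp", 8),    # ping aimed at our directed-broadcast address
    ("203.0.113.7", "192.0.2.255", "icmp", 8),
    ("192.0.2.10", "192.0.2.20", "icmp", 8),      # ordinary unicast ping and its reply
    ("192.0.2.20", "192.0.2.10", "icmp", 0),
    ("192.0.2.10", "198.51.100.5", "udp", None),  # non-ICMP flow, ignored
] + [(f"192.0.2.{i}", "203.0.113.7", "icmp", 0) for i in range(1, 41)]  # 40 hosts replying

# Subnets this network owns (assumed); their broadcast addresses are the amplifiers.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_broadcast_target(dst, subnets=LOCAL_SUBNETS):
    """True for the limited broadcast address or any local subnet's directed broadcast."""
    ip = ipaddress.ip_address(dst)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(ip == net.broadcast_address for net in subnets)


def detect_smurf(flows, fan_in_threshold=20):
    """Return (broadcast_pings, reply_storms).
    broadcast_pings: (src, dst) of every echo request sent to a broadcast address,
    i.e. the amplifier being triggered; src is the claimed (possibly spoofed) victim.
    reply_storms: {victim: distinct local hosts sending it echo replies} for victims
    receiving replies from at least `fan_in_threshold` hosts."""
    broadcast_pings = []
    repliers = defaultdict(set)
    for src, dst, proto, icmp_type in flows:
        if proto != "icmp":
            continue
        if icmp_type == 8 and is_broadcast_target(dst):
            broadcast_pings.append((src, dst))
        elif icmp_type == 0:
            repliers[dst].add(src)
    reply_storms = {v: len(s) for v, s in repliers.items() if len(s) >= fan_in_threshold}
    return broadcast_pings, reply_storms
```

The first check fires at the amplifying network's border (where disabling directed-broadcast forwarding removes the amplifier), the second at the victim's, where the reply fan-in is what saturates the link.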
In wireless networks, a disassociation packet spoofed with the source address of the wireless access point and sent to the broadcast address can generate a disassociation broadcast DoS attack.
Prevention
- Switching loops are largely addressed with the Spanning Tree Protocol (STP). In Metro Ethernet rings they are prevented using the Ethernet Automatic Protection Switching (EAPS) protocol.
- Filtering broadcasts by Layer 3 equipment, typically routers (and even switches that employ advanced filtering, called brouters).
- Physically segmenting the broadcast domains using routers at Layer 3 (or logically with VLANs at Layer 2), in the same fashion that switches decrease the size of collision domains at Layer 2.
- Routers and firewalls can be configured to detect and prevent maliciously induced broadcast storms (e.g. due to a magnification attack).
- Broadcast storm control is a feature of many managed switches in which the switch intentionally ceases to forward all broadcast traffic if the bandwidth consumed by incoming broadcast frames exceeds a designated threshold. Although this does not resolve the root broadcast radiation problem, it limits broadcast radiation intensity and thus allows a network manager to communicate with network equipment to diagnose and resolve the root problem.
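The storm-control feature in the last item can be modelled as a per-port threshold on broadcast bytes per measurement interval. This is an added example, not vendor code or the article's own: it assumes a 100 Mbit/s port, a 10 % threshold, one-second intervals and a constructed frame timeline in which one second carries a storm of 1500-byte broadcast frames.

```python
def storm_control(frames, link_bps=100_000_000, threshold_pct=10.0, interval_s=1.0):
    """Simplified per-port broadcast storm control.
    frames: (t_seconds, kind, size_bytes) in time order, kind 'bcast' or 'ucast'.
    Within each measurement interval, once forwarded broadcast bytes would exceed
    threshold_pct of the port's capacity for that interval, further broadcast
    frames in the interval are dropped. Unicast is never touched, so the
    network manager keeps a working path to the switch during a storm.
    Returns (forwarded, dropped) frame counts."""
    limit_bytes = link_bps / 8 * interval_s * threshold_pct / 100
    current_interval, bcast_bytes = None, 0
    forwarded = dropped = 0
    for t, kind, size in frames:
        interval = int(t // interval_s)
        if interval != current_interval:
            current_interval, bcast_bytes = interval, 0   # new measurement interval
        if kind == "ucast":
            forwarded += 1
        elif bcast_bytes + size > limit_bytes:
            dropped += 1                                  # over threshold: suppress
        else:
            bcast_bytes += size
            forwarded += 1
    return forwarded, dropped


# Constructed timeline (not from the article): a storm of 1000 full-size broadcast
# frames plus 50 unicast frames in second 0, then a quiet second with 5 small
# (ARP-sized) broadcasts in second 1.
STORM = [(i / 1000, "bcast", 1500) for i in range(1000)]
UCAST = [(i / 50, "ucast", 1500) for i in range(50)]
QUIET = [(1.0 + i / 10, "bcast", 64) for i in range(5)]
FRAMES = sorted(STORM + UCAST + QUIET)

if __name__ == "__main__":
    print("storm control off:", storm_control(FRAMES, threshold_pct=100))  # (1055, 0)
    print("storm control 10%:", storm_control(FRAMES))                     # (888, 167)
```

Real switches measure in vendor-specific ways (packets per second, percentage of line rate, rising and falling thresholds), but the effect is the same: the storm is clipped at the configured share of the link, and the quiet second's legitimate broadcasts pass untouched.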
Misinterpretations
- A common misinterpretation is that routing loops have anything to do with broadcast storms. Working at Layer 3, routers (unlike Layer 2 equipment) do not forward MAC-level broadcast traffic.
- Another misinterpretation is that routers cannot forward broadcasts under special circumstances. Some routable protocols support the use of internetwork-level broadcasts. If the router is configured to forward them, the broadcast domain segmentation is compromised.
- Most commonly it is believed that only routers can impact the broadcast domain or filter broadcasts. As we have seen, switches can blur the layer line (e.g. with VLANs) and can do filtering (they still need a router for forwarding, however).
- A misinterpretation is that a broadcast can be responded to with a broadcast. This is not true. A broadcast can, however, be issued to gather information needed to respond to an initially received broadcast. In a redundant looped topology this second broadcast can reach the interface that sent the initial broadcast.
MANET broadcast storms
In a mobile ad-hoc network (MANET), route request (RREQ) packets are usually broadcast to discover new routes. These RREQ packets may cause broadcast storms and compete over the channel with data packets.
One approach to alleviate the broadcast storm problem is to inhibit some hosts from rebroadcasting to reduce the redundancy, and thus contention and collision.
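The rebroadcast-inhibition idea can be seen in a small synchronous-round simulation. This is an added example, not from the article or any MANET implementation: it assumes a constructed seven-node radio topology and a counter-based rule under which a node drops its rebroadcast if it has already heard the RREQ from at least C neighbours before its turn; the random assessment delay of the real scheme is replaced by a fixed round order.

```python
# Constructed ad-hoc topology (not from the article): node -> nodes in radio range.
# Nodes 0-3 form a dense cluster that all hear each other; node 4 bridges the
# cluster to a chain 4-5-6.
NEIGHBOURS = {
    0: {1, 2, 3, 4}, 1: {0, 2, 3}, 2: {0, 1, 3}, 3: {0, 1, 2},
    4: {0, 5}, 5: {4, 6}, 6: {5},
}


def rreq_flood(neigh, source, counter_threshold=None):
    """Flood one RREQ from `source` and count radio transmissions.
    Plain flooding (counter_threshold=None): every node rebroadcasts the first
    copy it receives. Counter-based scheme (counter_threshold=C): a node that has
    already heard C or more copies before its turn stays silent, since its
    neighbours are almost certainly covered. Returns (transmissions, nodes_reached)."""
    heard = {source: 0}            # copies of the RREQ heard per node
    pending = [source]             # nodes scheduled to rebroadcast in the next round
    transmissions = 0
    while pending:
        next_round = []
        for node in pending:
            if counter_threshold is not None and heard[node] >= counter_threshold:
                continue           # redundant rebroadcast inhibited
            transmissions += 1
            for peer in sorted(neigh[node]):
                if peer not in heard:
                    heard[peer] = 0
                    next_round.append(peer)   # first copy: schedule a rebroadcast
                heard[peer] += 1
        pending = next_round
    return transmissions, len(heard)


if __name__ == "__main__":
    print("plain flooding:", rreq_flood(NEIGHBOURS, 0))                       # (7, 7)
    print("counter C=2:   ", rreq_flood(NEIGHBOURS, 0, counter_threshold=2))  # (5, 7)
    print("counter C=1:   ", rreq_flood(NEIGHBOURS, 0, counter_threshold=1))  # (1, 5)
```

With C=2 two of the cluster nodes stay silent and every node is still reached; with C=1 the inhibition is too aggressive and the chain behind node 4 never learns of the route request, which is the coverage trade-off any such scheme has to balance.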