I think I would agree that the "no ip directed-broadcast" command is the way to go here. It has the additional advantage of preventing the Fraggle attack also, as the command would drop packets based on the IP address, not the protocol, so ICMP, UDP (and TCP etc. for that matter) would all be dropped on the interface if trying to target a broadcast address behind the router.

Rate limiting I don't think would have any effect, as the damage of the attack is caused by the response traffic to the spoofed host, not the amount of inbound ICMP traffic from the attacker. With a large enough network, one would not need many inbound ICMP packets to the broadcast address to create a large number of ICMP reply packets back to the spoofed host.

uRPF would not solve the problem because, even if the Smurf or Fraggle attack came from a spoofed source address (which it likely would), that doesn't mean that the Echo Request packets would not still enter the router on the correct interface and pass any uRPF checks, especially if it was an internet-connected router in which the Echo packets came in the interface via which the default route is reached.

I am not sure about the Selective Directed Broadcast option Eugene mentions. I hadn't heard of the option before, but after a very brief read of the RFC it seems that it is used more for providing a UDP packet with multiple destination addresses (one of which I suppose could be a broadcast address). It would seem that one does not need to use this IP Option to specifically target a broadcast address, as this can be done with a standard packet without using the SDB IP Option.

Thanks
Ben
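As an added illustration (not part of Ben's message or any vendor code), a small Python model of the check that `no ip directed-broadcast` applies on an interface: the drop decision looks only at whether the destination is the subnet-directed broadcast address of a connected subnet, so ICMP, UDP and TCP are treated alike. The subnets, addresses and packet bytes below are constructed for the example.

```python
import ipaddress
import struct

# Constructed example: subnets configured on the router's LAN interface
# (hypothetical addressing, not taken from the original post).
LAN_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4_header(packet: bytes):
    """Return (protocol, src, dst) from a minimal 20-byte IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def is_directed_broadcast(dst, subnets):
    """True if dst is the directed-broadcast address of any connected subnet."""
    return any(dst == net.broadcast_address for net in subnets)


def forward_decision(packet: bytes, subnets=LAN_SUBNETS,
                     directed_broadcast_enabled=False):
    """Mimic the egress-interface check.

    With directed broadcast disabled (the 'no ip directed-broadcast' case)
    the packet is dropped purely on its destination IP; the L4 protocol is
    reported only so the caller can see it played no part in the decision.
    """
    proto, _src, dst = parse_ipv4_header(packet)
    name = PROTO_NAMES.get(proto, str(proto))
    if is_directed_broadcast(dst, subnets) and not directed_broadcast_enabled:
        return "DROP", name, str(dst)
    return "FORWARD", name, str(dst)


def build_ipv4(proto: int, src: str, dst: str) -> bytes:
    """Build a constructed IPv4 header (checksum left zero; no payload)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)
```

Running the same check with `directed_broadcast_enabled=True` shows the packets that would be forwarded to every host on the segment, which is the amplification the post describes.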
