Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

You Are Here

Networking

Difference between Local and Directed Broadcast

no Comments

There are two types of Broadcast IP addresses:

  1. Local Broadcast IP address
  2. Directed Broadcast IP address.

They mostly serve the same function. But one of them contains an extra piece of functionality. In this article I’ll clearly explain both types and their purpose.

I will use the following topology to explain these concepts:

Let’s first define the term “Broadcast”.

A Broadcast is any (L2) frame or (L3) packet that is meant to be delivered to everyone on the local network

A broadcast is the opposite of a Unicast message. Unicast delivers a message to a single specific node using a one-to-one association between a sender and destination: each destination address uniquely identifies a single receiver endpoint. Unicast – one-to-one communication, whereas Broadcast – one-to-all communication.

Layer 2 Broadcasts

As we already know that a Layer 2 Broadcast is any frame with a Destination MAC address of FFFF.FFFF.FFFF.

This MAC address is explicitly reserved for Broadcast Frames. It can also be represented as ff:ff:ff:ff:ff:ff or ff-ff-ff-ff-ff-ff.

Any node can simply create a L2 header with this destination MAC address in order to send a frame to all devices on the local network. When Switches see this destination MAC address they automatically flood the frame out all interfaces (except the one it was received on).

Keep in mind, it is the sender of the frame that sets the Destination MAC address. Therefore, it is the sender of the frame that determines whether a particular frame will be delivered to everyone on the local network or to a single node on the network.

Layer 3 Broadcasts

Similar to a L2 broadcast, a Layer 3 broadcast is simply a special IP address set as the Destination IP address for a particular packet.

Unlike L2 broadcasts, there are two different options for what you use as the Destination IP address for a Layer 3 Broadcast. Those two options are the Local Broadcast and the Directed Broadcast (which is also sometimes called the Targeted Broadcast).

Local Broadcast

The Local Broadcast IP address is 255.255.255.255.

Whatever IP network a particular host is on, that host can always use this IP address to send a packet to every node on the Local Network. In our topology, Host 1 could send a message to the IP address 255.255.255.255 to speak to everyone else on it’s own local network. Notice this also includes the Router. Since the R1 has an IP address in the 10.1.1.0/24 network, it is a member of Host 1’s local network.

Host1# ping 255.255.255.255

PING 255.255.255.255 (255.255.255.255): 56 data bytes

64 bytes from 10.1.1.11: seq=0 ttl=64 time=0.044 ms

64 bytes from 10.1.1.33: seq=0 ttl=64 time=0.944 ms (DUP!)

64 bytes from 10.1.1.22: seq=0 ttl=64 time=1.108 ms (DUP!)

64 bytes from 10.1.1.1: seq=0 ttl=255 time=1.324 ms (DUP!)

^C

— 255.255.255.255 ping statistics —

1 packets transmitted, 1 packets received, 3 duplicates, 0% packet loss

round-trip min/avg/max = 0.044/0.855/1.324 ms

Host1#

Host 1 sent a ping to 255.255.255.255 and received responses from itself (10.1.1.11), Host 3 (10.1.1.33), and Host 2 (10.1.1.22), and the Router (10.1.1.1). This is what the packets looked like on the wire:

Notice the Destination IP address is 255.255.255.255. Notice also the Destination MAC address is ff:ff:ff:ff:ff:ffWhich makes this packet both a L2 broadcast and a L3 broadcast.

In the packet capture window, we can see the responses from Host 3, Host 2, and the Router. But we don’t see the response form Host 1 — that packet was simply sent internally and never actually reached the wire.

Moreover, notice Wireshark correctly labeled that packet as a broadcast packet — again, anything sent to 255.255.255.255 is a Broadcast.

For the sake of comparison, here is a packet capture of a Unicast ping between Host 1 and Host 3:

Notice the L2 source and destination are the MAC addresses which belong to Host 1 (ee:ee:ee:11:11:11) and Host 3 (ee:ee:ee:33:33:33). And of course the L3 source and destination are the IP addresses which belong to Host 1 (10.1.1.11) and Host 3 (10.1.1.33).

Directed Broadcast

Much like the Local Broadcast described above, the Directed Broadcast IP can be used by any host to speak to every host on it’s own local network. Host 1 has the IP address 10.1.1.11 on the 10.1.1.0/24 network. The Broadcast IP address of this IP subnet is therefore 10.1.1.255. Host 1 can use this IP address to send a message to everyone else on it’s own local network — just like it did with the Local Broadcast above:

Host1# ping 10.1.1.255

PING 10.1.1.255 (10.1.1.255): 56 data bytes

64 bytes from 10.1.1.11: seq=0 ttl=64 time=0.046 ms

64 bytes from 10.1.1.33: seq=0 ttl=64 time=0.615 ms (DUP!)

64 bytes from 10.1.1.22: seq=0 ttl=64 time=0.835 ms (DUP!)

64 bytes from 10.1.1.1: seq=0 ttl=255 time=1.261 ms (DUP!)

^C

— 10.1.1.255 ping statistics —

1 packets transmitted, 1 packets received, 3 duplicates, 0% packet loss

round-trip min/avg/max = 0.046/0.689/1.261 ms

Host1#

Host 1 sent a ping to 10.1.1.255 and received responses from itself (10.1.1.11), Host 3 (10.1.1.33), Host 2 (10.1.1.22), and the Router (10.1.1.1).

This is what the packets looked like on the wire:

Notice the destination IP address is 10.1.1.255, and the Destination MAC address is ff:ff:ff:ff:ff:ff.

Wireshark’s analysis of these packets reveals two interesting details:

First, we all know that 10.1.1.255 is the Broadcast IP for the 10.1.1.0/24 network. But Wireshark failed to mark it as such as it did for the Local Broadcast in the prior example. The reason is that Wireshark doesn’t know that this capture is from a network with a /24 mask. Therefore, Wireshark cannot infer that 10.1.1.255 is a Broadcast IP. If the mask were /22, the Broadcast IP would be 10.1.3.255, and the IP 10.1.1.255 would be a perfectly valid host address.

Second, notice the yellow background on the ICMP header. This is Wireshark indicating the “expert info” issued a warning because no response was found for the ICMP echo request. Wireshark saw an echo request sent to 10.1.1.255, and was therefore looking for a response from 10.1.1.255. Which you and I both know is not an actual host that could have responded.

At this point we’ve proven that a host can use either the Local Boadcast IP or the Directed Broadcast IP to speak to every node on it’s local network.

Which begs the question. If both of these types of broadcast perform the same function, why do we have two different types of L3 broadcasts?

The answer: The Directed Broadcast can do something that the Local Broadcast cannot. The Directed Broadcast can be used to speak to every node on a foreign network.

Directed Broadcast to a Foreign Network

Every IP network has its own Broadcast IP. Therefore, Hosts can use the broadcast IP address of a foreign network to direct a broadcast to every node in that foreign network. Hence, the term directed broadcast (or sometimes targeted broadcast).

In our topology, Host 1 can use the IP address 10.3.3.127 to speak to every host in the 10.3.3.0/25 network

Now let’s test the Directed Broadcast to a foreign network. We’ll have Host 1 ping the IP address 10.3.3.127. Remember there are four nodes on the 10.3.3.0/25 network and we should expect a response from each of them.

Host1# ping 10.3.3.127

PING 10.3.3.127 (10.3.3.127): 56 data bytes

64 bytes from 10.2.3.3: seq=0 ttl=253 time=1.171 ms

64 bytes from 10.3.3.66: seq=0 ttl=61 time=3.683 ms (DUP!)

64 bytes from 10.3.3.55: seq=0 ttl=61 time=7.340 ms (DUP!)

64 bytes from 10.3.3.44: seq=0 ttl=61 time=9.838 ms (DUP!)

^C

— 10.3.3.127 ping statistics —

1 packets transmitted, 1 packets received, 3 duplicates, 0% packet loss

round-trip min/avg/max = 1.171/5.508/9.838 ms

As expected, we received four responses to our ping: Router 3 (10.2.3.3), Host 6 (10.3.3.66), Host 5 (10.3.3.55), and Host 4 (10.3.3.44).

Oddly, R3 responded from the IP address 10.2.3.3 — R3’s IP address on the link between R2 and R3. I would have expected this response to come from the IP address 10.3.3.3. I am unsure if it’s a bug or intended behavior or merely Cisco’s implementation of responding to Directed Broadcasts. Either way, this response is indeed from R3.

The packets on the wire reveal some interesting details. Here is the capture on the link between Hub1 and R1:

The most significant fact to point out is this packet is a unicast packet. Notice the L2 and L3 headers are constructed identical to the unicast ping between Host1 and Host6 (except the destination IP address, of course).

This highlights an important fact: Host 1 does not know it is speaking to a directed broadcast IP address. You and I know, because we can see the topology map; but from Host 1’s perspective, 10.3.3.127 is merely an IP address on a foreign network. Host 1 is simply following all the regular rules for speaking to an IP on a foreign network.

In fact, the packet travels from Host1 to R1, and from R1 to R2, and from R2 to R3 as a regular unicast packet. The only Router that knows that the IP address 10.3.3.127 is the broadcast IP for the destination subnet is R3. And the capture on the other side of R3 reveals what R3 does with the unicast packet it received:

Notice the destination MAC address is ff:ff:ff:ff:ff:ff, and the Destination IP address is 255.255.255.255. This is now a L2 and L3 Broadcast.

R3, knowing that this packet was sent to a Directed Broadcast IP address, translated the unicast packet it received into a broadcast packet. This is how the single Unicast packet sent by Host 1 was delivered to everyone on the 10.3.3.0/25 network.

Security

While the functionality of sending a packet to every host on a foreign network seems pretty neat. In practice, this is generally regarded as a security risk.

Directed broadcasts were invented at the dawn of computer networking, when the Internet was a much friendlier place. Back then it was simple enough to simply trust the other users on the Internet not to abuse the Directed broadcast.

However, as the Internet grew, that inherit trust of the other users went away. Currently nearly every modern operating system and router software ignore directed broadcasts.

In order to build the lab we used in this article, I had to explicitly enable responding to and processing Directed Broadcasts on the Router and the Linux hosts.

On a Cisco Router, that involved this command:

R3#  show run int eth0/0

!

interface Ethernet0/0

 mac-address eeee.1033.3333

 ip address 10.3.3.3 255.255.255.128

 ip directed-broadcast

On a Linux host, that involved changing the value of this file from 1 to 0:

Host1# cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

0

I say all this because inevitably after reading this article some of you will try to ping a foreign network’s broadcast IP, and it will likely fail. Which makes sense if you put yourself in the Network Administrator’s shoes. You wouldn’t want some random user on the Internet to be able to send a ping to every host on your network.

Summary

In this article we discussed the ideas of a Layer 2 Broadcast and a Layer 3 broadcast. We further unpacked the L3 broadcast as we dove into the concepts of the Local Broadcast and the Directed Broadcast (also called the Targeted Broadcast). To summarize those definitions:

  • Local Broadcast IP – 255.255.255.255
    • Can be used to speak to everyone on the Local network
  • Directed Broadcast – <Broadcast IP of each Subnet>
    • Can be used to speak to everyone on the Local network
    • Can be used to speak to everyone on a Foreign network