Secure Routers for Subnet-Directed Broadcasts for Wake On LAN

Applies to: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

If you use subnet-directed broadcasts as the transmission method for sending wake-up packets, every router between the primary site server and the client computers must allow IP-directed broadcasts. To help mitigate the security risks associated with this configuration, take these additional configuration steps:

  1. Configure Wake On LAN in Configuration Manager 2007 to use a nondefault port number.

  2. Configure routers to allow IP-directed broadcasts only from the site server, and only on the nondefault port number you configured in Configuration Manager 2007.

The security risk associated with subnet-directed broadcasts is that an attacker could send continuous streams of Internet Control Message Protocol (ICMP) echo requests from a falsified source address to the directed broadcast address, causing all the hosts to reply to that source address. This type of denial of service attack is commonly called a smurf attack and is typically mitigated by not allowing subnet-directed broadcasts.
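To confirm that routers enforce the restriction from step 2, you can audit flow records for traffic addressed to subnet broadcast addresses. The following is an added example, not part of the original documentation; the site server address, port number, client subnets, and flow-record format are all assumptions made for illustration.

```python
import ipaddress

# Assumed values for illustration (not from the original page).
SITE_SERVER = ipaddress.ip_address("192.0.2.10")
WOL_PORT = 40009  # hypothetical nondefault Wake On LAN port
CLIENT_SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.20.0/24", "10.1.32.0/22")]
# The directed broadcast address depends on each subnet's mask.
BROADCASTS = {net.broadcast_address for net in CLIENT_SUBNETS}

# Constructed flow records: "src dst proto dport" (dport is "-" for ICMP).
SAMPLE_FLOWS = """\
192.0.2.10 10.1.20.255 udp 40009
192.0.2.10 10.1.35.255 udp 40009
198.51.100.7 10.1.20.255 icmp -
192.0.2.10 10.1.20.255 udp 9
203.0.113.5 10.1.35.255 udp 40009
192.0.2.10 10.1.20.44 udp 40009
192.0.2.10 10.1.33.255 udp 40009
"""

def classify(line):
    """Return a verdict for one flow record against the step 2 policy."""
    src, dst, proto, dport = line.split()
    if ipaddress.ip_address(dst) not in BROADCASTS:
        return "not-directed-broadcast"
    if proto != "udp":
        # ICMP echo to a directed broadcast address is the smurf pattern.
        return "violation: non-UDP directed broadcast"
    if ipaddress.ip_address(src) != SITE_SERVER:
        return "violation: source is not the site server"
    if int(dport) != WOL_PORT:
        return "violation: unexpected destination port"
    return "allowed"

def audit(flows):
    """Classify every non-empty record; returns (record, verdict) pairs."""
    return [(l, classify(l)) for l in flows.splitlines() if l.strip()]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:45} {record}")
```

Any violation that appears in records captured on the client side of a router indicates that the router is forwarding directed broadcasts it should have dropped.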

See Also

For additional information, see Configuration Manager 2007 Information and Support.