If you are using subnet-directed broadcast as the transmission method for sending wake-up packets, all intervening routers between the primary site server and client computers must allow IP-directed broadcasts. To help mitigate the security risks associated with this configuration, take these additional configuration steps:

  1. Configure Wake On LAN in Configuration Manager 2007 to use a nondefault port number.

  2. Configure routers to allow IP-directed broadcasts only from the site server, and only on the nondefault port number you configured in Configuration Manager 2007.

The security risks associated with subnet-directed broadcasts are that an attacker could send continuous streams of Internet Control Message Protocol (ICMP) echo requests from a falsified source address to the directed broadcast address, causing all the hosts to reply to that source address. This type of denial of service attack is commonly called a smurf attack and is typically mitigated by not allowing subnet-directed broadcasts.
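The two configuration steps above amount to one router filter rule. The following added example (not part of the original documentation) models that rule in Python and applies it to constructed packets, including the ICMP-to-broadcast pattern described in the previous paragraph. The site server address, port 40009, and the client subnets are assumed values.

```python
import ipaddress
from typing import NamedTuple, Optional

# Assumed values for illustration; substitute your own.
SITE_SERVER = ipaddress.ip_address("192.0.2.10")
WOL_PORT = 40009  # nondefault UDP port configured for Wake On LAN
CLIENT_SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.20.0/24", "10.1.30.0/23")]

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str            # "udp" or "icmp"
    dport: Optional[int]  # None for ICMP

def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of a client subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in CLIENT_SUBNETS)

def router_decision(pkt: Packet) -> str:
    """Return 'route', 'forward-broadcast' or 'drop' for one packet."""
    if not is_directed_broadcast(pkt.dst):
        return "route"  # ordinary unicast, outside this rule
    allowed = (
        ipaddress.ip_address(pkt.src) == SITE_SERVER
        and pkt.proto == "udp"
        and pkt.dport == WOL_PORT
    )
    return "forward-broadcast" if allowed else "drop"

# Constructed sample traffic.
SAMPLES = [
    Packet("192.0.2.10", "10.1.20.255", "udp", 40009),    # site server wake-up
    Packet("192.0.2.10", "10.1.20.255", "udp", 12345),    # right source, wrong port
    Packet("203.0.113.7", "10.1.20.255", "icmp", None),   # echo request to broadcast
    Packet("198.51.100.5", "10.1.31.255", "udp", 40009),  # right port, wrong source
    Packet("192.0.2.10", "10.1.30.255", "udp", 40009),    # host address inside the /23
]

def dropped(packets):
    """Packets the rule would drop; worth logging as possible abuse."""
    return [p for p in packets if router_decision(p) == "drop"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(router_decision(p), p)
```

Note that 10.1.30.255 is an ordinary host address in the /23 subnet, so the broadcast test must use each subnet's actual mask rather than matching on a trailing .255.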

