A discussion about Wake-on-LAN

Did you know that System Center Configuration Manager 2007 will include support for Wake-on-LAN?  See http://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/43092b3c-06fb-4162-b589-28f14057873c.mspx for the full details, as well as Jeff Gilbert's blog posting at http://myitforum.com/cs2/blogs/jgilbert/archive/2006/08/08/22911.aspx.

So what is Wake-on-LAN?  It's a way to send a "magic packet" to a machine that isn't powered on.  That package is received by the still-powered-up network card, and that causes the machine to be powered on.  The Wikipedia entry at http://en.wikipedia.org/wiki/Wake-on-LAN provides a good overview, and the links at the bottom provide the historical perspective.

But there is no discussion about the different ways of implementing Wake-on-LAN, or the potential security implications of each of those ways.  So let's go through those:

  • Limited broadcast.  In this case, you send a magic packet to a special TCP/IP address (; it is received by all computers on the same segment but not forwarded to computers on other segments.

  • Directed broadcast.  In this case, you have to know what subnet the computer is on (or at least where it was last known to be) and send a broadcast packet to that segment; the router or switch takes care of forwarding the packet to all the machines on the subnet.  Because of the security implications of this (see http://en.wikipedia.org/wiki/Smurf_attack for a description of the SMURF denial-of-service attack), most companies have disabled directed broadcasts.

  • Unicast.  In this case, you have to know the computer's last IP address and send the magic packet directly to that address.  As long as that IP address is still valid, and the router or switch still has cached what port that computer is attached to, the magic packet gets to the computer and it wakes up.

You can then build solutions on top of those three basic implementation types.  The most common method is to build a "relay agent".  In this situation, the agent receives a unicast request from a server (typically a TCP conversation, point-to-point), and performs a limited broadcast on its segment, e.g. Server A instructs Workstation B to wake Workstation C that is on the same segment, so B sends the magic packet.

So the agent approach can eliminate the directed broadcast security issue, but there is the added overhead of deploying those agents (not to mention that they need to be secure too, otherwise they can be "hijacked" to perform a denial-of-service attack).

Another option: Securing directed broadcast.  You can take advantage of the ability of Cisco and other routers to configure "access control lists", limiting what different hosts can do.  The router can be configured to accept directed broadcasts only from certain hosts and only certain protocols and ports.  For example, you could permit only a single server to send only UDP directed broadcasts, and only on a user-defined port.  (See the "ip directed-broadcast [access-list-number]" command in the Cisco IOS documentation.)  That would significantly reduce the potential of denial-of-service attacks as it would require that your server (the one granted access through the ACLs) be compromised, and that the attacker know which port has been opened.

Another interesting option is to not use Wake-on-LAN at all.  Intel has a new hardware feature called "iAMT" (see http://www.intel.com/technology/manage/iamt/) that uses a management processor on the motherboard (similar to what has been used in servers for several years) that you can communicate with out-of-band, even when the computer is off.  It uses HTTP (web) requests to directly talk to the computer, so no broadcasts are required.

So back to where we started: ConfigMgr 2007's support of Wake-on-LAN.  It supports both the "directed broadcast" method and the "unicast" method described above.  For many of you, that will be all you need, but there are other third-party options available too that should integrate well into ConfigMgr 2007.

Comments (2)
  1. showbox says:

    Thanks for the great info. I really loved this. I would like to apprentice at the same time as you amend your web site, how could i subscribe for a blog site?
    For more info on showbox please refer below sites:
    Latest version of Showbox App download for all android smart phones and tablets.
    http://movieboxappdownloads.com/ – It’s just 2 MB file you can easily get it on your android device without much trouble. Showbox app was well designed application for android to watch movies and TV shows, Cartoons and many more such things on your smartphone.
    For showbox on iOS (iPhone/iPad), please read below articles:
    Showbox for PC articles:
    There are countless for PC clients as it is essentially easy to understand, simple to introduce, gives continuous administration, effectively reasonable. it is accessible at completely free of expense i.e., there will be no establishment charges and after establishment
    it doesn’t charge cash for watching films and recordings. Not simply watching, it likewise offers alternative to download recordings and motion pictures. The accompanying are the strides that are to be taken after to introduce Showbox application on Android.
    The above all else thing to be done is, go to the Security Settings on your Android telephone, Scroll down and tap on ‘Obscure sources’.

Comments are closed.

Skip to main content