How Can A Smurf Attack Hurt A Company?
A smurf attack is a DDoS attack in which the attacker sends ping (ICMP echo request) messages with a spoofed source address to the broadcast address of a network, so that every device on it receives them. These messages cause every network-connected device (PC, printer, router, etc.) to send its reply to the victim’s IP address, simultaneously and continuously. To read more about smurf attacks, read our article What Is A Smurf Attack.
In effect, the victim is flooded with replies from many systems at once. The useless traffic consumes bandwidth, degrades service quality and can completely deny legitimate users access to web pages hosted by the server under the smurf attack.
Because the traffic is generated by many machines at once, the originator can produce a far larger volume of packets than a single source could – hence the term “Distributed Denial of Service” (DDoS), which refers to the amplified rate at which packets arrive. The objective is to overload the bandwidth and resources of the targeted computer system or network and deny legitimate users access to its services (web server, FTP server, etc.).
The tool used by attackers is called a smurf amplifier. It works by sending broadcast ping messages over the ICMP protocol with the source IP address spoofed, so that all replies are sent back to the address named as the source of the original message. If you type “ping example.com” (replacing example.com with your own domain name) on Linux, Unix or Mac OS X, the output looks something like this:
PING example.com (192.168.0.5): 56 data bytes
64 bytes from 192.168.0.5: icmp_seq=0 ttl=48 time=23.743 ms
64 bytes from 192.168.0.5: icmp_seq=1 ttl=48 time=24.340 ms
64 bytes from 192.168.0.5: icmp_seq=2 ttl=48 time=25.841 ms
Here the third number (2 in the last line above) indicates how many more hops remain until the destination (example.com in this case). Each device or router along the way receives the message and sends its response directly back to the source of the original ICMP echo request.
To fill up the bandwidth and resources of a targeted system, an attacker sets this number to a high figure, such as 100.
Impact On A Company
A group of attackers can cripple a company’s servers with this attack method, which multiplies the power of a traditional DDoS attack. The effect is comparable to a hurricane hitting the coastline.
As the targeted system is flooded with large packets, it receives more than 100 times as much data as usual, which makes it extremely slow or unavailable to legitimate users. When this type of attack is performed against a web server, the result can be a complete loss of service for existing users and an effective blockade for new ones.
The smurf attack method has been around for over 10 years, but its use in combination with amplification payloads became widespread in 2014. DDoS attacks still deserve attention today because they are usually combined with other methods such as SSDP reflection (an example of an article on this topic can be found here), so organizations should implement multiple defensive measures to stay protected from them.
The “smurf amplifier” re-transmits the original message to broadcast or subnet IP addresses. This form is hazardous because it uses both sides of the communication stream – reflection and amplification.
Since each smurf request is multiplied by hundreds, even thousands, a single attacker can generate massive floods while expending very few resources. SSDP reflection uses the UPnP protocol and Internet routers designed to communicate over local area networks (LANs). Even though routers usually have protection measures in place, the UPnP vulnerability is still exploited.
Suppose you administer an Internet-facing server holding sensitive data or intellectual property that a DDoS attack would put at risk. In that case, it is advisable to protect yourself with your provider’s help. Over the years, serious providers have developed products that automatically protect their customers’ servers from smurf attacks and other types of attacks.
It only requires enabling the feature in your account settings. If you would like to know more about our anti-DDoS solution designed to stop smurf amplification attacks, contact iPguard Tech Support for assistance here.
You should monitor the traffic coming into your network and block all UDP packets. It is also essential to establish firewall rules that protect you from spoofing attacks (both the source and the destination address should be checked). You should also increase protection against SYN flood attacks, perform regular scans for open SMB ports on your servers, and take appropriate measures if any are found.
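The monitoring described above can be turned into concrete checks. The following script is an added example and is not part of the original article or of any iPguard product; it runs over a constructed ICMP packet log (the format, the “ext”/“int” interface labels and the defended prefix 203.0.113.0/24 are all assumptions for the example) and flags the three signatures a defender would look for: echo requests from outside aimed at our broadcast address (our network being abused as the amplifier), inbound packets whose source claims to be inside our own prefix (spoofing), and one host receiving echo replies from many distinct sources in a short window (our host being the victim of reflected replies).

```python
"""Smurf/ICMP-reflection detector over a packet log (added example, not the article's code)."""
import ipaddress
from collections import defaultdict

# Assumed: the network we defend; classic smurf traffic targets its broadcast address.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Constructed sample records: "timestamp iface src dst icmp_type bytes".
# iface "ext" = arrived from the Internet, "int" = originated inside.
# ICMP type 8 = echo request, type 0 = echo reply. Addresses are documentation ranges.
SAMPLE_LOG = """\
1.000 ext 198.51.100.7 203.0.113.255 8 64
1.010 ext 198.51.100.7 203.0.113.255 8 64
1.020 ext 203.0.113.9 203.0.113.255 8 64
2.000 ext 192.0.2.11 203.0.113.20 0 64
2.001 ext 192.0.2.12 203.0.113.20 0 64
2.002 ext 192.0.2.13 203.0.113.20 0 64
2.003 ext 192.0.2.14 203.0.113.20 0 64
2.004 ext 192.0.2.15 203.0.113.20 0 64
2.500 ext 192.0.2.200 203.0.113.21 0 64
5.000 int 203.0.113.5 198.51.100.50 8 64
"""


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, iface, src, dst, itype, size = line.split()
        records.append({"ts": float(ts), "iface": iface,
                        "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst),
                        "itype": int(itype), "size": int(size)})
    return records


def broadcast_echo_requests(records, prefix):
    """Sources sending echo requests from outside to our broadcast (or network) address.

    This is the amplifier-abuse signature: nothing legitimate pings a broadcast
    address from the Internet, so such packets should be dropped at the edge.
    """
    targets = {prefix.broadcast_address, prefix.network_address}
    return sorted({str(r["src"]) for r in records
                   if r["iface"] == "ext" and r["itype"] == 8 and r["dst"] in targets})


def spoofed_ingress(records, prefix):
    """Packets arriving from outside whose source address lies inside our own prefix."""
    return sorted({str(r["src"]) for r in records
                   if r["iface"] == "ext" and r["src"] in prefix})


def reply_floods(records, window=0.1, min_sources=3):
    """Destinations receiving echo replies from >= min_sources distinct hosts within `window` seconds.

    Many distinct responders converging on one of our hosts is what a reflected
    flood looks like from the victim's side. Returns {dst: peak distinct sources}.
    """
    by_dst = defaultdict(list)
    for r in records:
        if r["iface"] == "ext" and r["itype"] == 0:
            by_dst[r["dst"]].append((r["ts"], r["src"]))
    flagged = {}
    for dst, events in by_dst.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            seen = {src for t, src in events[i:] if t - t0 <= window}
            peak = max(peak, len(seen))
        if peak >= min_sources:
            flagged[str(dst)] = peak
    return flagged


def potential_responders(prefix):
    """Upper bound on hosts that could answer one broadcast ping (network and broadcast addresses excluded)."""
    return prefix.num_addresses - 2


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("broadcast echo requests from:", broadcast_echo_requests(RECORDS, OUR_PREFIX))
    print("spoofed ingress sources:", spoofed_ingress(RECORDS, OUR_PREFIX))
    print("reply floods:", reply_floods(RECORDS))
    print("max amplification from one broadcast:", potential_responders(OUR_PREFIX))
```

Each check maps to one of the article’s recommendations: the broadcast and spoofing checks correspond to the firewall rules that validate source and destination addresses, and the reply-flood check is the traffic monitoring that tells you a reflected attack is in progress. The window and source-count thresholds are starting values; tune them to the reply rate your hosts normally see.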
Unfortunately, no simple solution can protect you from being targeted by DDoS attacks of this magnitude. It is important to note that using DNS (Domain Name Service) can make your servers more vulnerable, because it gives attackers access to different protocols and makes them harder to track down on the Internet.
The best bet for companies that want to prevent smurf amplification attacks against their web server is to look for the anti-DDoS protection capabilities offered by Internet service providers (ISPs). Unfortunately, independent help is not easy to find if you are on your own, so online forums are an excellent place to start looking for a provider able to protect your server from attacks.