How To Find The Source of A Smurf Attack?

How To Find The Source of A Smurf Attack?


Let’s assume that you want to find out who is attacking your network. First of all, you have to know how a smurf attack works.

A smurf attack is a kind of assault that sends a large number of ICMP echo requests (pings) to the network’s broadcast address, with the aim of clogging the subnet and disrupting traffic flow. Ping flood or bandwidth usage attacks are examples of this sort. This article will teach you how to use Linux Traceroute, Mtr, and Arping commands to check whether someone is sending continuous pings or smurfs against your network using IP spoofing methods.How to find the source of a smurf attack?

Smurf VS Fraggle Attack

Before we start, let’s understand the difference between smurf and fraggle attacks. These two types of network-based attacks are similar in that both use spoofed broadcast ping traffic to flood a target network. The difference is in the intent:

Smurf Attack

This attack floods a target with ICMP echo (ping) requests and overwhelms it by virtue of the sheer volume of incoming packets. The attacker sends many Echo Requests using the spoofed IP address of the intended victim to the directed broadcast address [Ex:] of a subnet with hosts called “reflectors”. These reflectors then send copies or bounce back these packets to other hosts on this same subnet. Doing this makes every host on the subnet (including hosts not involved in the attack) send ICMP Echo Replies to the spoofed victim’s address, effectively creating a storm of traffic and slowing down considerably or even crashing remote systems.

Fraggle Attack

This is similar to Smurf except that it uses broadcast UDP packets instead of ping requests. Its objective is not to overwhelm a system by flooding it with useless network traffic but rather to exploit applications vulnerable to malformed or overly-broad casts. It is therefore more targeted than a “smurf attack”. In fact, from a security standpoint, this type of attack may prove more dangerous due to possible vulnerabilities within target operating systems and applications. For example, Ping does not require a reply, while UDP requests do.

Steps to Trace Smurf Attack

Trace Smurf attack in Linux

#1 Using Traceroute Command to Find Out Source of Smurf Attack in Linux

The traceroute command is used to trace the route taken by packets across an IP network. The tracepath command is similar to the traceroute program but it works more accurately and it skips host checks. While doing this test, you have to make sure that your internet connection is working properly or else you won’t get accurate results for checking the source of a smurf attack against your network. Now open the terminal application (in Debian/Ubuntu based systems) or use “Run Application” feature in Redhat systems and type following commands:

$ sudo tracepath

How do you think the above command will help in finding out whether someone is sending continuous pings or smurfs against your network? The tracepath command shows us a number of ‘hops’ that packets have had to travel through to reach and this depends upon the path between sender and destination routers which results from various routing tables across internet backbone depending on quality of route, physical distance, load on router etc…

#2 Using MTR Command To Traceroute In Linux

Mtr stands for “Matt’s Traceroute” and it is generally used as replacement of traceroute command which gives you much more information about end-to-end path between two hosts by displaying the results of ICMP packets sent to each router & host on the path. Mtr command was originally written for FreeBSD, but it works fine on Linux distributions also.

$ sudo mtr

#3 Using Arping Command To Trace Route In Linux

Arping is an arp packet generator which can be used to find out whether someone is attempting a smurf attack against your network or not. This tool generates custom ARP packets and sends them either to an IP address or hostname which you specify as an argument in this command line utility. “Arping” uses raw sockets which are usually used by applications like Nmap for sending custom ARP requests without being restricted by the system’s TCP stack limitations for generating custom ARP packets.

Trace Smurf attack in Windows

#1 Using Tracert Command To Trace Route In Windows

Tracert (or traceroute) command traces the route taken by packets to a network host and displays the time taken in milliseconds for each hop along the route. It helps us to identify which router or firewall is causing delay and also the actual location of source of smurf attack. Open Command Prompt (CMD) window and type following command:

$ tracert

#2 Using PathPing Command To Trace Route In Windows

PathPing combines functionality of Ping and Traceroute utilities into one Network Diagnostic Tool. Pathping sends multiple Echo Request messages to each router between your computer and destination. Each successive message reports information about the router or link that is traversed to get to the destination. This utility provides information about the best server in terms of latency and packet loss.

Pathping command displays results in three sections:

• The first section shows the route(s) taken by the Echo Request messages sent from source to destination host or default gateway, with additional details on packet loss (if any) at each hop.

• The second section shows the route(s) taken by returning Echo Reply messages. This section only appears if there are multiple routes back to your computer and it will show paths based on the percentage of packets lost for each router/link combination. Like tracert, this tool also gives you an option to identify which network device or firewall is causing delay or packet loss so you can take necessary steps for faster internet speed.

Pathping provides “smurf” and “broadcast” traces. The broadcast trace determines whether someone is sending smurfs against your network and it also tells how many hops the pings have traveled to reach their final destination.


Smurf attack is a denial of service attack that uses ICMP packets with a spoofed source IP address. The purpose of this kind of an attack is to overwhelm the victim machine with ICMP responses sent by all available machines on the internet which lead to degradation in network performance and it can also crash your machine if too many packets are being dropped. These kinds of DOS attacks have been one of the biggest threats on the internet since 1998 and you can use above mentioned tools for checking who is sending continuous pings or smurfs against your network as well as maximize the efficiency of your bandwidth through increased throughput, reduced latency and minimizing packet loss .

Following Article we learnt to trace the source of such attacks in Linux and windows so that we can prevent our network environment from being impacted by such attacks.

Recent Posts