Owners of a Windows Server 2003 system may have noticed that their server’s smurf.log file is filling up with entries similar to this:
2008-08-20 21:28:57 1 GBP nt05 Smurf DNS 0xF4EEA8C0 UDP 188.8.131.52 32001 DYNAMIC VICTIM
In other words, all the servers on your network just got pinged and asked to send a response back to an address that doesn’t exist! If you own such a server and don’t know what it means, then you could soon find yourself in trouble.
You see, hackers use many techniques to determine if there are any live systems behind NAT (Network Address Translation) on your network. If you own one of those systems, the hacker will try to do something terrible.
And that is where smurf attacks come in. The name has nothing to do with the famous blue characters from a favorite TV show, so don’t worry about being attacked by any flying pineapples.
A smurf attack is a form of DoS (Denial of Service) that overloads bandwidth inside a network by having many different systems flood one system, making it almost impossible for others within the same network to communicate normally. To read more about what exactly a smurf attack is, read our article “What Is A Smurf Attack?”.
This attack goes under the radar, and all the hackers need is for you not to know about its existence! To avoid such an unpleasant situation, take a few minutes now and read this article carefully. You’ll find out what smurf attacks are, how they work and why they’re so dangerous as well as how you can recognize whether or not your system is vulnerable to them.
Appearance in Event Viewer
If you ever see the following “Event ID” in your Windows Server System Event Log:
Source: Srv
Event ID: 7001
Task Category: None
Level: Warning
Number of Instances: 37185
This Might Appear Because
- The DNS server has sent notifications of a general failure.
- A packet was received outside the allowed window.
- The packet would have been forwarded, but it is a broadcast or multicast, and the server is not configured for forwarding those packets. An incorrect network adapter configuration may cause this. Check your network connection settings and the computer configuration in System Properties.
- A packet was dropped because the DNS server terminated a connection. This could indicate an overload, a down network segment, or other problems, such as a flapping link.
If you see this event in your system log (it will appear around 20 times if you are hit by a smurf attack), then you’re in trouble, and we strongly recommend that you read the rest of this article.
Why Is It Happening?
Well, hackers find systems behind NAT by sending out requests to broadcast addresses and then listening for responses from the systems that answer these broadcasts (how NAT works, and why broadcast response packets help locate other servers on your network, is covered in a separate article).
Once they find a system behind NAT, the first thing hackers will often do is to send tons of requests to it at regular intervals (using specially crafted UDP or ICMP packets).
Well, one of the reasons for this is that these systems usually allow broadcasts through their routers – which means that many other computers on your network can see these requests and start sending replies back. By doing so, they are helping the attacker find other servers on your network! You could say that hackers use “smurf attacks” as a general technique to discover what machines are available on the internet side of your router.
Of course, there’s no way to know who’s attacking you, because once an answer gets sent back by one of the many computers on your network (and this happens before the request reaches your system), it becomes impossible to tell where these requests came from. To read more about why it happens, read our article “What Is The Purpose Of A Smurf Attack”.
Impact Inside The Network
Once they discover another computer behind NAT, hackers will usually try to break through its security and start doing all sorts of bad things like uploading malicious software or stealing passwords – but smurf attacks themselves only consist of pinging systems with packets that are spoofed to have the source address of the victim.
This means that all kinds of traffic are being sent to your computer, both good and bad. Therefore, if hackers discover other servers on your network that are centrally located (for example, by their IP address), you’ll find yourself in trouble because smurfs can quickly turn into a DDoS attack against one computer in your network.
As if all this wasn’t enough – smurf attacks can also cause problems because of the load they generate on your system, especially if it’s an older machine or you’ve restricted the rate at which your internet connection allows packets to be sent out (for example, by sharing bandwidth through QoS).
If this is the case, then such a denial of service attack can make it impossible for anyone on your network to reach any other computer on the internet. Imagine yourself trying to browse some websites and getting “Server not found” errors all over the place.
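The two sides of the attack described in the sections above (your network answering a spoofed broadcast ping as the amplifier, and one of your hosts being buried under replies as the victim) can both be spotted from a single capture taken at your gateway. The following detector is an added example written for this article, not code from the original page or any product it mentions; it assumes a simplified, constructed capture line format ("<time> ICMP <src> <dst> <icmp-type>"), a local subnet of 192.0.2.0/24 (a documentation range, to be replaced with your own), and sample lines that are constructed rather than real traffic.

```python
"""Detect the two faces of a smurf attack in ICMP traffic captured at a
network gateway: (1) directed-broadcast echo requests arriving from outside,
meaning the local network is being used as an amplifier, and (2) floods of
unsolicited echo replies from many distinct hosts to one local address,
meaning a local host is the victim whose address was spoofed.

Added example: the line format, subnet and addresses are constructed.
"""
import ipaddress
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "ts proto src dst icmp_type")

# Assumed local subnet (RFC 5737 documentation range); replace with your own.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample capture: "<time> ICMP <src> <dst> <icmp-type>".
# Line 1 is an outside host pinging our broadcast address; lines 2-4 are our
# hosts dutifully answering (amplifier). Lines 7-10 are replies to 192.0.2.20
# that it never asked for (victim). The rest is ordinary, solicited traffic.
SAMPLE_CAPTURE = """\
21:28:57.001 ICMP 203.0.113.9 192.0.2.255 echo-request
21:28:57.002 ICMP 192.0.2.10 203.0.113.9 echo-reply
21:28:57.003 ICMP 192.0.2.11 203.0.113.9 echo-reply
21:28:57.004 ICMP 192.0.2.12 203.0.113.9 echo-reply
21:28:58.000 ICMP 192.0.2.10 198.51.100.77 echo-request
21:28:58.020 ICMP 198.51.100.77 192.0.2.10 echo-reply
21:28:59.001 ICMP 198.51.100.1 192.0.2.20 echo-reply
21:28:59.002 ICMP 198.51.100.2 192.0.2.20 echo-reply
21:28:59.003 ICMP 198.51.100.3 192.0.2.20 echo-reply
21:28:59.004 ICMP 198.51.100.4 192.0.2.20 echo-reply
21:29:00.000 ICMP 192.0.2.1 192.0.2.255 echo-request
"""


def parse_capture(text):
    """Parse the constructed capture format into Record tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, proto, src, dst, icmp_type = parts
        records.append(Record(ts, proto, ipaddress.ip_address(src),
                              ipaddress.ip_address(dst), icmp_type))
    return records


def find_directed_broadcast_pings(records, local_net=LOCAL_NET):
    """Amplifier view: echo requests aimed at our broadcast address from a
    source outside our subnet. No legitimate outside host needs to do this;
    the source is almost certainly the spoofed address of the intended victim.
    Returns a list of (timestamp, source) pairs."""
    hits = []
    for r in records:
        if (r.proto == "ICMP" and r.icmp_type == "echo-request"
                and r.dst == local_net.broadcast_address
                and r.src not in local_net):
            hits.append((r.ts, str(r.src)))
    return hits


def find_unsolicited_reply_floods(records, local_net=LOCAL_NET, threshold=3):
    """Victim view: echo replies to a local host from many distinct senders
    that the host never pinged. Returns {victim: sorted senders} for victims
    with at least `threshold` distinct unsolicited senders."""
    requested = set()              # (local src, remote dst) pairs we actually pinged
    unsolicited = defaultdict(set)
    for r in records:              # capture lines are in time order
        if r.proto != "ICMP":
            continue
        if r.icmp_type == "echo-request" and r.src in local_net:
            requested.add((r.src, r.dst))
        elif r.icmp_type == "echo-reply" and r.dst in local_net:
            if (r.dst, r.src) not in requested:
                unsolicited[r.dst].add(r.src)
    return {str(victim): sorted(str(s) for s in senders)
            for victim, senders in unsolicited.items() if len(senders) >= threshold}


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("amplifier triggers:", find_directed_broadcast_pings(recs))
    print("victim floods:", find_unsolicited_reply_floods(recs))
```

On the sample data the first check reports the outside host 203.0.113.9 pinging 192.0.2.255, and the second reports 192.0.2.20 receiving replies from four hosts it never contacted; the internal broadcast ping from 192.0.2.1 and the solicited reply from 198.51.100.77 are correctly ignored. The `threshold` keeps a single stray reply from raising an alert; tune it to the size of the subnet you expect to be abused.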