On What OSI Layer Does A Smurf Attack Happen?


Introduction:

Routers from Cisco and Juniper, like any other IP host, can be overwhelmed by a denial-of-service attack that floods them with Internet Control Message Protocol (ICMP) echo request and echo reply packets.

A Smurf attack is an IP spoofing technique: the attacker sends ICMP echo requests whose source address is forged to be the victim's to the directed broadcast address of some third-party network, the amplifier. Every host on that network that answers the broadcast sends an ICMP echo reply to the forged source, so the victim receives one reply per responding host for every request the attacker sent. That amplification turns a single attacker's modest bandwidth into a distributed denial-of-service flood.

Impact on the Data Link layer:

Despite what is sometimes claimed, Smurf is not performed at the Data Link layer, on Cisco IOS devices or anywhere else. The attack is carried in IP and ICMP, both Network layer (Layer 3) protocols. The Data Link layer is involved only at the last hop: when a router forwards an IP directed broadcast onto a LAN, it puts the packet in a frame addressed to the Layer 2 broadcast address (ff:ff:ff:ff:ff:ff on Ethernet), which is how every host on the segment comes to receive it. The Cisco IOS setting that decides whether that forwarding happens, ip directed-broadcast, is an interface-level IP setting, not a Layer 2 one.

Cisco Systems' security response team has published an advisory describing this attack against Cisco routers; the mechanism it describes is the same one: ICMP echo requests with spoofed source addresses sent to broadcast addresses.

The requests are addressed to a publicly routable directed broadcast address, so the router at the edge of that network forwards them onto the LAN and every host there answers with its own echo reply, addressed to the spoofed source.

The result is that the attacker has to send only a few packets with spoofed source addresses to mount a distributed denial-of-service attack against the target, because every host on the amplifier network replies to each one, and the victim sees the flood arriving from those hosts rather than from the attacker.

Derivation of the name:

The name comes from the original exploit program, smurf.c, which circulated in 1997 and was itself named after the cartoon Smurfs: a crowd of small, identical things that together overwhelm one target. The attack is most often carried out by sending large numbers of ICMP echo requests, the packets used by the ping command, to a network's directed broadcast address, the address in which every host bit of the prefix is set to one (for 198.51.100.0/24 that is 198.51.100.255). This has nothing to do with the private address ranges. An ICMP echo request is normally sent to the unicast address of a single host; it is meant as a debugging aid for administrators and a connectivity test for users. When it is sent to the broadcast address instead, every host on that network receives it, and every host that answers does so with its own echo reply.

On What OSI Layer Does A Smurf Attack Happen?

Smurf works at Layer 3, the Network layer, because it is carried entirely in IP and ICMP. The attacker, somewhere on the Internet, sends echo requests to the directed broadcast address of a remote network, with the victim's address as the source. The router at the edge of that network, if it forwards directed broadcasts, delivers the packet onto the segment as a link-layer broadcast, and every host on the segment that answers broadcast pings sends an echo reply to the victim. One request can therefore produce as many replies as there are live hosts on the segment, easily a hundred or more on a busy /24, and the attack is launched simply by sending a steady stream of such spoofed requests to one or more amplifier networks. The effect is a reflection and amplification attack: a small number of spoofed packets creates a large flow of legitimate-looking replies to the target, none of which carry the attacker's address.

Every reply is addressed to the spoofed source, so the victim's link fills with echo replies while the amplifier network's own traffic spikes as well, and the combined effect is a distributed denial of service. Smurf is an amplification attack because the amount of data the attacker sends is small compared with what the victim receives: the amplification factor equals the number of hosts on the broadcast segment that answer, so one request to a segment with a few hundred live hosts yields a few hundred replies, each the same size as the request.
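To make the Layer 3 nature concrete, here is an added example (not code from the original article) that builds the exact packet a Smurf attacker sends, an IPv4 header carrying an ICMP echo request, with the victim's address forged as the source and the amplifier network's directed broadcast address as the destination, then parses it back the way a router or IDS would. Only bytes are constructed; nothing is sent on a socket. The addresses are made up from the RFC 5737 documentation ranges, and the packet layout and checksum follow RFC 791, RFC 792 and RFC 1071.

```python
"""Added example, not code from the original article: construct the Layer 3
packet a Smurf attacker sends (IPv4 header + ICMP echo request) and parse it back.
Only bytes are built; nothing is sent. All addresses are made up (RFC 5737)."""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8


def directed_broadcast(network: str) -> str:
    """Directed broadcast address of a prefix: every host bit set to one."""
    return str(ipaddress.ip_network(network, strict=False).broadcast_address)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IPv4 and ICMP headers.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd lengths, as the RFC does
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int = 0x1234,
                       seq: int = 1, payload: bytes = b"smurf") -> bytes:
    """Raw IPv4 packet carrying an ICMP echo request. No OS socket is involved,
    so `src` is whatever the caller writes: that is what makes spoofing trivial."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(icmp),   # version/IHL, ToS, total length
                     0, 0, 64, 1, 0,            # id, flags/frag, TTL, proto=ICMP, cksum=0
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def build_smurf_packet(victim: str, amplifier_net: str) -> bytes:
    """The Smurf packet: source forged as the victim, destination the amplifier
    network's directed broadcast. Every host that answers replies to the victim."""
    return build_echo_request(src=victim, dst=directed_broadcast(amplifier_net))


def parse(packet: bytes) -> dict:
    """Decode the fields a router or IDS looks at, and verify both checksums."""
    (ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp_type, icmp_code = struct.unpack("!BB", packet[ihl:ihl + 2])
    return {"src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)),
            "ttl": ttl, "proto": proto, "total_len": total_len,
            "icmp_type": icmp_type, "icmp_code": icmp_code,
            "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
            "icmp_checksum_ok": inet_checksum(packet[ihl:total_len]) == 0}


def is_smurf_request(packet: bytes, local_net: str) -> bool:
    """Amplifier-side check: an ICMP echo request addressed to our own directed
    broadcast address. Its source is the intended victim, not the sender."""
    p = parse(packet)
    return (p["proto"] == 1 and p["icmp_type"] == ICMP_ECHO_REQUEST
            and p["dst"] == directed_broadcast(local_net))


if __name__ == "__main__":
    pkt = build_smurf_packet(victim="203.0.113.7", amplifier_net="198.51.100.0/24")
    print(parse(pkt))
    print("smurf request?", is_smurf_request(pkt, "198.51.100.0/24"))
```

Nothing in the packet identifies the real sender: the only address fields are the forged source and the broadcast destination, which is why a router at the amplifier's edge should decide on the destination alone and drop directed broadcasts arriving from outside.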

Conclusion:

A Smurf attack is a denial-of-service attack in which the attacker sends ICMP echo requests carrying the victim's address as the source to the directed broadcast address of one or more networks. Each host on the destination network that receives the broadcast replies independently, and all of those replies go to the victim rather than to the host that actually sent the request. The amplifier network is an unwitting participant: its only fault is that its router forwards directed broadcasts from outside and its hosts answer broadcast pings.

Attackers launch the attack by spoofing the victim's address in the source field of the IP packet, so that every host on the amplifier network replies to the target and overloads it with useless traffic. The name comes, via the smurf.c exploit, from the Smurfs, the small blue creatures living in mushroom-shaped houses that first appeared in comics in 1958.

Smurf attacks are hard to trace because the packets that reach the victim are genuine echo replies from many legitimate hosts on the amplifier networks; the attacker's own address never appears, and the spoofed requests can only be traced hop by hop from the amplifier network's upstream routers. The durable fix is therefore on the amplifier side: routers must not forward directed broadcasts (RFC 2644; on Cisco IOS this is no ip directed-broadcast, the default since IOS 12.0), hosts should ignore echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1, the default), and ISPs should drop packets with spoofed sources at their edge (ingress filtering, BCP 38). The victim, for its part, can only rate-limit or drop inbound ICMP echo replies upstream of its own link.
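As an added example (not part of the original article), the following code shows how both sides of a Smurf attack look in flow records, and why the attacker is hard to trace: the amplifier sees an echo request to its broadcast address carrying someone else's source, while the victim sees a burst of echo replies it never asked for, coming from many legitimate hosts. All flow records are constructed for this example, the field layout is an assumption, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Added example, not code from the original article: detect a Smurf attack from
flow records on the amplifier side and on the victim side, then group the
replying hosts by network. Every flow below is constructed, not captured."""
import ipaddress
from collections import defaultdict
from typing import List, NamedTuple

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


class Flow(NamedTuple):
    ts: float        # seconds since start of the record (assumed field layout)
    src: str
    dst: str
    proto: int       # 1 = ICMP, 6 = TCP
    icmp_type: int   # meaningful only when proto == 1


# Constructed records. The attacker (never seen) spoofs 203.0.113.7 towards two
# amplifier networks whose hosts all answer the victim; plus one legitimate ping.
SAMPLE_FLOWS: List[Flow] = [
    Flow(0.00, "203.0.113.7", "198.51.100.255", 1, ICMP_ECHO_REQUEST),   # as seen by the amplifier
    *[Flow(0.01 + i / 100, f"198.51.100.{10 + i}", "203.0.113.7", 1, ICMP_ECHO_REPLY) for i in range(6)],
    *[Flow(0.10 + i / 100, f"192.0.2.{20 + i}", "203.0.113.7", 1, ICMP_ECHO_REPLY) for i in range(3)],
    Flow(5.00, "203.0.113.9", "8.8.8.8", 1, ICMP_ECHO_REQUEST),          # a normal ping ...
    Flow(5.02, "8.8.8.8", "203.0.113.9", 1, ICMP_ECHO_REPLY),            # ... and its reply
    Flow(5.10, "203.0.113.9", "198.51.100.80", 6, -1),                   # unrelated TCP flow
]


def echo_requests_to_broadcast(flows: List[Flow], local_nets: List[str]) -> List[Flow]:
    """Amplifier-side check: echo requests addressed to one of our directed
    broadcast addresses. If we forward them, every host here answers `src`."""
    bcasts = {str(ipaddress.ip_network(n, strict=False).broadcast_address) for n in local_nets}
    return [f for f in flows
            if f.proto == 1 and f.icmp_type == ICMP_ECHO_REQUEST and f.dst in bcasts]


def unsolicited_reply_floods(flows: List[Flow], min_sources: int = 5,
                             window: float = 2.0) -> dict:
    """Victim-side check: echo replies that answer no request we sent, arriving
    from at least `min_sources` distinct hosts within `window` seconds.
    Returns {victim: sorted list of every host that sent unsolicited replies}."""
    asked = {(f.src, f.dst) for f in flows
             if f.proto == 1 and f.icmp_type == ICMP_ECHO_REQUEST}
    by_victim = defaultdict(list)
    for f in flows:
        if (f.proto == 1 and f.icmp_type == ICMP_ECHO_REPLY
                and (f.dst, f.src) not in asked):      # no matching request
            by_victim[f.dst].append(f)
    floods = {}
    for victim, replies in by_victim.items():
        replies.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(replies)):                # sliding time window
            while replies[end].ts - replies[start].ts > window:
                start += 1
            if len({f.src for f in replies[start:end + 1]}) >= min_sources:
                floods[victim] = sorted({f.src for f in replies})
                break
    return floods


def amplifier_networks(sources: List[str], prefixlen: int = 24) -> dict:
    """Group the replying hosts by prefix. These are the networks to contact:
    the attacker's address is in none of the flows, and only the amplifier's
    upstream can trace the spoofed requests hop by hop."""
    counts = defaultdict(int)
    for ip in sources:
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return dict(counts)


if __name__ == "__main__":
    print("amplifier view:", echo_requests_to_broadcast(SAMPLE_FLOWS, ["198.51.100.0/24"]))
    floods = unsolicited_reply_floods(SAMPLE_FLOWS)
    for victim, hosts in floods.items():
        print("victim view:", victim, "<-", amplifier_networks(hosts))
```

The victim-side check deliberately keys on replies with no matching request rather than on ICMP volume alone, so a host that is simply pinging a lot is not flagged; the amplifier-side check is the one that can stop the attack, and it is also the one that never fires on a network whose router already drops directed broadcasts.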
