What Is A Smurf Attack?



The ‘Smurf’ portion of the name comes from “smurf”, another term used for small attacks. When large numbers of pings are sent using spoofed return addresses, they can overwhelm networks, in particular because of the networks’ limited ability to handle broadcast traffic. This can be very disruptive when it happens in a legitimate business environment.

A smurf attack is a form of DoS (Denial of Service) that overloads bandwidth inside a network by many different systems flooding one system, making it almost impossible for others within the same network to communicate appropriately. It sends large amounts of ICMP packets with the source address spoofed to appear as the IP address of the intended victim. 

This attack can often be more effective than a similar SYN flood because many modern routers and firewalls block incoming packets with a TCP (SYN) flag set. A smurf attack does not need to use this flag and works regardless of the router configuration.

What Smurf Attacks Do

With a smurf attack, the attacker spoofs the source address so that all of the replies come from the intended victim instead of from the original sender, as they usually would. The downstream network then sees all of these responses as coming from one system on their network and starts sending requests faster than it can process them. The built-up traffic eventually fills up all available upstream bandwidth and will cause problems for other users on that network until the attack stops.

What Do Smurf Attacks Look Like?

The easiest way to understand what a smurf attack looks like is to simulate one. Using your favourite operating system and an Internet connection, you can easily create smurf packets using this command:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

You will need root access in order to run the above command, which should be saved as a script and executed anytime your machine reboots. This sends back ‘ICMP port unreachable’ messages whenever an ICMP type 8 packet (Echo Request). You can verify that you are sending these messages by attempting to ping your external IP address from an Internet host.

Once you have this setup, the only thing left is to wait for an unwitting victim to ping you. They need not ping you directly, as many programs will attempt this by default when they have network problems. It does not matter how large or small their packets are or how often they send them; your script will happily respond to all ICMP echo requests regardless of these factors.

Impact Of Smurf Attacks On The User’s System

Your computer may become very slow after several minutes of running the above command, and there’s a good chance that other machines on your network will also begin responding to pings (in addition to yours). You can verify that this is happening by attempting to ping a remote host from your machine. 

For example, if you have a web server on the same network as your personal computer, you could try:

$ ping -c 2 www.google.com

Assuming that this successfully pings Google’s web server and that it does not receive any errors back from Internet hosts outside of your network, you can be sure that packets are being sent from your system as a result of the smurf script you executed earlier.

What It Looks Like On The Command Line

You may notice several ICMP ECHO REPLY packets coming from your computer along with one or more TCP RESET packets after running the above command for a while (much like those shown below). These packets respond to the smurf attack and indicate that your computer is successfully performing its task.

1 22:59:35 IPTables_IcmpEchoReply [11] from 192.168.0.99 icmp_seq=5

22:59:35 TCPv4Reset 192.168.0.99:1044 192.168.0.3:80 56  tcpflags=reset   sport=1045   dport=80  use=1

Interpreting this data, we can see that it was sent by iptables (version 1) running on a Linux operating system (the distro is most likely Debian) at 11:59 pm on December 15th, 2016. It was received by 192.168.0.3 and sent to port 80 (which is most likely the destination for the ping request we sent). The sender’s system uses the IP address 192.168.0.99 and TCP sequence number 5 (TCP seq 5), indicating that packets from this source will arrive immediately after it in numerical order (at least up to seq 6).

On a standard connection, you would see several of these packets spread out over time; however, when performing a smurf attack, there should only be one or two of them arriving in quick succession.

Impact On Your Network

The victim of a smurf attack will probably not notice anything amiss on their end, as long as their system is not configured to send ICMP type 8 packets (Echo Request) on its own. Most systems are not configured this way by default and will ignore all of the echo requests coming from your computer. However, other Internet users may notice a sudden increase in network traffic destined for a broadcast address on a remote network.

The purpose of a smurf attack is to flood an Internet host with thousands upon thousands of unsolicited packets that it would otherwise have no reason or ability to respond to. This can cause general slowness on some networks and can even take specific servers temporarily offline if they do not have sufficient bandwidth to handle such massive amounts of data.
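An added example (not part of the original article) of how a defender could spot this pattern in ICMP records: echo requests aimed at a monitored broadcast address, followed by many more echo replies than requests arriving at the claimed source. The record format, the monitored subnet and the `reply_ratio` threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not from the article): "time src dst icmp_type".
# ICMP type 8 is an echo request, type 0 is an echo reply.
SAMPLE = """\
10:00:01 203.0.113.7 198.51.100.255 8
10:00:01 198.51.100.10 203.0.113.7 0
10:00:01 198.51.100.11 203.0.113.7 0
10:00:01 198.51.100.12 203.0.113.7 0
10:00:02 192.0.2.5 198.51.100.20 8
10:00:02 198.51.100.20 192.0.2.5 0
10:00:03 203.0.113.7 198.51.100.255 8
10:00:03 198.51.100.10 203.0.113.7 0
10:00:03 198.51.100.11 203.0.113.7 0
"""

# Assumption: the subnets whose broadcast addresses are being monitored.
MONITORED = [ipaddress.ip_network("198.51.100.0/24")]
BROADCASTS = {net.broadcast_address for net in MONITORED}


def parse(text):
    """Yield (src, dst, icmp_type) for each well-formed record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, src, dst, icmp_type = parts
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(icmp_type)


def analyze(text, reply_ratio=2.0):
    """Return (broadcast_pings, suspected_victims).

    broadcast_pings: claimed source -> echo requests sent to a broadcast address.
    suspected_victims: claimed source -> (requests, replies) when the replies
    reaching that address are at least reply_ratio times the requests.
    """
    to_broadcast, replies_to = Counter(), Counter()
    for src, dst, icmp_type in parse(text):
        if icmp_type == 8 and dst in BROADCASTS:
            to_broadcast[str(src)] += 1
        elif icmp_type == 0:
            replies_to[str(dst)] += 1
    victims = {host: (n, replies_to[host]) for host, n in to_broadcast.items()
               if replies_to[host] >= reply_ratio * n}
    return to_broadcast, victims
```

On the sample, the ordinary ping between 192.0.2.5 and 198.51.100.20 is not flagged, while 203.0.113.7 is reported with 2 broadcast requests and 5 replies.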

Conclusion

A smurf attack is a type of Denial-of-Service (DoS) attack in which an attacker sends ICMP echo requests (pings) to the broadcast address of IP networks, thereby overloading and saturating them. This can be accomplished by spoofing the source address of these broadcasts so that all echo replies go back to the victim of the attack rather than the intended receiver. This is possible through a mechanism known as IP fragmentation, in which packets with a size larger than or equal to 576 bytes are automatically divided into two separate parts for more efficient routing over an Internet Protocol network (like the internet).

The result is that all of your internal traffic will be sent to the victim, thereby taking up all connections and bandwidth on their end until they can no longer function normally.

Smurf attacks are considered DoS attacks because they prevent small networks from using any services provided by large ones. Although most systems responsible for receiving pings would likely ignore them anyway due to their spoofed nature, nobody wants to have their network taken down by random pings.

It’s also worth mentioning that smurf attacks can be prevented on a network-wide level by configuring routers and switches not to forward broadcast packets. This, however, is only effective if the router/switch in question sits between both of the systems involved in an attack. Otherwise, there would still be no way of stopping IP spoofing on local networks (also known as “packet sniffing”) without using some kind of authentication system such as Internet Protocol Security (IPSec).
