A smurf attack is a form of Denial of Service (DoS) attack that uses ICMP (ping) packets to flood the target. It works by spoofing the source address of the packets so that the recipients send their ping replies to a host that never asked for them, using up all available bandwidth and rendering that system unusable for other purposes. This can be accomplished through a variety of methods, including raw packet injection or tools such as Hping or Xprobe2.
Purpose Of A Smurf Attack
The purpose of a smurf attack is to occupy all available resources in the network, leaving no bandwidth for other users.
To accomplish this goal, a smurf attack sends forged packets that appear to come from the victim's IP address rather than the attacker's real one, so that the replies overload all available resources of the target computer or device. The most common way to do this is with ICMP echo requests carrying a spoofed source address.
Why Is It Called A Smurf Attack?
The smurf attack got its name from the network traffic sent by this type of attack. It appears as a large number of ICMP echo requests (pings) that all carry the spoofed source address of the victim, making it seem as if the victim is being repeatedly pinged, or "smurfed", by a large number of systems. The attack uses the broadcast IP address 255.255.255.255 to send echo requests, which is why it is called "smurf".
An additional type of smurf attack uses the same tools to send UDP packets with a spoofed (fake) source address and sends them to broadcast addresses!
This can be used for DoS attacks, but also makes it possible to take advantage of many operating systems’ vulnerability when they accept this traffic and reply back on an unexpected port. This type of attack is called a Fraggle attack. Read our article “How Can A Smurf Attack Hurt A Company?” to see more ways a smurf attack can hurt your company.
How The Smurf Attack Works
The smurf attack is a type of DoS attack. It works by sending large numbers of ping requests to the broadcast address or directed at another machine on the same network, flooding it so that it cannot respond to legitimate traffic. The attacker sends forged ICMP echo request packets from the IP address of the intended victim to an Internet Broadcast Address, which is used for network testing.
The attacker spoofs the source address of all echo requests to be the victim's IP address and sends a large number of packets across the Internet using an excessively high TTL value.
Every host on the broadcast network that receives the request answers it, so each phony packet sent can cause tens or even hundreds of real packets to be sent in response to the victim. This can have a devastating effect on the victim's machine, even rendering it unusable for a few minutes or hours if enough reply packets are generated by its own computer and neighboring machines.
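The reply storm described above, shown as detection logic a network monitor could run over sniffer output. This is an added example, not code from the article: it parses constructed tcpdump-style lines (not a real capture) and assumes /24 subnets, so any address ending in .255 is treated as a directed broadcast.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ICMP lines (not a real capture): a request whose source
# is spoofed as 10.0.0.5 hits the 10.0.0.255 directed-broadcast address, and three
# hosts on that segment answer, so every reply lands on 10.0.0.5.
SAMPLE_LINES = """\
12:00:01.000 IP 10.0.0.5 > 10.0.0.255: ICMP echo request, id 1, seq 1, length 64
12:00:01.001 IP 10.0.0.10 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:00:01.001 IP 10.0.0.11 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:00:01.002 IP 10.0.0.12 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:00:01.003 IP 10.0.0.5 > 10.0.0.255: ICMP echo request, id 1, seq 2, length 64
12:00:01.004 IP 10.0.0.10 > 10.0.0.5: ICMP echo reply, id 1, seq 2, length 64
12:00:01.004 IP 10.0.0.11 > 10.0.0.5: ICMP echo reply, id 1, seq 2, length 64
12:00:01.005 IP 10.0.0.12 > 10.0.0.5: ICMP echo reply, id 1, seq 2, length 64
12:00:02.000 IP 10.0.0.20 > 10.0.0.21: ICMP echo request, id 7, seq 1, length 64
12:00:02.001 IP 10.0.0.21 > 10.0.0.20: ICMP echo reply, id 7, seq 1, length 64
"""
LINE_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply)")

def is_broadcast(ip):
    # Limited broadcast, or a directed broadcast assuming /24 subnets (simplification).
    return ip == "255.255.255.255" or ip.endswith(".255")

def analyze(text, min_replies=5, min_sources=3):
    """Flag echo requests aimed at broadcast addresses and hosts hit by a reply
    storm from many distinct senders. The source of a broadcast request is the
    spoofed victim address, so it names who is being hit, not the attacker;
    the hosts replying name the network still answering directed broadcasts."""
    broadcast_requests = defaultdict(int)  # claimed source -> requests to broadcast
    replies_to = defaultdict(int)          # destination -> echo replies received
    reply_sources = defaultdict(set)       # destination -> distinct replying hosts
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "request" and is_broadcast(dst):
            broadcast_requests[src] += 1
        elif kind == "reply":
            replies_to[dst] += 1
            reply_sources[dst].add(src)
    victims = sorted(h for h in replies_to
                     if replies_to[h] >= min_replies and len(reply_sources[h]) >= min_sources)
    amplification = {h: replies_to[h] / broadcast_requests[h]   # replies per spoofed request
                     for h in victims if broadcast_requests.get(h)}
    return {"broadcast_requests": dict(broadcast_requests), "amplified_victims": victims,
            "amplification": amplification,
            "amplifier_hosts": {h: sorted(reply_sources[h]) for h in victims}}
```

The amplifier_hosts list is what you would report to the owner of the answering network, since the request source is the spoofed victim and not the sender.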
How To Protect Yourself From Smurf Attack?
You can protect yourself from a smurf attack by following these steps:
- Configure your router not to forward directed broadcast traffic. This is configured under the 'IP Forwarding' or 'Enable Broadcast/Multicast' section of most routers' administration screens and will stop network flooding attacks like Smurfs, Fraggles, and other types of DoS attacks that rely on directed broadcast traffic.
- Disable the ICMP Router Discovery Protocol (IRDP) if it is enabled, as this can cause routers to forward ping requests between networks. On Windows machines, open the Registry Editor (Start, type regedit and press Enter), navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, add a DWORD value called "DisableRouterDiscovery" (without the quotes) and set it to 1 to disable router discovery.
- Use firewall software that can detect this type of traffic and block accordingly.
- Many hosts can be configured to ignore echo requests from outside their network, which is an effective way of preventing the attack even if the packets are not blocked by a firewall (packets with internal source IPs will still reach them normally). Configuration varies per host: for Unix machines it is usually set in /etc/sysctl.conf and looks like: net.ipv4.icmp_echo_ignore_all = 1 (a value of 1 ignores echo requests; the usual default of 0 answers them).
- Use a network monitor or sniffer to detect the attack and record the source IP of attack packets, then report them to your ISP and/or other appropriate parties such as CERT (see below). This may cause legal problems for the attacker, but you have to balance that with your own desire for privacy.
- If you are using the Linux operating system, there is a smurf protection tool called pdbedit which can help to prevent smurf attacks. The simplest way of preventing this type of attack is by configuring your router so that it does not forward broadcast packets.
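The host-side sysctl step above, as an added example that is not the article's own code: a small parser for sysctl.conf-style text that audits a fragment like the one the article gives and writes a corrected one. The key net.ipv4.icmp_echo_ignore_broadcasts is the standard Linux control for refusing pings sent to broadcast addresses; the file contents below are constructed samples.

```python
# Audit and harden a sysctl.conf fragment for the settings that keep a Linux host
# from acting as a smurf amplifier. Key names are real Linux sysctl keys; the
# file contents are constructed for this example.
WEAK_CONF = """\
# constructed sample: mirrors the article's fragment, misspelled key and all
net.ipv.icmp_echo_ignore_all = 0
net.ipv4.ip_forward = 0
"""

# Value 1 makes the kernel drop echo requests sent to broadcast/multicast addresses,
# so this host never contributes replies to a smurf reply storm. Setting
# net.ipv4.icmp_echo_ignore_all = 1 is the article's stronger step, but it also
# silences legitimate pings, so it is left as the administrator wrote it here.
REQUIRED = {"net.ipv4.icmp_echo_ignore_broadcasts": "1"}
TYPO_KEYS = {"net.ipv.icmp_echo_ignore_all": "net.ipv4.icmp_echo_ignore_all"}

def parse_sysctl(text):
    """Return {key: value} from sysctl.conf-style text (comments and blanks skipped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings

def audit(text):
    """List the problems a reviewer would raise against the fragment."""
    s = parse_sysctl(text)
    findings = []
    for key, wanted in REQUIRED.items():
        if s.get(key) != wanted:
            findings.append(f"{key} should be {wanted} (host answers broadcast pings)")
    for bad, good in TYPO_KEYS.items():
        if bad in s:
            findings.append(f"{bad} is not a kernel key (sysctl -p reports an error); use {good}")
    return findings

def harden(text):
    """Return a corrected fragment: fix misspelled keys and add the required values."""
    s = parse_sysctl(text)
    for bad, good in TYPO_KEYS.items():
        if bad in s:
            s[good] = s.pop(bad)
    s.update(REQUIRED)
    return "".join(f"{k} = {v}\n" for k, v in sorted(s.items()))
```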
Smurf Attack Transmission And Effects
The tool for this attack is generally an application that sends ICMP packets with the "echo" request. This can be initiated by a single computer, but it is most effective when multiple computers are used to send these requests in what is called a "smurf amplifier". When executed properly, this type of attack has the ability to shut down networks and entire regions if sent at a large enough scale.
This can have a devastating effect on the victim's machine, rendering it unusable for minutes or even hours depending on how many packets are generated by its own computer and neighboring machines.
The smurf attack is a denial-of-service (DoS) technique that relies on network traffic flooding. The main way to prevent this type of attack is to configure your router so that it does not forward directed broadcast traffic. Other ways to protect yourself from smurf attacks are to use firewall software that can detect this traffic and block it accordingly, or to configure hosts to ignore echo requests from outside their network.