When was the first Smurf Attack?
The attack takes its name from “smurf”, a program written by Dan Moschuk, known online as TFreak, and released in 1997. The tool sent ICMP echo requests with a forged source address to the broadcast addresses of poorly configured networks, so that every host on those networks answered the forged address at once. Attacks built on it against ISPs and universities were widely reported in late 1997 and 1998, and CERT published advisory CA-1998-01, “Smurf IP Denial-of-Service Attacks”, in January 1998. Smurf is now the textbook example of a reflection and amplification denial-of-service attack.
What is a “smurf” attack?
- A smurf attack is a denial-of-service (DoS) attack in which the attacker sends a stream of Internet Control Message Protocol (ICMP) echo request packets (“pings”) whose source address has been forged to be the victim’s, addressed to the broadcast addresses of third-party networks. Every host on those networks that answers the broadcast sends its echo reply to the forged source, so the victim is buried in replies and its connection bandwidth is exhausted.
- The goal is the same as for any DoS attack: make the target unavailable. The machines that do the flooding are not compromised and are not part of a botnet. They are ordinary hosts on networks whose routers forward directed broadcasts and whose hosts answer pings sent to the broadcast address. Such a network is called a smurf amplifier (or reflector), and its owners are usually unaware they are taking part.
- Because one request to a broadcast address draws one reply from every responding host on that subnet, the attacker’s traffic is multiplied by the number of hosts on each amplifier network, often dozens to hundreds of times. The attacker needs no access to the amplifier networks and very little bandwidth, only the ability to forge the source address of the packets it sends. On typical home and small-business networks of the period, most hosts answered broadcast pings.
Why is it called a smurf attack?
The name comes from smurf, the original attack program. The usual explanation is that, like the small cartoon characters, each ICMP echo packet is tiny on its own but causes big trouble in large numbers: a single spoofed request turns into a swarm of replies aimed at the victim.
In the early days of the commercial Internet, most routers forwarded directed broadcasts by default, so a packet sent from outside to a subnet’s broadcast address (for example 192.0.2.255 for 192.0.2.0/24) was delivered to every host on that subnet, and most hosts answered ICMP echo requests received that way. Nothing on the path checked that the request’s source address was genuine. The resulting volume of echo replies saturated the victim’s uplink, and often the amplifier network’s own link as well, since hundreds of replies had to leave through the same router.
Here’s how a Smurf attack works:
- First, the attacker’s smurf tool builds an ICMP echo request whose source address is forged to be the IP address of the intended victim.
- That packet is sent to the broadcast address of a remote network (the amplifier). If the network’s border router forwards directed broadcasts, the request is delivered to every host on that subnet, multiplying one packet by the number of hosts present.
- Each host that received the broadcast answers it with an ICMP echo reply, and sends that reply to the packet’s source address, which is the victim, not the attacker.
- The victim receives a deluge of ICMP echo replies from hosts it never contacted. Repeated against several amplifier networks at once, this saturates the victim’s bandwidth and denies service to legitimate traffic.
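The four steps above, as a toy model added here for illustration (this is not TFreak’s smurf.c and sends nothing on the wire). IcmpPacket objects stand in for real ICMP packets, AmplifierNetwork models a remote subnet whose router and hosts may or may not be hardened, and all addresses are constructed test values. The same model also shows why the fix discussed below works: a network whose router drops directed broadcasts, or whose hosts ignore broadcast pings, returns nothing to the victim.

```python
"""Toy model of smurf amplification (added example, not the original tool).

Nothing is sent on the wire. IcmpPacket stands in for a real ICMP packet and
AmplifierNetwork for a remote subnet. Addresses are constructed test values
from the documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ECHO_REQUEST = 8  # ICMP type 8
ECHO_REPLY = 0    # ICMP type 0


@dataclass(frozen=True)
class IcmpPacket:
    src: IPv4Address
    dst: IPv4Address
    icmp_type: int
    length: int = 84  # bytes on the wire for ping's default 56-byte payload


@dataclass
class AmplifierNetwork:
    subnet: IPv4Network
    host_count: int
    forward_directed_broadcast: bool = True   # pre-RFC 2644 router default
    hosts_ignore_broadcast_echo: bool = False  # Linux icmp_echo_ignore_broadcasts=0

    def receive(self, pkt: IcmpPacket) -> list[IcmpPacket]:
        """Packets this network emits in response to one inbound packet."""
        if pkt.dst != self.subnet.broadcast_address:
            return []  # ordinary unicast pings are not what smurf exploits
        if not self.forward_directed_broadcast:
            return []  # border router drops the directed broadcast
        if pkt.icmp_type != ECHO_REQUEST or self.hosts_ignore_broadcast_echo:
            return []
        # Every host answers the broadcast, and each answer goes to pkt.src,
        # which the attacker forged to be the victim.
        hosts = list(self.subnet.hosts())[: self.host_count]
        return [IcmpPacket(h, pkt.src, ECHO_REPLY, pkt.length) for h in hosts]


def smurf(victim: IPv4Address, amplifiers, requests_per_amplifier: int = 1):
    """Return (packets the attacker sent, packets that landed on the victim)."""
    sent, landed = [], []
    for net in amplifiers:
        # Step 1: forge the source. Step 2: aim at the broadcast address.
        spoofed = IcmpPacket(victim, net.subnet.broadcast_address, ECHO_REQUEST)
        for _ in range(requests_per_amplifier):
            sent.append(spoofed)
            # Steps 3 and 4: hosts reply to the forged source, i.e. the victim.
            landed.extend(p for p in net.receive(spoofed) if p.dst == victim)
    return sent, landed


def amplification_factor(victim, amplifiers, requests_per_amplifier=1) -> float:
    """Bytes arriving at the victim per byte the attacker sent."""
    sent, landed = smurf(victim, amplifiers, requests_per_amplifier)
    out_bytes = sum(p.length for p in sent)
    return sum(p.length for p in landed) / out_bytes if out_bytes else 0.0


def demo() -> dict[str, float]:
    """Compare an open /24 amplifier with the two hardening options."""
    victim = IPv4Address("203.0.113.10")  # constructed victim address
    nets = {
        "open /24": AmplifierNetwork(IPv4Network("192.0.2.0/24"), 254),
        "router drops directed broadcast": AmplifierNetwork(
            IPv4Network("198.51.100.0/24"), 254, forward_directed_broadcast=False),
        "hosts ignore broadcast pings": AmplifierNetwork(
            IPv4Network("192.0.2.0/24"), 254, hosts_ignore_broadcast_echo=True),
    }
    return {name: amplification_factor(victim, [net]) for name, net in nets.items()}


if __name__ == "__main__":
    for name, factor in demo().items():
        print(f"{name}: {factor:.0f}x")
```

With a fully populated /24 the open network returns 254 bytes to the victim for every byte the attacker sends; either hardening option alone brings that to zero, which is why the fix belongs on the amplifier networks rather than at the victim.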
What are the effects of smurf attacks?
- The damage comes from amplification. An attacker on a modest link can send a stream of small requests and have each one multiplied, by hundreds of hosts per amplifier network, into a reply volume far larger than the victim’s connection can carry. The victim’s link is saturated before its operating system even gets to process the packets, so legitimate traffic is dropped along with the flood, and the victim cannot stop the replies at its end because they come from many ordinary, uncompromised hosts.
- The same mechanism works inside a LAN. A home network numbered out of a private range such as 192.168.0.0/24 or 192.168.178.0/24 has a broadcast address (192.168.0.255 or 192.168.178.255) that every device listens to, and most operating systems of the period answered echo requests sent to it, so one broadcast ping from a host on the LAN produced one reply per device and could quickly eat the bandwidth of a slow segment. Private addresses like these are not reachable from the Internet, however, so the amplifiers that mattered for Internet-scale smurf attacks were networks with publicly routable address space whose routers forwarded directed broadcasts; there, every reply also had to travel back out through the amplifier network’s own Internet connection.
How can it be fixed?
The effective fix is on the amplifier side. Configure routers not to forward directed broadcasts (on Cisco IOS this is the interface command “no ip directed-broadcast”; since RFC 2644 in 1999 this has been the recommended default), and configure hosts to ignore echo requests addressed to a broadcast address (on Linux, “sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1”, which is also the modern default). A network that does either cannot be used as a smurf amplifier. Filtering packets with spoofed source addresses at the network edge (ingress filtering, BCP 38 / RFC 2827) removes the attacker’s ability to forge the victim’s address in the first place. The victim alone can do little: the replies arrive from legitimate hosts, and blocking ICMP on the victim’s firewall does not free the already saturated link.
How can smurf attacks be prevented?
Prevention has two sides. To keep your own network from being used as an amplifier, every router should drop directed broadcasts and every host should ignore broadcast pings; to keep your network from being used to launch one, your edge should drop outbound packets whose source address does not belong to you. Both measures are now defaults on most equipment, which is why classic smurf attacks have largely disappeared, although the same reflection-and-amplification pattern survives in DNS, NTP and memcached amplification attacks.
How to check if your network is suffering from a smurf attack?
On the victim, the signature is a flood of ICMP echo replies arriving from many hosts in the same few subnets, answering requests you never sent, often with identical ICMP id and sequence fields because they all answer the same spoofed request. The protocol counters shown by “netstat -s” (the ICMP section lists echo replies received) will climb far faster than the number of echo requests you sent, and a packet capture such as “tcpdump -n 'icmp[icmptype] == icmp-echoreply'” shows where the replies come from. On a network that is being used as an amplifier, the capture instead shows echo requests to your broadcast address arriving from outside with a source address that is not yours. A host on your own network that originates large volumes of spoofed traffic should be investigated for compromise, but the amplifying hosts themselves are not infected; they are simply answering pings.
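The check described above, written out as an added example over constructed tcpdump-style lines (these are not from a real incident, and the address 203.0.113.10 for the monitored host is an assumption): echo replies are grouped by source /24 and compared with the echo requests we actually sent to that subnet, and replies are also grouped by ICMP id and sequence to see how many distinct hosts answered the same request.

```python
"""Spot a smurf reply flood in tcpdump-style ICMP output (added example).

The capture lines are constructed to look like 'tcpdump -n icmp' output and
are not from a real incident. Two indicators are computed: replies from a
subnet that far outnumber the requests we sent there, and many distinct
hosts answering the same (id, seq) pair, which a normal ping never shows."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

OUR_ADDR = "203.0.113.10"  # constructed: address of the monitored host

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

# One legitimate ping exchange with 198.51.100.1 ...
SAMPLE_CAPTURE = [
    "12:00:00.000100 IP 203.0.113.10 > 198.51.100.1: ICMP echo request, id 41, seq 1, length 64",
    "12:00:00.004200 IP 198.51.100.1 > 203.0.113.10: ICMP echo reply, id 41, seq 1, length 64",
]
# ... then 30 replies from 192.0.2.0/24 answering a request we never sent.
# They share id 7 / seq 1 because they all answer the attacker's one spoofed
# broadcast request.
SAMPLE_CAPTURE += [
    f"12:00:01.{i * 100:06d} IP 192.0.2.{i} > 203.0.113.10: ICMP echo reply, id 7, seq 1, length 64"
    for i in range(1, 31)
]


def parse(lines):
    """Yield parsed fields for lines that look like ICMP echo traffic."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(lines, our_addr=OUR_ADDR, prefixlen=24, threshold=10):
    """Return suspect subnets (unsolicited replies >= threshold) and the
    largest number of distinct hosts that answered one (id, seq) pair."""
    requests_sent = Counter()   # subnet -> echo requests we sent into it
    replies_seen = Counter()    # subnet -> echo replies we got back from it
    hosts_per_id = defaultdict(set)  # (id, seq) -> distinct replying hosts
    for rec in parse(lines):
        if rec["kind"] == "request" and rec["src"] == our_addr:
            requests_sent[ip_network(f"{rec['dst']}/{prefixlen}", strict=False)] += 1
        elif rec["kind"] == "reply" and rec["dst"] == our_addr:
            replies_seen[ip_network(f"{rec['src']}/{prefixlen}", strict=False)] += 1
            hosts_per_id[(rec["id"], rec["seq"])].add(rec["src"])
    suspects = {
        str(net): count - requests_sent[net]
        for net, count in replies_seen.items()
        if count - requests_sent[net] >= threshold
    }
    fanout = max((len(h) for h in hosts_per_id.values()), default=0)
    return {"suspect_subnets": suspects, "max_fanout": fanout}


if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE)
    for net, excess in result["suspect_subnets"].items():
        print(f"{net}: {excess} unsolicited echo replies")
    print(f"most hosts answering one id/seq: {result['max_fanout']}")
```

The legitimate exchange with 198.51.100.1 balances out (one request, one reply) and is not reported, while 192.0.2.0/24 shows 30 replies to zero requests, all for the same id and sequence number, the pattern of a subnet reflecting a spoofed broadcast ping at us.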
In this blog post we looked at the smurf attack, a reflection and amplification denial-of-service attack, and its impact. We saw how a single attacker with modest bandwidth can take down a far better-connected victim by bouncing spoofed pings off the broadcast addresses of networks it does not control. Finally, we covered prevention: routers that drop directed broadcasts, hosts that ignore broadcast pings, and network edges that filter spoofed source addresses.