Who Made The Term Smurf Attack?


Introduction

“The Smurf Attack” was named after the fictional blue dwarfs by Pierre Charles Baudouin, who first described it in his 1996 Phrack article “La deuxième guerre des boutons” (The Second War of the Buttons). The attack itself has existed since then, but it was not until 1999 that the method of amplifying network traffic in order to launch such an attack became known.

An old 2008 article from SANS ISC is often cited as a reference. At the bottom of that page there is a link to Pierre-Marc Bureau’s 1996 paper.

In an ISC diary from 2011, James Morris writes: “I coined the term ‘smurf attack’ in 1999.” In another diary entry, from 2007, James Morris explains how he was involved with the early research on this attack vector and indirectly credits several people who had never been mentioned before (in 2009):

“I’d like to give credit to Michal Zalewski for writing much of the packet analysis (he spent some time working for me at IBM), and also Paul Vixie & Art Manion – with whom I was largely responsible for uncovering the details of the vulnerability.”

In this thread from 2009, Michal Zalewski writes: “To be entirely honest with you, I’ve no idea who coined it. The first time I heard about that attack was when the draft-phrack article popped up on my mail queue. It had some kind of funny ASCII art depicting a network packet – which quickly got replaced by more classic representation in Phrack [November 1996].”

Why do we call this type of attack a Smurf Attack?

We called it a Smurf Attack because the first step of this attack is to send ICMP echo request (aka ping) packets with a forged source IP address, that of the target. These packets are called “echo” or “ping” requests. And because once upon a time there was a popular TV series about little blue dwarves (smurfs).

How does a Smurf Attack work?

In a Smurf attack, the attacker sends many ICMP echo requests with fake source addresses to the broadcast address of a network. The forged source IP address is that of the target, so these echo (ping) requests appear to come from the target itself, and every machine in that network that answers pings will naturally reply to it. Because every device on the network receives the broadcast echo requests, each machine sends some data (larger than 64 bytes) toward the target even though it has had no previous communication with the target at all. This costs throughput for the legitimate users who share the same network with the target.

What is a Smurf Attack?

In a nutshell, it’s an old-school network DoS attack that abuses the functionality of the Internet Control Message Protocol (ICMP). The attacker floods the target with large amounts of ICMP echo requests. The destination system then sends out a response to each packet received, thus sending back much more data than was originally sent. If big enough packets are used in the flooding process, then either complete networks or Internet service providers can be knocked offline. Nowadays this attack method is considered outdated because modern routers drop such pings automatically and there are better amplification attacks available. But it still gets modest results in some cases when combined with other attacks or techniques like DNS reflection/amplification etc.

The Smurf Attack is an old exploit that sends a large number of ICMP Echo packets to the broadcast address of the target network. This forms a flood on the network, causing a loss of performance on all devices connected to that same network. The attacker’s computer sends out packets with spoofed source IP addresses toward an “innocent” machine of his choice. These packets are usually sent to port 7 or 9, which are used for echo and discard requests respectively. All machines send an answer back to this innocent machine, thus creating a huge amount of traffic toward it.

What’s new in Smurf Vulnerability?

The vulnerability exists within all Network Driver Interface Specification (NDIS) implementations that allow an application to send raw traffic before filtering has been applied. The vulnerability itself appears due to a lack of input validation in the ICMPv4 protocol.

Summary

A malicious user sends many ICMP echo requests (aka pings) to the broadcast address of a target network with a forged source IP address (usually that of the router), so it seems as if these echo requests come from the router itself. Every device in this network receives these echo requests, and each machine sends some data (larger than 64 bytes) toward this fake source address even though it had no previous communication with it at all. This causes a loss of throughput for the legitimate users who share the same network with the target.

According to RFC 792 this kind of reply must be sent even if the record route option is not enabled. So if the record route option is not set, the victim will reply to the first system it hears about in these packets, which is usually its default gateway or the last router on the path back to the source of this attack. Now, instead of returning an ICMP echo reply to the originator of the ping requests, our machine replies with a packet directed toward the WAN/ISP where the real machine behind the spoofed IP address resides.
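The two halves of the traffic pattern described under “How does a Smurf Attack work?” and again in this summary (an echo request aimed at a subnet broadcast address, followed by a burst of echo replies from many hosts toward one address that never pinged them) are what a defender can look for in a packet or flow log. The following detector is an added example written for this page, not code from the original article or from any of the people it cites. The one-packet-per-line log format is invented for the example, the sample log is constructed, and its addresses come from the RFC 5737 documentation ranges, so nothing in it refers to a real network.

```python
"""Spot the two halves of a Smurf attack in a packet log (added example).

The record format is constructed for this example: one packet per line,
"<time> <src> <dst> <proto> <icmp-type> <bytes>". Addresses come from the
RFC 5737 documentation ranges, so nothing here refers to a real network.
"""
from collections import defaultdict
import ipaddress

# Constructed sample log. One echo request (type 8), spoofed so that its
# source is the victim 198.51.100.7, is sent to the broadcast address of
# 192.0.2.0/24; eight hosts on that subnet answer the victim with echo
# replies (type 0). The last two lines are an ordinary ping exchange
# that must not be flagged.
SAMPLE_LOG = """\
1000.00 198.51.100.7 192.0.2.255 icmp 8 1500
1000.01 192.0.2.10 198.51.100.7 icmp 0 1500
1000.01 192.0.2.11 198.51.100.7 icmp 0 1500
1000.01 192.0.2.12 198.51.100.7 icmp 0 1500
1000.02 192.0.2.13 198.51.100.7 icmp 0 1500
1000.02 192.0.2.14 198.51.100.7 icmp 0 1500
1000.02 192.0.2.15 198.51.100.7 icmp 0 1500
1000.03 192.0.2.16 198.51.100.7 icmp 0 1500
1000.03 192.0.2.17 198.51.100.7 icmp 0 1500
1000.05 192.0.2.20 192.0.2.21 icmp 8 64
1000.05 192.0.2.21 192.0.2.20 icmp 0 64
"""

ECHO_REQUEST, ECHO_REPLY = 8, 0


def parse_log(text):
    """Turn the constructed log text into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, icmp_type, length = line.split()
        packets.append({"ts": float(ts), "src": src, "dst": dst,
                        "proto": proto, "type": int(icmp_type),
                        "len": int(length)})
    return packets


def broadcast_echo_requests(packets, network):
    """Echo requests addressed to the subnet's broadcast address.

    These are the amplification trigger: a router that forwards them turns
    one packet into one reply per live host on the subnet."""
    bcast = ipaddress.ip_network(network).broadcast_address
    return [p for p in packets
            if p["proto"] == "icmp" and p["type"] == ECHO_REQUEST
            and ipaddress.ip_address(p["dst"]) == bcast]


def unsolicited_reply_floods(packets, min_sources=5):
    """Destinations receiving echo replies from many hosts they never pinged.

    Returns {destination: (distinct_sources, total_bytes)} for every
    destination hit by at least min_sources unsolicited repliers."""
    requested = {(p["src"], p["dst"]) for p in packets
                 if p["proto"] == "icmp" and p["type"] == ECHO_REQUEST}
    seen = defaultdict(lambda: [set(), 0])
    for p in packets:
        if p["proto"] != "icmp" or p["type"] != ECHO_REPLY:
            continue
        if (p["dst"], p["src"]) in requested:
            continue  # a reply to a request the destination really sent
        seen[p["dst"]][0].add(p["src"])
        seen[p["dst"]][1] += p["len"]
    return {dst: (len(srcs), total) for dst, (srcs, total) in seen.items()
            if len(srcs) >= min_sources}


def amplification_factor(packets, network, victim):
    """Bytes of unsolicited replies reaching the victim per byte of
    broadcast request spoofed in its name (0.0 if there was no such request)."""
    trigger = sum(p["len"] for p in broadcast_echo_requests(packets, network)
                  if p["src"] == victim)
    if trigger == 0:
        return 0.0
    floods = unsolicited_reply_floods(packets, min_sources=1)
    return floods.get(victim, (0, 0))[1] / trigger


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    print("broadcast echo requests:",
          len(broadcast_echo_requests(pkts, "192.0.2.0/24")))
    print("unsolicited reply floods:", unsolicited_reply_floods(pkts))
    print("amplification toward 198.51.100.7:",
          amplification_factor(pkts, "192.0.2.0/24", "198.51.100.7"))
```

On the constructed sample the detector reports one broadcast echo request and eight unsolicited repliers sending 12,000 bytes to 198.51.100.7, an amplification factor of 8 over the single 1,500-byte trigger; on a real subnet the factor scales with the number of hosts that answer broadcast pings. The legitimate ping between 192.0.2.20 and 192.0.2.21 is ignored because its reply matches a request the destination actually sent. The corresponding mitigations are the ones the article alludes to when it says modern routers drop these pings: refuse to forward directed broadcasts at the router (`no ip directed-broadcast` on Cisco IOS) and have hosts ignore broadcast echo requests (`net.ipv4.icmp_echo_ignore_broadcasts = 1` on Linux), which removes the amplifier rather than the trigger.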