Smurf Attack Definition
A Smurf attack is a reflected, amplified denial-of-service attack in which ICMP echo requests carrying the victim's IP address as a forged (spoofed) source are sent to the broadcast address of an intermediary network. Because the replies come from many hosts at once, it is usually classed as a DDoS (distributed denial of service) attack.
By default, most hosts on that network answer each request with an ICMP echo reply addressed to the packet's source IP, which is the victim's address.
If the number of hosts that receive and answer these packets is large, every single request the attacker sends is multiplied by that number, and the victim is flooded with replies. This can saturate the victim's link and slow the machine to the point where it is unusable.
The steps followed by a Smurf attack are the following:
- First, the attacker (or malware running on a compromised host) crafts a network packet whose source IP address is set to the victim's address; this technique is called IP spoofing.
- The packet is an ICMP echo request (a ping), which asks every node that receives it to send an echo reply back to the source address.
- Each reply is therefore sent to the spoofed source, so every responding host sends its echo reply to the victim rather than to the attacker, who never appears in any packet.
- Because the request is addressed to the network's directed broadcast address (which delivers it to every host on that subnet), one packet from the attacker becomes as many reply packets as there are responding hosts. With this amplification a Smurf attack can cause a complete denial of service quickly.
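To make the amplification concrete, here is an added example in Python (not code from the original page) that models the exchange above: one forged echo request delivered to a subnet's directed-broadcast address and the replies it triggers, all aimed at the spoofed source. The subnet, host count and addresses are constructed from the RFC 5737 documentation ranges; the two toggles on Host and Router are assumptions that stand in for the Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts and the Cisco IOS "ip directed-broadcast" setting, so the same model also shows what each mitigation does to the reply count.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source address as written in the IP header; the attacker forges it
    dst: str
    proto: str  # "icmp" or "udp"
    kind: str   # "echo-request" or "echo-reply"


@dataclass
class Host:
    ip: str
    # Mirrors the Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts (assumption).
    icmp_echo_ignore_broadcasts: bool = False

    def respond(self, pkt, subnet):
        """Return the echo reply this host would emit for pkt, or None."""
        if pkt.proto != "icmp" or pkt.kind != "echo-request":
            return None
        to_broadcast = pkt.dst == str(subnet.broadcast_address)
        if to_broadcast and self.icmp_echo_ignore_broadcasts:
            return None
        if not to_broadcast and pkt.dst != self.ip:
            return None
        # The reply is addressed to whatever the request claimed as its source.
        return Packet(src=self.ip, dst=pkt.src, proto="icmp", kind="echo-reply")


@dataclass
class Router:
    subnet: ipaddress.IPv4Network
    hosts: list
    # Mirrors Cisco IOS "ip directed-broadcast" (assumption); "no ip
    # directed-broadcast" is the modern default and stops the reflection.
    forward_directed_broadcast: bool = True

    def deliver(self, pkt):
        """Deliver one packet arriving from outside; return every reply it triggers."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst == self.subnet.broadcast_address:
            if not self.forward_directed_broadcast:
                return []          # dropped at the border, nothing is reflected
            targets = self.hosts   # a directed broadcast reaches every host
        elif dst in self.subnet:
            targets = [h for h in self.hosts if h.ip == pkt.dst]
        else:
            targets = []
        return [r for r in (h.respond(pkt, self.subnet) for h in targets) if r]


def build_reflector(cidr, n_hosts, ignore_broadcasts=False, forward=True):
    """Constructed reflector network with n_hosts live hosts (first addresses of cidr)."""
    net = ipaddress.ip_network(cidr)
    hosts = [Host(str(ip), ignore_broadcasts) for ip in list(net.hosts())[:n_hosts]]
    return Router(net, hosts, forward)


def smurf(victim, reflector, requests=1):
    """Send `requests` echo requests spoofed from `victim` to the reflector's
    directed-broadcast address; return how many replies each address receives."""
    bcast = str(reflector.subnet.broadcast_address)
    received = Counter()
    for _ in range(requests):
        forged = Packet(src=victim, dst=bcast, proto="icmp", kind="echo-request")
        for reply in reflector.deliver(forged):
            received[reply.dst] += 1
    return received


if __name__ == "__main__":
    victim = "203.0.113.5"   # constructed victim address
    for label, net in (
        ("open reflector", build_reflector("192.0.2.0/24", 200)),
        ("router drops directed broadcast", build_reflector("192.0.2.0/24", 200, forward=False)),
        ("hosts ignore broadcast pings", build_reflector("192.0.2.0/24", 200, ignore_broadcasts=True)),
    ):
        hits = smurf(victim, net, requests=10)[victim]
        print(f"{label}: 10 forged requests -> {hits} replies at the victim")
```

With 200 answering hosts the open reflector turns each forged request into 200 replies at the victim, and the attacker's own address never appears anywhere; either mitigation toggle brings the count to zero while ordinary unicast pings to individual hosts keep working.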
History
The original smurf.c was written by Dan Moschuk, also known as TFreak.
In the late 1990s, many IP networks would take part in a Smurf attack if asked, that is, they answered ICMP echo requests sent to their broadcast addresses.
The name comes from the idea of very small but numerous attackers (like the smurfs), overwhelming a much larger opponent.
Today, administrators can make a network immune to such abuse; therefore, very few networks remain vulnerable to smurf attacks. A variant of this attack is the Fraggle.
How to protect yourself from Smurf Attack?
The name Smurf sounds harmless, but the attack poses a real risk if it manages to saturate the victim's link or servers.
Disabling the forwarding of IP directed broadcasts and using reliable detection tools limit both the probability and the impact of this attack.
Here are some of the steps you can take to mitigate Smurf attacks:
- Block directed-broadcast traffic at the network border: configure routers not to forward packets addressed to a subnet's broadcast address (on Cisco IOS this is "no ip directed-broadcast", the default on current releases), so that your network cannot be used as a reflector.
- Configure hosts and routers not to answer ICMP echo requests sent to broadcast addresses (on Linux, the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1, which is the default). Hosts still answer ordinary unicast pings.
- Apply ingress filtering (BCP 38) at your edge so that packets leaving your network cannot carry another network's source address; this keeps your hosts from being the origin of the forged requests.
A variant of the Smurf attack is the Fraggle attack. It works the same way, but instead of ICMP echo requests it sends UDP packets (typically to the UDP echo service on port 7) to the directed broadcast address, and the hosts' UDP echo replies flood the victim. The same mitigations apply, and disabling the UDP echo and chargen small services on hosts removes the reflector entirely.
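The mitigations above, together with the detection check the previous section asks for, as an added example in Python that is not from the original page: a border-filter rule that drops anything addressed to a local broadcast address, which stops both the ICMP (Smurf) and the UDP (Fraggle) variant with one rule, and a victim-side detector that flags a host receiving echo replies from many distinct sources it never sent requests to. The local subnets, the threshold and the sample capture are constructed for illustration (RFC 5737 ranges).

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Subnets behind the border router (constructed; RFC 5737 documentation ranges).
LOCAL_SUBNETS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]
# Every destination that would be expanded into a local broadcast: each
# subnet-directed broadcast plus the limited broadcast address.
BROADCAST_TARGETS = {n.broadcast_address for n in LOCAL_SUBNETS}
BROADCAST_TARGETS.add(ipaddress.ip_address("255.255.255.255"))
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
UDP_ECHO = 7   # UDP echo service that Fraggle bounces packets off


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "udp"
    icmp_type: int = -1   # ICMP only
    sport: int = -1       # UDP only
    dport: int = -1       # UDP only


def border_filter(pkt):
    """Ingress rule for packets arriving from outside: returns (action, reason)."""
    if ipaddress.ip_address(pkt.dst) in BROADCAST_TARGETS:
        # One rule covers both variants: ICMP echo (Smurf) and UDP (Fraggle)
        # only amplify because the packet gets expanded into a broadcast.
        return "drop", f"directed broadcast to {pkt.dst} via {pkt.proto}"
    return "accept", "unicast"


def _is_request(p):
    return (p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST) or \
           (p.proto == "udp" and p.dport == UDP_ECHO)


def _is_reply(p):
    return (p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REPLY) or \
           (p.proto == "udp" and p.sport == UDP_ECHO)


def reflection_victims(packets, min_reflectors=50):
    """Victim-side detector over a capture seen in both directions: report local
    destinations that receive echo replies (ICMP or UDP echo) from at least
    min_reflectors distinct sources without having sent matching requests."""
    requested = set()               # (requester, responder) pairs seen as requests
    unsolicited = defaultdict(set)  # destination -> reflector addresses
    for p in packets:
        if _is_request(p):
            requested.add((p.src, p.dst))
        elif _is_reply(p) and (p.dst, p.src) not in requested:
            unsolicited[p.dst].add(p.src)
    return {dst: len(srcs) for dst, srcs in unsolicited.items() if len(srcs) >= min_reflectors}


# Constructed capture at our border: one legitimate ping exchange, then a Smurf
# burst of 120 unsolicited ICMP replies at 192.0.2.50 and a Fraggle burst of
# 30 UDP echo replies at 192.0.2.60, all reflected from 203.0.113.0/24.
SAMPLE_CAPTURE = [
    Packet("192.0.2.10", "203.0.113.7", "icmp", icmp_type=ICMP_ECHO_REQUEST),
    Packet("203.0.113.7", "192.0.2.10", "icmp", icmp_type=ICMP_ECHO_REPLY),
]
SAMPLE_CAPTURE += [Packet(f"203.0.113.{i}", "192.0.2.50", "icmp", icmp_type=ICMP_ECHO_REPLY)
                   for i in range(1, 121)]
SAMPLE_CAPTURE += [Packet(f"203.0.113.{i}", "192.0.2.60", "udp", sport=UDP_ECHO, dport=40000)
                   for i in range(130, 160)]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.77", "192.0.2.255", "icmp", icmp_type=ICMP_ECHO_REQUEST),
                Packet("203.0.113.77", "198.51.100.127", "udp", sport=40000, dport=UDP_ECHO),
                Packet("203.0.113.77", "192.0.2.10", "icmp", icmp_type=ICMP_ECHO_REQUEST)):
        print(pkt.dst, border_filter(pkt))
    print("suspected reflection victims:", reflection_victims(SAMPLE_CAPTURE))
```

The filter keys on the destination address rather than on the protocol, because the protocol is the only thing that changes between Smurf and Fraggle. The detector needs to see the victim's outbound traffic as well, otherwise a legitimate ping sweep from a local host would look like a reflection flood; the min_reflectors threshold is a tuning knob and 50 is only a placeholder.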