The Smurf attack began as a C program written by the renowned hacker Dan Moschuk, aka TFreak, in 1997. The attack got its name from the 1980s cartoon “The Smurfs”: Moschuk likened the flood of packets to the tiny Smurfs overwhelming a much larger opponent through sheer numbers, and named the original file Smurf.c accordingly.
A Smurf attack is a distributed denial-of-service (DDoS) attack that starts with a spoofed ICMP Echo request sent to a broadcast address. Every device that receives the request answers with an echo reply, producing a botnet-like surge of ICMP traffic that eventually overwhelms the victim’s network and system resources.
One of the first attacks using this approach took place in 1998 and targeted the University of Minnesota. It halted internet traffic and eventually affected the Minnesota Regional Network, a statewide internet service provider (ISP). The impact was so severe that computers across the state shut down, networks slowed, and users even reported data loss.
The code is available on GitHub and can be accessed using this link.
Before we understand how the Smurf attack works, we need to understand the following terms:
What is ICMP?
ICMP stands for Internet Control Message Protocol, a network-layer protocol that network devices use to report network communication issues. ICMP is essential for testing and error reporting; however, attackers can also abuse it for distributed denial-of-service (DDoS) attacks.
ICMP helps determine whether data is reaching its intended recipient in a timely manner. The protocol is commonly used by network devices such as routers and switches, and the widely used utilities ping and traceroute (tracert on Windows) rely on it.
What is a DDoS attack?
Distributed denial-of-service (DDoS) is a powerful technique that cybercriminals use to attack websites and services across the Internet, overwhelming them with far more traffic than the victim server or network can accommodate. The end goal of a DDoS attack is to render the website or service inoperable.
What is a Broadcast Domain?
A broadcast domain is a group of devices that can receive broadcast frames from one another. For example, if device A sends a broadcast frame and devices B and C receive it, all three devices are in a single broadcast domain.
Because a bridge/switch floods broadcast frames out of all its ports by default, every device connected to that bridge/switch is in a common broadcast domain.
What is a Broadcast IP Address?
A broadcast IP address is an address that enables transmission to every node in a local network. It is the highest address in the network’s range; e.g., the broadcast address of the Class C network 192.168.16.0/24 is 192.168.16.255.
How Does a Smurf Attack Work?
Normally, host A sends an ICMP Echo (ping) request to host B; if ICMP is enabled, host B automatically responds. The time taken for the reply to reach host A is a measure of the virtual distance between hosts A and B.
However, if a ping request is sent to the broadcast address, every host in the broadcast domain responds. In a Smurf attack, perpetrators abuse this behaviour to amplify the attack traffic.
A Smurf attack takes place in the following steps:
- The attacker identifies the target server (say B) and its IP address, and an intermediary network (N), also known as the Smurf amplifier.
- The attacker crafts a spoofed ICMP Echo request on system A with the target server’s IP address as the source address. Attackers can use the Smurf.c program and build on top of it if required.
- The attacker sends the request to the broadcast address of intermediary network N, so it reaches every host in network N.
- Each host in intermediary network N sends an automatic Echo reply to the spoofed source address, which belongs to the victim, mimicking the effect of a botnet. The more hosts the network contains, the larger the volume of this amplified response.
- The target server B is flooded with echo replies that can overwhelm the system.
Services on the intermediary network N are also likely to be degraded during the attack.
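As an added defender-side example (not part of the original post), the following Python script looks for the signature produced by the steps above: a burst of ICMP echo replies from many hosts of one /24 arriving at a single destination that never sent echo requests to that network. The flow records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_interface

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type values

# Constructed flow records, not a real capture: (time_sec, src, dst, icmp_type).
# 192.168.16.0/24 plays the amplifier network N; 203.0.113.10 plays the victim B.
SAMPLE = (
    # A legitimate ping: the victim asks one host and gets one reply back.
    [(0.0, "203.0.113.10", "198.51.100.5", ECHO_REQUEST),
     (0.1, "198.51.100.5", "203.0.113.10", ECHO_REPLY)]
    # The flood: 60 hosts of N reply to a request the victim never sent.
    + [(1.0 + i * 0.001, f"192.168.16.{i}", "203.0.113.10", ECHO_REPLY)
       for i in range(1, 61)]
)

def subnet(ip):
    """Return the /24 containing ip, as a string (assumes /24-sized amplifiers)."""
    return str(ip_interface(f"{ip}/24").network)

def detect_smurf(records, min_sources=20, window=2.0):
    """Return {victim: (amplifier /24, reply_count)} for every destination that
    receives echo replies from at least min_sources hosts of one /24 without
    having sent an echo request to that /24 within `window` seconds before the
    first reply. Both thresholds are assumed starting points, not tuned values."""
    requests = defaultdict(set)    # (requester, /24 of target) -> request times
    replies = defaultdict(list)    # (receiver, /24 of replier) -> [(t, replier)]
    for t, src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST:
            requests[(src, subnet(dst))].add(t)
        elif icmp_type == ECHO_REPLY:
            replies[(dst, subnet(src))].append((t, src))
    alerts = {}
    for (victim, net), items in replies.items():
        if len({src for _, src in items}) < min_sources:
            continue                      # too few repliers to be an amplifier
        first = min(t for t, _ in items)
        solicited = any(first - window <= rt <= first
                        for rt in requests.get((victim, net), ()))
        if not solicited:                 # many replies, no matching request
            alerts[victim] = (net, len(items))
    return alerts

if __name__ == "__main__":
    print(detect_smurf(SAMPLE))   # {'203.0.113.10': ('192.168.16.0/24', 60)}
```

A ping sweep by the victim itself (an echo request to the /24 shortly before the replies) is treated as solicited and not alerted on.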
What Are the Types of Smurf Attacks?
Smurf Attacks can be categorized primarily into two different types:
1. Basic Smurf attack
A basic Smurf attack is one in which the attacker overwhelms the target system with an unending stream of ICMP echo traffic, using an intermediary network to mimic botnet traffic.
2. Advanced Smurf attack
An advanced Smurf attack starts in the same way as a basic one; however, the program or malware lets the attacker change the spoofed source IP address dynamically. That enables the attacker to target multiple victims simultaneously and impact a significant part of the Web.
How to mitigate a Smurf attack?
The following steps can help mitigate a Smurf attack:
- Configure routers and hosts to ignore packets sent to the broadcast address of a subnet that is not directly attached to the sending machine.
- Disable forwarding of packets directed to broadcast addresses on routers. This has been the default configuration since 1999.
Additionally, ISPs should implement ingress filtering to reject attack packets carrying spoofed source addresses.
On legacy Cisco routers, IP directed broadcast can be disabled with the following interface command:
Router(config-if)# no ip directed-broadcast
IP directed broadcast is disabled by default in IOS version 12.0 and higher, so the command “no ip directed-broadcast” will not appear in the running configuration. Verify instead that the running configuration does not contain “ip directed-broadcast”.
For versions before 12.0, ensure that “no ip directed-broadcast” appears in the running-config of every interface.
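As an added example, not part of the original post, this Python script audits a saved running-config against the two rules above: on IOS 12.0 and higher only an explicit “ip directed-broadcast” is a finding, while before 12.0 every interface must carry “no ip directed-broadcast”. The config excerpt is constructed, and treating a config with no version line as pre-12.0 is an assumed conservative choice.

```python
import re

# Constructed running-config excerpt for illustration; not from a real device.
SAMPLE_CONFIG = """\
version 11.2
!
interface Ethernet0
 ip address 192.168.16.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 10.0.0.1 255.255.255.0
 ip directed-broadcast
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
!
"""

def ios_version(config):
    """Return (major, minor) from the 'version X.Y' line, or None if absent."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_interfaces(config):
    """Map each 'interface NAME' block to its indented (stripped) config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None            # '!' or a global line ends the block
    return blocks

def audit_directed_broadcast(config):
    """Return {interface: finding} for interfaces that would still forward
    directed broadcasts under the version-dependent default described above."""
    # No version line sorts as (0, 0), i.e. pre-12.0: a conservative assumption.
    legacy = (ios_version(config) or (0, 0)) < (12, 0)
    findings = {}
    for name, lines in parse_interfaces(config).items():
        # 'ip directed-broadcast' may carry an access-list argument, so match the prefix.
        if any(l.startswith("ip directed-broadcast") for l in lines):
            findings[name] = "explicitly enabled"
        elif legacy and "no ip directed-broadcast" not in lines:
            findings[name] = "enabled by pre-12.0 default"
    return findings
```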
What is a Smurf Amplifier?
A Smurf amplifier is an intermediary network that lends itself to being (ab)used in a Smurf attack. Large Smurf amplifiers worsen the severity of an attack because they generate a large number of ICMP replies to flood the victim at the spoofed source IP address.
What is the Attack Amplification Factor (AAF)?
Attack Amplification Factor (AAF) is a term coined by Dr. Sanjeev Kumar, a professor at The University of Texas. In his research paper, it represents the degree of bandwidth enhancement, or amplification, that the original attack traffic undergoes through Smurf amplifiers on its way to the victim system.
What is a Fraggle Attack?
A Fraggle attack is a variant of the Smurf attack in which a large number of spoofed UDP echo packets (UDP port 7) are sent to a network’s broadcast address via its router.
Since routers (post-1999) no longer forward packets directed at their broadcast addresses, most networks are now immune to Fraggle (and Smurf) attacks.
Smurf attacks were easy to execute before late 1999 because most networks were poorly configured and could not resist such abuse. Since then, however, hosts and routers have been routinely configured neither to respond to ICMP requests addressed to the IP broadcast address nor to forward such requests.
However, legacy devices running earlier versions of IOS remain a considerable threat, as attackers can easily abuse them. Please refer to our earlier blog post on protecting legacy systems.