
Smurf Attack

The smurf attack is named after the source code employed to launch the attack (smurf.c). It uses forged ICMP echo request packets directed at IP network broadcast addresses: the attacker issues ICMP ECHO_REQUESTs to the broadcast address of another network, spoofing as the source address the IP address of the system it wishes to target.

When the systems on the network whose broadcast address receives the ECHO_REQUEST see the packet with the falsified source address (i.e., the return address), they all respond, flooding the targeted victim with echo replies. This flood can overwhelm the victim's network. Both the intermediate network and the victim's network will see degraded performance, and the attack can eventually render both networks inoperable.

There are steps that the intermediate network can take to prevent being used in this way: configuring network devices not to respond to ICMP ECHO_REQUESTs, and disabling IP directed broadcasts from passing through the network routers. There are really no steps that the targeted victim can take to prevent this kind of attack. Once an organization determines that it is the victim of an attack, its only defense is contacting the intermediate network to stop the ECHO_REQUESTs from being relayed.
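As an added example (not part of the original text), the following Python checks cover both sides of the defense described above over constructed ICMP flow records: the intermediate network spotting echo requests aimed at its directed-broadcast address, and the victim spotting a flood of echo replies from one subnet it never probed. The record layout, addresses and threshold are constructed assumptions.

```python
"""Smurf-pattern checks over constructed ICMP flow records.

Intermediate network: echo requests (ICMP type 8) addressed to the
directed-broadcast address of a local subnet, which the router should drop.
Victim network: a burst of echo replies (ICMP type 0) to one host from many
sources in a single subnet that the host never probed.
"""
import ipaddress
from collections import Counter

# Constructed sample records (src, dst, icmp_type); not captured traffic.
VICTIM = "203.0.113.9"
FLOWS = [
    ("203.0.113.9", "192.0.2.255", 8),    # spoofed request to a broadcast address
    ("192.0.2.10", "203.0.113.9", 0),     # replies from the amplifying subnet
    ("192.0.2.11", "203.0.113.9", 0),
    ("192.0.2.12", "203.0.113.9", 0),
    ("192.0.2.13", "203.0.113.9", 0),
    ("203.0.113.9", "198.51.100.7", 8),   # legitimate ping by the victim
    ("198.51.100.7", "203.0.113.9", 0),   # and its single reply
]

def is_directed_broadcast(dst, subnet):
    """True if dst is the broadcast address of subnet (e.g. 192.0.2.255 for 192.0.2.0/24)."""
    return ipaddress.ip_address(dst) == ipaddress.ip_network(subnet).broadcast_address

def broadcast_echo_requests(flows, local_subnets):
    """Intermediate-network check: echo requests aimed at a local broadcast address."""
    return [f for f in flows
            if f[2] == 8 and any(is_directed_broadcast(f[1], s) for s in local_subnets)]

def unsolicited_replies_by_subnet(flows, victim):
    """Victim-side check: echo replies to victim from hosts it never sent a request to, per /24."""
    probed = {dst for src, dst, t in flows if src == victim and t == 8}
    counts = Counter()
    for src, dst, t in flows:
        if dst == victim and t == 0 and src not in probed:
            counts[str(ipaddress.ip_network(src + "/24", strict=False))] += 1
    return counts

def smurf_suspects(flows, victim, threshold=3):
    """Source /24s whose unsolicited reply count reaches threshold: candidate reflectors."""
    return {net: n for net, n in unsolicited_replies_by_subnet(flows, victim).items()
            if n >= threshold}

if __name__ == "__main__":
    print(broadcast_echo_requests(FLOWS, ["192.0.2.0/24"]))
    print(smurf_suspects(FLOWS, VICTIM))
```

The subnet reported by `smurf_suspects` is the intermediate network the victim would contact, as the text describes.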

Denial-of-service attacks are the most difficult to defend against and, of the possible attacks, require the least expertise to launch. In general, organizations should monitor for anomalous traffic patterns, such as SYN-ACKs with no returning ACKs. Since most routers filter incoming and outgoing packets, router-based filtering is the best defense against denial-of-service attacks. Organizations should use packet filters that filter on both destination and sender address. In addition, they should always use SPAM/sendmail filters.

Keep in mind that there is a trade-off with packet and mail filtering. The filtering performed to detect denial-of-service attacks will slow network performance, which may frustrate an organization's end users and slow its applications. In addition, mail filtering will bounce some e-mails that really should be allowed through, which may also aggravate end users.
