The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.
The original smurf was written by Dan Moschuk, aka TFreak.
In the late 1990s, many IP networks would participate in Smurf attacks if prompted (that is, they would respond to ICMP requests sent to broadcast addresses). The name comes from the idea of very small, but numerous attackers overwhelming a much larger opponent (see Smurfs). Today, administrators can make a network immune to such abuse; therefore, very few networks remain vulnerable to Smurf attacks.
The fix is two-fold:
- Configure hosts and routers to ignore packets where the source address is a broadcast address; and
- Configure routers to not forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default. Since then, the default standard was changed to not forward such packets.
Mitigation on a Cisco router
An example of configuring a router so it will not forward packets to broadcast addresses, for a Cisco router, is:
Router(config-if)# no ip directed-broadcast
(This example does not protect a network from becoming the target of a Smurf attack; it merely prevents the network from participating in a Smurf attack.)
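As an added illustration (not code from the article, Cisco, or the cited authors), the following Python models the two-part fix above as a router forwarding check run over constructed sample packets; the subnets, addresses, `Packet` class and function names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: a router with two directly connected subnets.
# Addresses are RFC 5737 documentation ranges, chosen for this illustration.
CONNECTED_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

@dataclass(frozen=True)
class Packet:
    src: str    # source address as written in the header (may be spoofed)
    dst: str    # destination address
    proto: str  # "icmp" for Smurf-style traffic, "udp" for Fraggle-style

def is_broadcast(addr, subnets):
    """True if addr is the limited broadcast or a connected subnet's directed broadcast.

    /31 and /32 links have no broadcast address (RFC 3021), so they are skipped;
    otherwise the second host of a point-to-point link would be wrongly dropped.
    """
    a = ipaddress.ip_address(addr)
    if a == LIMITED_BROADCAST:
        return True
    return any(a == n.broadcast_address for n in subnets if n.prefixlen <= 30)

def forwarding_decision(pkt, subnets, directed_broadcast=False):
    """Apply the two-part fix; directed_broadcast=False models 'no ip directed-broadcast'."""
    # Part 1: ignore packets whose source address is a broadcast address.
    if is_broadcast(pkt.src, subnets):
        return "drop: broadcast source address"
    # Part 2: do not forward packets directed to a broadcast address.
    if is_broadcast(pkt.dst, subnets) and not directed_broadcast:
        return "drop: directed broadcast not forwarded"
    return "forward"

# Constructed sample traffic arriving at the router (documentation addresses only).
SAMPLE = [
    Packet("203.0.113.9", "192.0.2.255", "icmp"),     # echo request to the /24's broadcast
    Packet("203.0.113.9", "198.51.100.127", "udp"),   # UDP to the /25's broadcast
    Packet("255.255.255.255", "192.0.2.10", "icmp"),  # broadcast as source: never legitimate
    Packet("203.0.113.9", "192.0.2.10", "icmp"),      # ordinary unicast echo request
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        verdict = forwarding_decision(pkt, CONNECTED_SUBNETS)
        print(f"{pkt.src:>16} -> {pkt.dst:<16} {pkt.proto:<4} {verdict}")
```

Passing `directed_broadcast=True` reproduces the pre-1999 default, under which the first two sample packets would be forwarded and every host on the subnet could answer the spoofed source.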
A Smurf amplifier is a computer network that lends itself to being used in a Smurf attack. Smurf amplifiers worsen the severity of a Smurf attack because they are configured in such a way that they generate a large number of ICMP replies to the victim at the spoofed source IP address. Attack Amplification Factor (AAF) is a term coined by Dr. Sanjeev Kumar, professor at The University of Texas, in his published paper to represent the degree of bandwidth enhancement or amplification that the original attack traffic undergoes (with the help of Smurf amplifiers) during its transmission towards the victim computer.
The related Fraggle attack works very similarly to the Smurf attack in that many computers on the network will respond to this traffic by sending traffic back to the spoofed source IP of the victim, flooding it with traffic.
References
- "Tfreak". Hackepedia, 2013-03-28. Retrieved 2019-11-13.
- For example, netscan.org (Web Archive) showed 122,945 broken networks as of Jan 25, 1999, but only 2,417 as of Jan 06, 2005.
- D. Senie, "Changing the Default for Directed Broadcasts in Routers", RFC 2644, BCP 34.
- P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", RFC 2827, BCP 38.
- "A Cisco Guide to Defending Against Distributed Denial of Service Attacks". Cisco. Retrieved 2019-09-26.
- S. Kumar (5 July 2007). "Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet". IEEE Xplore. Retrieved 2020-12-30.
- W. Hendric (23 March 2016). "Fraggle attack".
- Anonymous. Maximum Security, p. 310, at Google Books.
- S. Kumar, "Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet", Second International Conference on Internet Monitoring and Protection (ICIMP 2007), San Jose, CA, USA, 2007, pp. 25-25, doi: 10.1109/ICIMP.2007.42.