Smurf Attack

The Smurf Attack is a way of generating significant computer network traffic on a victim network. This is a type of denial-of-service attack that floods a system via spoofed broadcast ICMP requests.

This attack relies on a perpetrator sending a large number of ICMP requests to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts (for example via a layer 2 broadcast), most hosts on that IP network will take the ICMP request and reply to it, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet. According to CERT-CC, the name Smurf comes from the name of one of the exploit programs used to execute the attack.

In the late 1990s, many IP networks would participate in Smurf attacks (that is, they would respond to ICMP requests to broadcast addresses). Today, thanks largely to the ease with which administrators can make a network immune to this abuse, very few networks remain vulnerable to Smurf attacks.

The fix is two-fold:

  1. Configure individual hosts and routers not to respond to ICMP requests or broadcasts.
  2. Configure routers not to forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default; in that year, the standard was changed to require that the default be not to forward them.

Another proposed solution is network ingress filtering which rejects the attacking packets on the basis of the forged source address.
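The two router-side measures above (dropping directed broadcasts and ingress filtering) can be modelled as a single forwarding decision. The following is an added example, not part of the original article or any vendor's code; the interface names, prefixes and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed topology (assumption): interface name -> attached subnet.
ATTACHED = {
    "customer0": ipaddress.ip_network("192.0.2.0/24"),
    "customer1": ipaddress.ip_network("198.51.100.0/25"),
}
# Any interface not listed above (e.g. "upstream0") faces other networks.


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of an attached subnet."""
    dst = ipaddress.ip_address(dst)
    # /31 and /32 prefixes have no broadcast address, so skip them.
    return any(net.prefixlen < 31 and dst == net.broadcast_address
               for net in ATTACHED.values())


def source_allowed(in_iface, src):
    """Ingress filtering: reject sources that cannot belong on in_iface."""
    src = ipaddress.ip_address(src)
    if in_iface in ATTACHED:
        # A customer interface may only source its own prefix.
        return src in ATTACHED[in_iface]
    # From outside, a packet claiming an internal source is forged.
    return not any(src in net for net in ATTACHED.values())


def forward_decision(in_iface, src, dst):
    """Return 'forward' or a drop reason for one packet."""
    if not source_allowed(in_iface, src):
        return "drop: spoofed source"
    if is_directed_broadcast(dst):
        return "drop: directed broadcast"
    return "forward"


# Constructed sample packets: (ingress interface, source, destination).
SAMPLES = [
    ("customer0", "203.0.113.7", "198.51.100.127"),  # forged victim source
    ("upstream0", "203.0.113.7", "198.51.100.127"),  # broadcast of customer1
    ("upstream0", "203.0.113.7", "198.51.100.10"),   # ordinary unicast
    ("customer0", "192.0.2.5", "203.0.113.7"),       # legitimate outbound
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", forward_decision(*pkt))
```

The second sample shows why both checks matter: a router that is not on the spoofing host's access network cannot tell that the source is forged, so only the directed-broadcast rule stops the request there.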

An example of configuring a router not to forward packets to broadcast addresses, for a Cisco router, is:

Router(config-if)# no ip directed-broadcast

(This example does not prevent a network from becoming the target of a Smurf attack; it merely prevents the network from "attacking" other networks, or, better said, taking part in a Smurf attack.)

A Smurf amplifier is a computer network that lends itself to being used in a Smurf attack. Smurf amplifiers act to worsen the severity of a Smurf attack because they are configured in such a way that they generate a large number of ICMP replies to the victim at the spoofed source IP address.
