What Is a Smurf Attack? Definition & Protection
- By Greg Brown
- Oct 14, 2022
Smurf attacks are not the cute, short adorable blue characters that set up camp in your cabinets. The attack is a form of distributed denial of service (DDoS): the attacker sends ICMP echo requests with a forged source address to a network’s broadcast address, every host on that network answers the victim at once, and the victim’s bandwidth is exhausted.
It is an older technique that has largely been phased out against businesses, government sites and other well-defended targets, because the router and host defaults that made it possible were changed in the late 1990s. Smurf attacks still turn up occasionally, usually as small acts of vandalism against poorly maintained networks.
A Smurf attack exploits the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The attacker crafts ICMP echo requests (ping messages), which ask the receiving host to send back an echo reply, but addresses them to a network’s broadcast address and forges the source address so that it belongs to the victim. Each host that receives the broadcast replies to the victim, so one packet from the attacker becomes one reply from every host on the segment.
The echo replies go to the victim because the request’s source address was forged. In that sense a Smurf attack is a ping flood (a server overwhelmed with ICMP traffic) with an amplifier in front of it: the victim cannot keep up with the traffic and stops serving legitimate users. The damage is multiplied by the number of hosts on the broadcast network.
Smurf attacks are among the simplest and, against an unprotected network, most effective denial-of-service techniques, and a company or government facility of any size can be the target. They got their name from an exploit tool circulated in the 1990s, smurf.c, which generated large numbers of small ICMP echo requests with forged source addresses.
Combined with directed IP broadcast, a Smurf attack can cause a total denial of service for the network it targets. Note that Smurf is a network-layer attack rather than a piece of malware: nothing is downloaded or installed on the victim. The attacker only needs a host, often a compromised one, that can transmit packets with a forged source address.
Smurf attacks work best against outdated corporate and government networks with hundreds of hosts on a single broadcast segment. A single request to the broadcast address is delivered to every host, each of which replies, so the amplification factor is roughly the number of live hosts on the segment.
Smurf attacks are sometimes split into two types by scale. A basic attack floods a single host with echo replies to knock it off the network. An advanced attack aims the replies at several victims or recruits several amplifier networks at once, and can take down a large network.
What is a Fraggle Attack?
Fraggle attacks, like Smurf attacks, are named after a species from a puppet TV series (Fraggle Rock). The two work identically, except that a Fraggle attack floods the victim with User Datagram Protocol (UDP) traffic rather than ICMP: the attacker sends forged UDP packets to a network’s broadcast address aimed at the echo (port 7) or chargen (port 19) service, and every host running that service answers the victim.
Echo Requests, Responses, and Spoofing Explained
Let’s say you ping “www.type1.com” (typing the name into a browser’s address bar does not send a ping; browsing uses TCP, but the ping tool does). Your system sends an ICMP echo request (the ping message) to the web server on which “www.type1.com” is located. That web server sends back an ICMP echo reply, often loosely called an acknowledgment.
If both sides receive their ICMP packet, the round trip is complete and the user knows the host is reachable.
The primary aim of a Smurf attack is to overload this exchange by creating a “ping flood”: a massive number of echo requests that keeps the server from answering legitimate traffic. The problem with this approach is that it takes a lot of bandwidth. A single device usually cannot send enough echo requests on its own to create a ping flood.
Smurf attackers got around this by leveraging networks that accept directed broadcasts. An echo request sent to a network’s IP broadcast address is delivered to every host on that network, and each of them sends back a reply. This gives the attacker a one-to-many amplifier driven from a single device.
There is no point in any of this if the replies come back to the attacker. Instead, the attacker spoofs the source IP address in the ICMP packet so that it matches the victim’s. Every reply is then sent to the victim. Think of it as mailing 15,000 letters with the target’s return address on them all: their mailbox becomes too full, and nothing else will fit.
For example, if “www.type1.com” has the IP address “220.127.116.11,” the Smurf attacker forges an ICMP echo request that claims to originate from “220.127.116.11” and sends it to the broadcast address of an amplifier network; every host there replies to 220.127.116.11.
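The two signatures that fall out of the description above, as an added example that is not code from the article: at the edge of a would-be amplifier network, an echo request from outside addressed to the network’s broadcast address; at the victim, a burst of echo replies that answer no request it ever sent. The packet builder and the addresses (198.51.100.10 as the victim, 192.0.2.0/24 as the amplifier, both documentation ranges) are constructed for the demo, and the parser is the minimal IPv4/ICMP decode you would run over captured packets.

```python
"""Recognise Smurf traffic in raw IPv4/ICMP packets.

Added example, not code from the article. The addresses and packets below are
constructed: 198.51.100.10 plays the victim and 192.0.2.0/24 the amplifier
network (both RFC 5737 documentation ranges)."""
import ipaddress
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
VICTIM = "198.51.100.10"
AMPLIFIER_NET = "192.0.2.0/24"


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by the IPv4 header and ICMP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src, dst, icmp_type, ident=1, seq=1, payload=b"ping"):
    """Build a minimal IPv4 + ICMP echo packet; used only to construct sample input."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_icmp(pkt: bytes):
    """Return (src, dst, icmp_type) for an IPv4 packet carrying ICMP, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[ihl]


def amplifier_side_alerts(packets, local_net):
    """Edge of a would-be amplifier: echo requests from outside aimed at our
    broadcast address. That is the packet the Smurf attacker sends, and no
    legitimate outside host needs to send it."""
    net = ipaddress.ip_network(local_net)
    alerts = []
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type = parsed
        if (icmp_type == ICMP_ECHO_REQUEST and dst == str(net.broadcast_address)
                and ipaddress.ip_address(src) not in net):
            alerts.append((src, dst))
    return alerts


def victim_side_summary(packets, victim, min_sources=20):
    """At the victim: echo replies that answer no request the victim sent.
    A Smurf flood shows up as many unsolicited replies from many hosts."""
    outstanding = Counter()   # destination -> requests we sent and have not seen answered
    unsolicited = Counter()   # source -> replies we never asked for
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type = parsed
        if icmp_type == ICMP_ECHO_REQUEST and src == victim:
            outstanding[dst] += 1
        elif icmp_type == ICMP_ECHO_REPLY and dst == victim:
            if outstanding[src] > 0:
                outstanding[src] -= 1
            else:
                unsolicited[src] += 1
    return {
        "unsolicited_replies": sum(unsolicited.values()),
        "distinct_sources": len(unsolicited),
        "smurf_suspected": len(unsolicited) >= min_sources,
    }


def sample_captures():
    """Constructed captures from both vantage points."""
    # Seen at the amplifier network's edge: a normal broadcast ping from an inside
    # host, then the attacker's forged request carrying the victim's address.
    edge = [build_echo("192.0.2.5", "192.0.2.255", ICMP_ECHO_REQUEST),
            build_echo(VICTIM, "192.0.2.255", ICMP_ECHO_REQUEST)]
    # Seen at the victim: one legitimate ping exchange, then 60 replies from
    # hosts on 192.0.2.0/24 that the victim never pinged.
    at_victim = [build_echo(VICTIM, "192.0.2.1", ICMP_ECHO_REQUEST, seq=7),
                 build_echo("192.0.2.1", VICTIM, ICMP_ECHO_REPLY, seq=7)]
    at_victim += [build_echo("192.0.2.%d" % h, VICTIM, ICMP_ECHO_REPLY) for h in range(2, 62)]
    return edge, at_victim


if __name__ == "__main__":
    edge, at_victim = sample_captures()
    print("edge alerts:", amplifier_side_alerts(edge, AMPLIFIER_NET))
    print("victim summary:", victim_side_summary(at_victim, VICTIM))
```

The amplifier-side check is the one that matters for not becoming part of someone else’s attack; the victim-side count is what a flood actually looks like on the receiving end, and it is why blocking inbound echo requests does nothing for a victim, whose flood arrives as replies.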
University of Minnesota Attack
The best-known early Smurf attack hit the University of Minnesota in 1998.
The flood knocked out connectivity for many businesses across the entire state for more than an hour, with after-effects felt for weeks. Reading CNET’s description of the event, it is apparent that few people at the time were familiar with denial-of-service attacks on their servers.
The attack reached so far because of a cooperative agreement between the university and one of the state’s largest internet providers at the time, MRNet. The two organizations shared bandwidth, so the flood slowed connections for every client that routed through MRNet.
Defending against Smurf attacks is straightforward, and the problem is largely considered solved. Most modern routers ship with directed broadcast forwarding disabled, and most host operating systems ignore echo requests sent to a broadcast address, so the defaults prevent the exploit. Legacy systems, however, may need some tweaking.
Filtering incoming traffic at the network edge, based on packet headers, is an excellent first step. Smurf is a resource consumption attack: it aims to flood network resources with spoofed ICMP packets, and its ultimate goal is to use up all available bandwidth.
Mitigating a Smurf attack starts at the router. Two configuration changes on company routers go a long way toward shutting the attack down:
- Disable directed IP broadcast forwarding on all network routers (on Cisco IOS this is the interface command “no ip directed-broadcast,” which has been the default since IOS 12.0).
- Configure routers and hosts not to respond to ICMP echo requests sent to a broadcast address (on Linux, the sysctl net.ipv4.icmp_echo_ignore_broadcasts set to 1, which is the default). Ordinary unicast pings can still be allowed.
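The two settings above are easy to check mechanically. The following is an added example, not code from the article or from any vendor: it reads text in the form you would get from “show running-config” on Cisco IOS and from “sysctl -a” on Linux, flags an interface that still forwards directed broadcasts and a host that still answers broadcast pings, and goes one step beyond the article’s two settings by also checking that the internet-facing interface has a source-address check (uRPF, the usual anti-spoofing measure), since the attack depends on forged sources entering the network. Both config snippets are constructed for the demo.

```python
"""Audit the settings that let a network act as a Smurf amplifier.

Added example, not from the article. Input is text in the shape of
'show running-config' (Cisco IOS) and 'sysctl -a' (Linux); both snippets
below are constructed for the demo."""
import re

# Constructed IOS config: Gi0/0 faces the internet, Gi0/1 is the LAN.
# Only Gi0/1 still forwards directed broadcasts (the Smurf-enabling setting).
IOS_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
"""

# Constructed 'sysctl -a' excerpt from a LAN host that still answers broadcast pings.
SYSCTL_OUTPUT = """\
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_ratelimit = 1000
"""


def parse_interfaces(config):
    """Map interface name -> list of its indented config lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or any top-level line ends the block
    return blocks


def audit_ios(config, upstream):
    """Findings for an IOS config. 'upstream' names the internet-facing
    interface, where packets with forged source addresses would enter."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "ip directed-broadcast" in lines:
            findings.append(
                "%s: forwards directed broadcasts; set 'no ip directed-broadcast'" % name)
        if name == upstream and not any(l.startswith("ip verify unicast") for l in lines):
            findings.append(
                "%s: no source-address check; set 'ip verify unicast source reachable-via rx'" % name)
    return findings


def audit_sysctl(output):
    """Findings for a Linux host: it must not answer echo requests sent to a broadcast address."""
    settings = dict(re.findall(r"^(\S+)\s*=\s*(\S+)$", output, re.M))
    findings = []
    if settings.get("net.ipv4.icmp_echo_ignore_broadcasts") != "1":
        findings.append("net.ipv4.icmp_echo_ignore_broadcasts != 1; "
                        "set it to 1 (sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1)")
    return findings


def audit_all(config=IOS_CONFIG, upstream="GigabitEthernet0/0", sysctl_output=SYSCTL_OUTPUT):
    """Run both audits and return the combined list of findings."""
    return audit_ios(config, upstream) + audit_sysctl(sysctl_output)


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Run against the constructed input it reports three findings: the LAN interface still forwarding directed broadcasts, the upstream interface with no source check, and the host sysctl left at 0. An interface that shows neither line is fine on current IOS, where “no ip directed-broadcast” is the default and only the enabling line appears in the running config.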
Firewalls are another good step. Configure any perimeter firewall to drop ICMP echo requests arriving from outside the network that are addressed to a broadcast address, so the network cannot be used as an amplifier. Note that this does not protect a victim, whose flood arrives as echo replies rather than requests; for that, rate-limit or drop inbound echo replies that do not answer a request sent from inside.
Packet-filtering firewalls help, but they have limits. Because web traffic has to be allowed through, a packet filter does not stop many web-based attacks, and it judges each packet on its own. Network admins still have to distinguish friendly traffic from malicious traffic.
Stateful multi-layer inspection (SMLI) firewalls keep track of established connections on top of the standard packet filter. An SMLI firewall filters traffic by connection state, port, protocol and admin rules, which makes it a step above a plain packet filter: an ICMP echo reply for which the firewall never saw an outbound request can simply be dropped.
Scrubbing centers filter a flood upstream and send clean traffic back to the company or government. Large network vendors and cloud providers, Cisco among them, operate DDoS scrubbing services, and the cloud-based versions let vulnerable companies pay to have their traffic cleaned before it reaches them.
Keep Your Information Protected
Modern corporate and government networks are constantly under siege from malware and attack traffic originating all over the globe. Network and system admins are paid well to keep out the malicious code and traffic that can bring down a corporate network in minutes.
Each year brings new attacks with adorable names to keep the uninformed off balance. Most new malicious code is designed to find its way in through an uninformed, out-of-touch user.
Every corporate and government network user shares the responsibility to keep malicious threats out.