Smurfing
From Computing and Software Wiki
Smurfing or a Smurf Attack is a form of Denial-of-Service (DoS) attack where an attacker floods a target with ICMP echo (ping) traffic.
What is Smurfing?
Smurfing is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.
Smurfing or a Smurf Attack in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called Fraggle, which uses UDP echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".
How does a Smurf Attack take place?
In order for a Smurf Attack to take place, there are three parties which need to be considered. First is the attacker, who orchestrates the attack. Second is the amplifier, who is usually another victim of the attack. Last is the target.
The Attacker
The attack itself is fairly simple. However, the attacker will need a few things before the attack can be carried out. First, the attacker will need a fast connection to the Internet, and will need to find a large network, or a number of networks, attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a spoofed source address (the address of the target) to the broadcast address of the amplifier. The attacker has completed his portion of the attack.
The Amplifier
An amplifier is a large network that is connected to the Internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping replies are sent. When an attacker spoofs the source address of the ping requests, the ping replies do not go back to the attacker; they go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (e.g. T3) to accommodate the ping replies.
The Target
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a DoS and renders the target inaccessible to other users.
Prevention
To prevent a router from being an amplifier, two simple configurations need to be implemented.
- Routers and individual hosts should not respond to ping requests to broadcast addresses.
- Routers should not forward packets directed to broadcast addresses.
An example of how to configure a router so that packets are not forwarded to broadcast addresses would be:
no ip directed-broadcast
This configuration is for a Cisco router.
Another router configuration is to filter ICMP requests by source addresses. By applying a filter which will reject any outgoing packets that contain a source address from a different network, you eliminate the spoofing element of a Smurf attack.
It is important to note that these prevention techniques apply only to protecting a network from being an amplifier or the source of an attack. A similar procedure is required to prevent a Fraggle attack. If, however, the security mechanisms don't adequately enforce the security policy of the network, then these prevention techniques can easily be bypassed.
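The two router checks described in this section, modelled in Python as an added example (not part of the original wiki page and not router vendor code). The subnets, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample topology (documentation prefixes), not from the wiki page.
ATTACHED_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

def is_directed_broadcast(dst):
    """True if dst is the broadcast address of a subnet attached to this router."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in ATTACHED_SUBNETS)

def is_local_source(src):
    """True if src belongs to one of the attached subnets."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ATTACHED_SUBNETS)

def decide(direction, src, dst):
    """Verdict for one packet; direction is 'in' (from the Internet) or 'out'."""
    if direction == "in" and is_directed_broadcast(dst):
        # What 'no ip directed-broadcast' achieves: the router cannot amplify.
        return "drop: directed broadcast"
    if direction == "out" and not is_local_source(src):
        # Egress filter: a source from another network is treated as spoofed.
        return "drop: source not local"
    return "forward"

# Constructed sample packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("in", "203.0.113.9", "192.0.2.255"),      # broadcast of the /24
    ("in", "203.0.113.9", "198.51.100.127"),   # broadcast of the /25, not .255
    ("in", "203.0.113.9", "192.0.2.127"),      # ordinary host in the /24
    ("out", "192.0.2.10", "203.0.113.9"),      # legitimate local source
    ("out", "203.0.113.50", "203.0.113.80"),   # foreign source leaving the site
]

def verdicts():
    """Apply both checks to every sample packet, in order."""
    return [decide(*pkt) for pkt in SAMPLE_PACKETS]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts()):
        print(pkt, "->", verdict)
```

The /25 case shows why a filter must compute the broadcast address from the subnet mask instead of matching on a trailing .255.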
--Shahinrs 20:33, 13 April 2008 (EDT)