Smurfing
From Computing and Software Wiki
| Line 1: | Line 1: | ||
| - | '''Smurfing''' or a '''Smurf Attack''' is a | + | '''Smurfing''' or a '''Smurf Attack''' is a term used to describe a specific kind of [http://en.wikipedia.org/wiki/Denial_of_service Denial-of-Service](DoS) attack. The attack is achieved by the abuse of [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP] [http://en.wikipedia.org/wiki/Ping echo (ping)] which is sent to broadcast address. This can cause significant a increase in traffic which may block legitimate traffic, thus creating a denial of service. Smurfing victimises two parties generally, the target (the one being attacked), and the amplifier (the intermediate host which involuntarily lends its services to the attacker). |
| + | |||
{| __TOC__ | {| __TOC__ | ||
|} | |} | ||
| Line 7: | Line 8: | ||
| [[Image:brainy.jpg|thumb|165px|''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]] | | [[Image:brainy.jpg|thumb|165px|''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]] | ||
|} | |} | ||
| + | =What is Smurfing?= | ||
| + | '''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators.[1] "Smurfing" is originally derived from a cartoon, [http://en.wikipedia.org/wiki/Smurfs The Smurfs], which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.[1] | ||
| + | '''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''[http://en.wikipedia.org/wiki/Fraggle_attack Fraggle]''', which uses [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".[2] | ||
| - | + | =How does a Smurf Attack take place?= | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
{|align="right" | {|align="right" | ||
|- | |- | ||
| Line 23: | Line 20: | ||
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orchestrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target. | In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orchestrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target. | ||
===The Attacker=== | ===The Attacker=== | ||
| - | The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed] source address (the address of the target) to the [http://en.wikipedia.org/wiki/Broadcast_address broadcast address] of the amplifier. The attacker has completed his portion of the attack. | + | The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed] source address (the address of the target) to the [http://en.wikipedia.org/wiki/Broadcast_address broadcast address] of the amplifier. The attacker has completed his portion of the attack.[3] |
===The Amplifier=== | ===The Amplifier=== | ||
| - | An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies. | + | An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies.[4] |
===The Target=== | ===The Target=== | ||
| Line 32: | Line 29: | ||
<br clear=all/> | <br clear=all/> | ||
| - | + | =Prevention= | |
To prevent a router from being an amplifier, two simple configurations need to be implemented. | To prevent a router from being an amplifier, two simple configurations need to be implemented. | ||
* Routers and individual hosts should not respond to ping requests to broadcast addresses. | * Routers and individual hosts should not respond to ping requests to broadcast addresses. | ||
| - | * Routers should not forward packets directed to broadcast address. | + | * Routers should not forward packets directed to broadcast address.[5] |
An example of how to configure a router so that packets are not forwarded to broadcast addresses would be: | An example of how to configure a router so that packets are not forwarded to broadcast addresses would be: | ||
<code>no ip directed-broadcast</code> | <code>no ip directed-broadcast</code> | ||
| - | This configuration is for a [http://en.wikipedia.org/wiki/Cisco_Systems Cisco] router. | + | This configuration is for a [http://en.wikipedia.org/wiki/Cisco_Systems Cisco] router.[5] |
| - | Another router configuration is to filter ICMP requests by source addresses. By applying a filter which will reject any outgoing packets that contain a source address from a different network, you eliminate the spoofing element of a Smurf attack. | + | Another router configuration is to filter ICMP requests by source addresses. By applying a filter which will reject any outgoing packets that contain a source address from a different network, you eliminate the spoofing element of a Smurf attack.[6] |
It is important to note that these prevention techniques apply only to protecting a network form being an amplifier or the source of an attack. A similar procedure is required to prevent a Fraggle attack. If, however, the security mechanisms don't adequately enforce the [http://en.wikipedia.org/wiki/Security_policy security policy] of the network, then these prevention techniques can easily be by-passed. | It is important to note that these prevention techniques apply only to protecting a network form being an amplifier or the source of an attack. A similar procedure is required to prevent a Fraggle attack. If, however, the security mechanisms don't adequately enforce the [http://en.wikipedia.org/wiki/Security_policy security policy] of the network, then these prevention techniques can easily be by-passed. | ||
| - | + | =References= | |
| - | + | [http://en.wikipedia.org/wiki/Smurfing_%28crime%29] Structuring | |
| - | + | ||
| - | + | [http://www.pentics.net/denial-of-service/white-papers/smurf.cgi] The Lastest In Denial Of Service Attacks: "Smurfing" | |
| - | + | ||
| - | + | [http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm] Information Warfare Going on the Offensive | |
| - | + | ||
| - | + | [http://www.networkworld.com/archive/1999b/0222gearhead.html] Attacked by smurf | |
| - | + | ||
| + | [http://en.wikipedia.org/wiki/Smurf_attack] Smurf attack | ||
| + | |||
| + | [http://www.academ.com/nanog/oct1997/smurfing/sld001.htm] The Lastest In Denial Of Service Attacks: "Smurfing" | ||
| + | |||
| + | =Also See= | ||
| + | [[TCP/IP_Application_Development]] | ||
| + | |||
| + | [[The_Great_Firewall_of_China]] | ||
| + | |||
| + | [[Designing_a_Small_Business_Intranet]] | ||
| + | |||
| + | [[The_Five-Layer_TCP/IP_Model:_Description/Attacks/Defense]] | ||
| + | |||
| + | [[Social_engineering]] | ||
| + | |||
| + | |||
| + | =External Links= | ||
| + | [http://www.webopedia.com/TERM/S/smurf.html smurf] | ||
| + | |||
| + | [http://en.wikipedia.org/wiki/Ip_spoofing IP Spoofing] | ||
| + | |||
| + | [http://www.javvin.com/networksecurity/SmurfAttack.html Smurf Attack and Fraggle Attack] | ||
| + | |||
| + | [http://www-arc.com/sara/cve/Possible_DoS_problem.html Possible DoS (fraggle) Problem] | ||
| + | |||
| + | [ftp://ftp.isi.edu/in-notes/rfc2267.txt Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing] | ||
<hr> | <hr> | ||
| - | --[[User:Shahinrs|Shahinrs]] | + | |
| + | --[[User:Shahinrs|Shahinrs]] 22:40, 13 April 2008 (EDT) | ||
Current revision as of 02:40, 14 April 2008
Smurfing or a Smurf Attack is a term used to describe a specific kind of Denial-of-Service(DoS) attack. The attack is achieved by the abuse of ICMP echo (ping) which is sent to broadcast address. This can cause significant a increase in traffic which may block legitimate traffic, thus creating a denial of service. Smurfing victimises two parties generally, the target (the one being attacked), and the amplifier (the intermediate host which involuntarily lends its services to the attacker).
 Smurfs, as a society, were against any sort of attack. |
Contents |
What is Smurfing?
Smurfing is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators.[1] "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.[1]
Smurging or a Smurf Attack in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called Fraggle, which uses UDP echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".[2]
How does a Smurf Attack take place?
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orchestrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.
The Attacker
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a spoofed source address (the address of the target) to the broadcast address of the amplifier. The attacker has completed his portion of the attack.[3]
The Amplifier
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies.[4]
The Target
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a DoS and render the target inaccessible to other users.
Prevention
To prevent a router from being an amplifier, two simple configurations need to be implemented.
- Routers and individual hosts should not respond to ping requests to broadcast addresses.
- Routers should not forward packets directed to broadcast address.[5]
An example of how to configure a router so that packets are not forwarded to broadcast addresses would be:
no ip directed-broadcast
This configuration is for a Cisco router.[5]
Another router configuration is to filter ICMP requests by source addresses. By applying a filter which will reject any outgoing packets that contain a source address from a different network, you eliminate the spoofing element of a Smurf attack.[6]
It is important to note that these prevention techniques apply only to protecting a network form being an amplifier or the source of an attack. A similar procedure is required to prevent a Fraggle attack. If, however, the security mechanisms don't adequately enforce the security policy of the network, then these prevention techniques can easily be by-passed.
References
[1] Structuring
[2] The Lastest In Denial Of Service Attacks: "Smurfing"
[3] Information Warfare Going on the Offensive
[4] Attacked by smurf
[5] Smurf attack
[6] The Lastest In Denial Of Service Attacks: "Smurfing"
Also See
TCP/IP_Application_Development
Designing_a_Small_Business_Intranet
The_Five-Layer_TCP/IP_Model:_Description/Attacks/Defense
External Links
Smurf Attack and Fraggle Attack
Possible DoS (fraggle) Problem
--Shahinrs 22:40, 13 April 2008 (EDT)
