Smurfing

From Computing and Software Wiki

Revision as of 02:40, 14 April 2008 by Shahinrs (Talk)

Smurfing, or a Smurf attack, is a specific kind of Denial-of-Service (DoS) attack. It abuses ICMP echo requests (pings) sent to a network's broadcast address with a forged source address: every host on that network answers the forged address, so a small stream of requests becomes a large flood of replies. The resulting traffic can crowd out legitimate traffic and so deny service. Smurfing generally victimises two parties: the target (the host being attacked) and the amplifier (the intermediate network that involuntarily lends its hosts to the attacker).

Brainy Smurf
Smurfs, as a society, were against any sort of attack.

What is Smurfing?

Smurfing is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators.[1] "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.[1]

Smurfing, or a Smurf attack, in the context of network security describes the use of ICMP echo requests sent to broadcast addresses to generate very large volumes of reply traffic and so congest a network. The Smurf attack's cousin, Fraggle, uses UDP echo packets in the same way that Smurf uses ICMP echo packets; it was a simple rewrite of the smurf tool.[2]

How does a Smurf Attack take place?

In order for a Smurf attack to take place, three parties need to be considered. First is the attacker, who orchestrates the attack. Second is the amplifier, which is usually another victim of the attack, and last is the target.

The Attacker

The attack itself is fairly simple, but the attacker needs a few things before it can be carried out. First, the attacker needs a reasonably fast connection to the Internet. Second, the attacker must find a large network, or a number of networks, attached to the Internet by a router that forwards directed broadcasts (packets addressed to the network's broadcast address); this network is the amplifier. The attacker then sends ICMP echo requests with a spoofed source address (the address of the target) to the broadcast address of the amplifier. That completes the attacker's portion of the attack.[3]

The Amplifier

An amplifier is a large network connected to the Internet through a router that forwards directed broadcasts. When such a router receives a packet addressed to the network's broadcast address, it delivers it to every host on the network. If that packet is an ICMP echo request, most of the hosts reply to its source address. This means that if 500 hosts reply, every echo request sent to the amplifier produces 500 echo replies. Because the attacker spoofed the source address, the replies go not to the attacker but to the spoofed address, i.e. the target. With a fast connection the attacker can send many requests per second; the amplifier is assumed to have a much faster connection (e.g. a T3) that can carry the replies.[4] The amplification factor is the number of responding hosts, so, since an echo reply is about the same size as the request, a 1 Mbit/s stream of requests against a 500-host amplifier becomes roughly 500 Mbit/s of replies aimed at the target.

The Target

The target is generally a specific server or small network. While it is busy receiving and processing the flood of ICMP echo replies, and while its access link is saturated by them, it can no longer make its services available to its intended users. This creates a DoS and renders the target inaccessible to other users.


Prevention

To prevent a network from being used as an amplifier, two simple configurations need to be implemented.

  • Routers and individual hosts should not respond to ICMP echo requests sent to broadcast addresses.
  • Routers should not forward packets directed to broadcast addresses.[5]

An example of how to configure a Cisco router so that directed broadcasts are not forwarded is to apply the following on each interface (the interface name here is only an example):[5]

  interface FastEthernet0/0
   no ip directed-broadcast

The command is an interface-level setting, so it must be applied to every interface; on Cisco IOS releases from 12.0 onward it is the default.

Another router configuration is to filter packets by source address. A filter on the border router that rejects outgoing packets whose source address does not belong to the local network (egress filtering, or ingress filtering from the ISP's point of view, as described in RFC 2827) stops locally originated spoofed packets and so eliminates the spoofing element of a Smurf attack.[6]

It is important to note that these prevention techniques only protect a network from being an amplifier or the source of a spoofed attack; they do nothing for a target whose access link is already saturated by replies, which must be filtered upstream by the target's provider. The same procedure, with UDP echo (port 7) in place of ICMP echo, prevents a Fraggle attack. The measures also work only where they are applied consistently: if some routers or hosts of the network do not enforce them, the unfiltered paths remain usable as an amplifier.
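The following is an added example, not code from the original article or from any of its references. It models the three-party exchange described above (attacker, amplifier, target) and the two prevention settings plus egress filtering, so that the amplification factor and the effect of each control can be measured, and it includes a simple detector that flags a host receiving echo replies from many hosts of one network without having pinged them. All addresses come from the RFC 5737 documentation ranges and the traffic is constructed; grouping reply sources by /24 in the detector is an assumption of this example.

```python
"""Added example: a model of a Smurf attack and of the controls that stop it."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One ICMP echo packet; kind is 'echo-request' or 'echo-reply'."""
    src: str
    dst: str
    kind: str
    size: int = 64


@dataclass
class AmplifierNetwork:
    """A network behind a router. The two flags are the two prevention settings:
    the router forwarding directed broadcasts, and hosts answering broadcast pings."""
    network: ipaddress.IPv4Network
    host_count: int
    directed_broadcast: bool = True
    hosts_answer_broadcast: bool = True

    def hosts(self):
        return [str(h) for h in list(self.network.hosts())[:self.host_count]]

    def receive(self, pkt):
        """Return the echo replies that a packet arriving at the router provokes."""
        if pkt.kind != "echo-request":
            return []
        if pkt.dst == str(self.network.broadcast_address):
            # The router must forward the directed broadcast AND hosts must answer it.
            if not (self.directed_broadcast and self.hosts_answer_broadcast):
                return []
            return [Packet(h, pkt.src, "echo-reply", pkt.size) for h in self.hosts()]
        if pkt.dst in self.hosts():
            # Ordinary unicast ping: exactly one reply, no amplification.
            return [Packet(pkt.dst, pkt.src, "echo-reply", pkt.size)]
        return []


def egress_filter(pkt, local_network):
    """RFC 2827 style filter at the attacker's border: pass only packets whose
    source address belongs to the local network, which drops spoofed ones."""
    return ipaddress.ip_address(pkt.src) in local_network


def run_smurf(target_ip, amp, requests, attacker_network=None):
    """Send `requests` echo requests, with the target's address as the spoofed source,
    to the amplifier's broadcast address. Returns the replies that reach the target
    and the amplification factor (replies delivered per request sent)."""
    bcast = str(amp.network.broadcast_address)
    sent = [Packet(target_ip, bcast, "echo-request") for _ in range(requests)]
    if attacker_network is not None:
        sent = [p for p in sent if egress_filter(p, attacker_network)]
    replies = [r for p in sent for r in amp.receive(p)]
    delivered = [r for r in replies if r.dst == target_ip]
    return delivered, (len(delivered) / requests if requests else 0.0)


def detect_smurf(packets, min_sources=20):
    """Flag a destination that receives echo replies from many distinct hosts of the
    same /24 without having sent them echo requests. Grouping by /24 is an assumption
    of this example; a real detector would use the prefixes it actually observes."""
    requests_from = defaultdict(set)
    replies_to = defaultdict(lambda: defaultdict(set))
    for p in packets:
        if p.kind == "echo-request":
            requests_from[p.src].add(p.dst)
        elif p.kind == "echo-reply":
            prefix = str(ipaddress.ip_network(f"{p.src}/24", strict=False))
            replies_to[p.dst][prefix].add(p.src)
    alerts = []
    for dst, by_prefix in replies_to.items():
        for prefix, sources in by_prefix.items():
            unsolicited = sources - requests_from.get(dst, set())
            if len(unsolicited) >= min_sources:
                alerts.append((dst, prefix, len(unsolicited)))
    return alerts


# Constructed scenario using RFC 5737 documentation addresses (assumed, not real hosts).
TARGET = "203.0.113.10"
AMPLIFIER = AmplifierNetwork(ipaddress.ip_network("198.51.100.0/24"), host_count=100)
ATTACKER_NET = ipaddress.ip_network("192.0.2.0/24")


def scenario():
    """Run the attack unprotected, then with each control, then detect it."""
    # One legitimate ping from the target to a host in the amplifier, and its reply.
    legit = [Packet(TARGET, "198.51.100.7", "echo-request"),
             Packet("198.51.100.7", TARGET, "echo-reply")]
    flood, factor = run_smurf(TARGET, AMPLIFIER, requests=5)
    hardened_router = AmplifierNetwork(AMPLIFIER.network, 100, directed_broadcast=False)
    hardened_hosts = AmplifierNetwork(AMPLIFIER.network, 100, hosts_answer_broadcast=False)
    return {
        "unprotected": (len(flood), factor),
        "no_directed_broadcast": len(run_smurf(TARGET, hardened_router, 5)[0]),
        "hosts_ignore_broadcast": len(run_smurf(TARGET, hardened_hosts, 5)[0]),
        "egress_filtered": len(run_smurf(TARGET, AMPLIFIER, 5, ATTACKER_NET)[0]),
        "alerts": detect_smurf(legit + flood),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Five spoofed requests against the unprotected 100-host network deliver 500 replies to the target (factor 100); turning off directed broadcasts, making hosts ignore broadcast pings, or filtering the spoofed packets at the attacker's border each reduce that to zero. The detector reports 99 unsolicited sources rather than 100 because the one host the target really pinged is excluded, which is the check that keeps ordinary ping traffic from raising an alert.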

References

[1] Structuring

[2] The Latest In Denial Of Service Attacks: "Smurfing"

[3] Information Warfare Going on the Offensive

[4] Attacked by smurf

[5] Smurf attack

[6] The Latest In Denial Of Service Attacks: "Smurfing"

Also See

TCP/IP_Application_Development

The_Great_Firewall_of_China

Designing_a_Small_Business_Intranet

The_Five-Layer_TCP/IP_Model:_Description/Attacks/Defense

Social_engineering


External Links

smurf

IP Spoofing

Smurf Attack and Fraggle Attack

Possible DoS (fraggle) Problem

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing


--Shahinrs 22:40, 13 April 2008 (EDT)