Now let us talk about mitigating these attacks. This is done in two steps, as mentioned below:
- Individual routers and hosts should be configured so that they do not respond to ICMP requests sent to broadcast addresses.
- Routers should be configured not to forward packets addressed to a broadcast address. The standards in force in 1999 had routers forward such packets by default; later that year, these standards were changed.
Another solution to this problem is network ingress filtering, which rejects ICMP packets whose source address has been forged. An example of a router configuration that stops Cisco routers from forwarding directed broadcasts is:
Router(config-if)# no ip directed-broadcast
Even though this example prevents a network from participating in a smurf attack, it does not prevent it from becoming the target of one. Some computer networks lend themselves to being used in these attacks; such networks are termed smurf amplifiers. They make a smurf attack worse because their configuration lets them generate a large number of ICMP replies, all of which are sent to the spoofed IP address, i.e. the victim computer.
A variation of the smurf attack is the ‘fraggle attack’. In this attack the attacker sends a large volume of UDP traffic, with the source address forged as the victim’s IP address, to an IP broadcast address on ports 7 and 19, i.e. echo and chargen respectively. The attack works much like the original smurf attack: all the devices on the network send their replies to the victim address, causing the same kind of flooding as in the smurf attack. TFreak also released the source code for this attack, called fraggle.c.
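As an added example (not code from the original article), the following Python sketch puts the controls described above into one border-filter decision: dropping packets addressed to the subnet’s directed broadcast address (the router step), rejecting packets whose source address cannot belong to the side they arrived from (ingress filtering), and recognising the ICMP echo and UDP 7/19 probes that smurf and fraggle rely on. The prefix, packet records and verdict strings are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ICMP_ECHO_REQUEST = 8
FRAGGLE_PORTS = {7, 19}  # UDP echo and chargen, the ports fraggle aims at

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp" or "udp"
    dport: int = 0      # UDP destination port, ignored for ICMP
    icmp_type: int = 0  # ICMP type, 8 = echo request

def is_amplifier_probe(pkt: Packet) -> bool:
    """ICMP echo request (smurf) or UDP echo/chargen (fraggle)."""
    if pkt.proto == "icmp":
        return pkt.icmp_type == ICMP_ECHO_REQUEST
    return pkt.proto == "udp" and pkt.dport in FRAGGLE_PORTS

def filter_packet(pkt: Packet, local_net: IPv4Network, inbound: bool) -> str:
    """Return "forward" or "drop:<reason>" for one packet at the border router."""
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    # Ingress filtering: the source address must belong to the side it came from.
    if inbound and src in local_net:
        return "drop:spoofed-inside-source"
    if not inbound and src not in local_net:
        return "drop:spoofed-outside-source"
    # Router-side step: never forward to the subnet's directed broadcast address.
    if inbound and dst == local_net.broadcast_address:
        if is_amplifier_probe(pkt):
            return "drop:directed-broadcast-amplifier"
        return "drop:directed-broadcast"
    return "forward"

# Constructed sample traffic for a site using the documentation prefix 192.0.2.0/24.
SITE = IPv4Network("192.0.2.0/24")
SAMPLE = [  # (packet, inbound?)
    (Packet("203.0.113.9", "192.0.2.255", "icmp", icmp_type=8), True),  # smurf probe, forged source
    (Packet("203.0.113.9", "192.0.2.255", "udp", dport=19), True),      # fraggle probe to chargen
    (Packet("198.51.100.4", "192.0.2.10", "icmp", icmp_type=8), True),  # ordinary unicast ping
    (Packet("203.0.113.9", "198.51.100.255", "icmp", icmp_type=8), False),  # inside host, forged source
    (Packet("192.0.2.10", "198.51.100.4", "udp", dport=53), False),     # legitimate outbound query
]

def run_demo() -> list:
    """Apply the filter to every sample packet and return the verdicts in order."""
    return [filter_packet(pkt, SITE, inbound) for pkt, inbound in SAMPLE]
```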
Smurf attacks exploit IP broadcast addressing to create a denial-of-service attack; the affected networks become inoperable. ICMP is normally used by network administrators to exchange information about the state of the network. During the attack, these messages are used to ping the devices on the network to see if they are functional; a functional device returns a response. When there are a large number of pings and replies to them, a large volume of traffic is created that renders the network unusable. Since IP broadcast addressing is seldom used, it can be disabled at the network routers; this is the suggestion given by CERT for coping with smurf attacks.