Subscribe by Email

Monday, November 25, 2013

Security - What is meant by smurf attack?

A type of denial-of-service attack is the smurf attack. This attack involves broadcasting a large number of ICMP (internet control message protocol) packets to a computer network with the spoofed IP address of the victim through an IP broadcast address. Most of the devices online on that network respond to this broadcast by replying to the IP address of the source. Now, since the number of devices connected to the network and replying to this broadcast is very large, the system of the victim will get flooded with incoming traffic. This results in a slow down of the victim’s system and it becomes impossible to work on it. The attack was named after the name of the program’s source code called the ‘smurf.c’ which was released by TFreak in the year of 1997. At that time a lot of IP networks were vulnerable to this attack. But today most networks are immune to such attacks and very few are still vulnerable to it.
Now let us talk about the mitigation of these attacks. It can be fixed in two steps as mentioned below:
- The individual routers and hosts should be configured so that they do not respond to such broadcasts and the ICMP requests.
- Routers should be configured to not forward the packets to the destination address. The 1999 standards configured the routers for default forwarding of such packets. In the same year, these standards were changed.

Another solution to this problem is the network ingress filtering. This sort of filtering is implemented for rejecting those ICMP packets based up on the source address that has been forged. An example of router configuration that won’t allow packet forwarding in cisco routers is:
Router (config – if) # no ip directed – broadcast

Even though this example prevents a network from participating in the smurf attack, it does not prevent it from becoming its target. There are computer networks that lend themselves to be used in the attacks. Such networks are termed as the smurf amplifiers. They tend to worsen the smurf attack since their configuration is such that a lot of replies to the ICMP addresses will be generated from them at the spoofed IP address or the victim computer.

A variation of the smurf attack is the ‘fraggle attack’. In this attack a large UDP traffic along with the victim’s IP address is sent to an IP broadcast address by the attack at ports 7 and 19 i.e., echo and chargen respectively. The way of working of this attack is quite similar to the original smurf attack. All the devices on the network will send the traffic to the victim address causing the same kind of flooding as in the case of smurf attacks. The source code for this attack was also released by TFreak called the fraggle.c.
Smurf attacks are a way of exploiting the IP broadcast addressing for creating a denial – of – service attack. The affected networks becomes inoperable. ICMP is usually used by network administrators for exchanging info about the network state. During the attack, these messages are used to ping the devices on the network to see if they are in a functional state. If a device is functional it returns a response to this message. When there are a large number of pings as well as replies to them, a large traffic is created which renders the network unusable. Since the IP broadcast addressing is seldom used it can be disabled at the network routers. This is a suggestion given by CERT for coping with the problem of smurf attacks. 

No comments:

Facebook activity