Smurf attack

Last updated

A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. [1] Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

Contents

History

The original tool for creating a Smurf attack was written by Dan Moschuk (alias TFreak) in 1997. [2] [3]

In the late 1990s, many IP networks would participate in Smurf attacks if prompted (that is, they would respond to ICMP requests sent to broadcast addresses). The name comes from the idea of very small, but numerous attackers overwhelming a much larger opponent (see Smurfs). Today, administrators can make a network immune to such abuse; therefore, very few networks remain vulnerable to Smurf attacks. [4]

Method

A Smurf amplifier is a computer network that lends itself to being used in a Smurf attack. Smurf amplifiers act to worsen the severity of a Smurf attack because they are configured in such a way that they generate a large number of ICMP replies to the victim at the spoofed source IP address.

In DDoS, amplification is the degree of bandwidth enhancement that an original attack traffic undergoes (with the help of Smurf amplifiers) during its transmission towards the victim computer. An amplification factor of 100, for example, means that an attacker could manage to create 100 Mb/s of traffic using just 1 Mb/s of its own bandwidth. [5]

Under the assumption no countermeasures are taken to dampen the effect of a Smurf attack, this is what happens in the target network with n active hosts (that will respond to ICMP echo requests). The ICMP echo request packets have a spoofed source address (the Smurfs' target) and a destination address (the patsy; the apparent source of the attack). Both addresses can take two forms: unicast and broadcast.

The dual unicast form is comparable with a regular ping: an ICMP echo request is sent to the patsy (a single host), which sends a single ICMP echo reply (a Smurf) back to the target (the single host in the source address). This type of attack has an amplification factor of 1, which means: just a single Smurf per ping.

When the target is a unicast address and the destination is the broadcast address of the target's network, then all hosts in the network will receive an echo request. In return they will each reply to the target, so the target is swamped with n Smurfs. Amplification factor = n. If n is small, a host may be hindered but not crippled. If n is large, a host may come to a halt.

If the target is the broadcast address and the patsy a unicast address, each host in the network will receive a single Smurf per ping, so an amplification factor of 1 per host, but a factor of n for the network. Generally, a network would be able to cope with this form of the attack, if n is not too great.

When both the source and destination address in the original packet are set to the broadcast address of the target network, things start to get out of hand quickly. All hosts receive an echo request, but all replies to that are broadcast again to all hosts. Each host will receive an initial ping, broadcast the reply and get a reply from all n-1 hosts. An amplification factor of n for a single host, but an amplification factor of n2 for the network.

ICMP echo requests are typically sent once a second. The reply should contain the contents of the request; a few bytes, normally. A single (double broadcast) ping to a network with 100 hosts causes the network to process 10000 packets. If the payload of the ping is increased to 15000 bytes (or 10 full packets in Ethernet) then that ping will cause the network to have to process 100000 large packets per second. Send more packets per second, and any network would collapse under the load. This will render any host in the network unreachable for as long as the attack lasts.

Effect

A Smurf attack can overwhelm servers and networks. The bandwidth of the communication network can be exhausted resulting in the communication network becoming paralyzed. [6]

Mitigation

The fix is two-fold:

  1. Configure hosts and routers to ignore packets where the destination address is a broadcast address; and
  2. Configure routers to not forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default. Since then, the default standard was changed to not forward such packets. [7]

It's also important for ISPs to implement ingress filtering, which rejects the attacking packets on the basis of the forged source address. [8]

Mitigation on a Cisco router

An example of configuring a router so it will not forward packets to broadcast addresses, for a Cisco router, is:

Router(config-if)# no ip directed-broadcast [9]

(This example does not protect a network from becoming the target of a Smurf attack; it merely prevents the network from participating in a Smurf attack.)

Fraggle attack

A Fraggle attack (named for the creatures in the puppet TV series Fraggle Rock ) is a variation of a Smurf attack where an attacker sends a large amount of UDP traffic to ports 7 (Echo) and 19 (CHARGEN). It works similarly to the Smurf attack in that many computers on the network will respond to this traffic by sending traffic back to the spoofed source IP of the victim, flooding it with traffic. [10]

Fraggle.c, the source code of the attack, was also released by TFreak. [11]

See also

Related Research Articles

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address. For example, an error is indicated when a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications.

ping (networking utility) Network utility used to test the reachability of a host

ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software.

In computing, traceroute and tracert are diagnostic command-line interface commands for displaying possible routes (paths) and transit delays of packets across an Internet Protocol (IP) network.

<span class="mw-page-title-main">Denial-of-service attack</span> Type of cyber-attack

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.

<span class="mw-page-title-main">IP address spoofing</span> Creating IP packets using a false IP address

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system.

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.

<span class="mw-page-title-main">SYN flood</span> Denial-of-service attack

A SYN flood is a form of denial-of-service attack on data communications in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.

The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. IGMP is an integral part of IP multicast and allows the network to direct multicast transmissions only to hosts that have requested them.

<span class="mw-page-title-main">ARP spoofing</span> Cyberattack which associates the attackers MAC address with the IP address of another host

In computer networking, ARP spoofing is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

Distributed denial-of-service attacks on root nameservers are Internet events in which distributed denial-of-service attacks target one or more of the thirteen Domain Name System root nameserver clusters. The root nameservers are critical infrastructure components of the Internet, mapping domain names to IP addresses and other resource record (RR) data.

A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. In this attack, a host sends hundreds of ping requests with a packet size that is large or illegal to another host to try to take it offline or to keep it preoccupied responding with ICMP Echo replies.

A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP "echo request" (ping) packets. This is most effective by using the flood option of ping which sends ICMP packets as fast as possible without waiting for replies. Most implementations of ping require the user to be privileged in order to specify the flood option. It is most successful if the attacker has more bandwidth than the victim. The attacker hopes that the victim will respond with ICMP "echo reply" packets, thus consuming both outgoing bandwidth as well as incoming bandwidth. If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown.

<span class="mw-page-title-main">Broadcasting (networking)</span> Network messaging to multiple recipients simultaneously

In computer networking, telecommunication and information theory, broadcasting is a method of transferring a message to all recipients simultaneously. Broadcasting can be performed as a high-level operation in a program, for example, broadcasting in Message Passing Interface, or it may be a low-level networking operation, for example broadcasting on Ethernet.

In computer networking, ingress filtering is a technique used to ensure that incoming packets are actually from the networks from which they claim to originate. This can be used as a countermeasure against various spoofing attacks where the attacker's packets contain fake IP addresses. Spoofing is often used in denial-of-service attacks, and mitigating these is a primary application of ingress filtering.

A UDP flood attack is a volumetric denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.

arping is a computer software tool for discovering and probing hosts on a computer network. Arping probes hosts on the examined network link by sending link layer frames using the Address Resolution Protocol (ARP) request method addressed to a host identified by its MAC address of the network interface. The utility program may use ARP to resolve an IP address provided by the user.

In networking, a black hole refers to a place in the network where incoming or outgoing traffic is silently discarded, without informing the source that the data did not reach its intended recipient.

An ICMP tunnel establishes a covert connection between two remote computers, using ICMP echo requests and reply packets. An example of this technique is tunneling complete TCP traffic over ping requests and replies.

A broadcast storm or broadcast radiation is the accumulation of broadcast and multicast traffic on a computer network. Extreme amounts of broadcast traffic constitute a broadcast storm. It can consume sufficient network resources so as to render the network unable to transport normal traffic. A packet that induces such a storm is occasionally nicknamed a Chernobyl packet.

The BlackNurse attack is a form of denial of service attack based on ICMP flooding. The attack is special because a modest bandwidth of 20 Mbit/s can be effective for disrupting a victim's network.

References

  1. Sun, Fei Xian (2011). "Danger Theory Based Risk Evaluation Model for Smurf Attacks". Key Engineering Materials. 467–469: 515–521. doi:10.4028/www.scientific.net/KEM.467-469.515. ISSN   1662-9795. S2CID   110045205.
  2. "Tfreak". Hackepedia. 2013-03-28. Retrieved 2019-11-13.
  3. Pramatarov, Martin (2021-09-09). "What is a Smurf DDoS attack?". ClouDNS Blog. Retrieved 2022-09-15.
  4. For example, netscan.org (Web Archive) showed 122,945 broken networks as of Jan 25, 1999, but only 2,417 as of Jan 06, 2005.
  5. S. Kumar (5 July 2007). Kumar, Sanjeev (2007). "Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet". Second International Conference on Internet Monitoring and Protection (ICIMP 2007). p. 25. doi:10.1109/ICIMP.2007.42. ISBN   978-0-7695-2911-0. S2CID   14876546 . Retrieved 2020-12-30.{{cite book}}: |website= ignored (help)
  6. Hartanto, Sri (2023-07-30). "The Impact of Smurf Attack on Web Server in Communication Network and its Preventions". International Journal of Sustainable Applied Sciences (IJSAS). 1 (1). Sri Hartanto: 35–46. ISSN   3025-5597.
  7. D. Senie (August 1999). Changing the Default for Directed Broadcasts in Routers. Network Working Group. doi: 10.17487/RFC2644 . BCP 34. RFC 2644.Best Common Practice. Updates RFC  1812.
  8. Ferguson, P.; Senie, D. (May 2000). Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. IETF. doi: 10.17487/RFC2827 . BCP 38. RFC 2827.Best Common Practice.
  9. "A Cisco Guide to Defending Against Distributed Denial of Service Attacks". Cisco. Retrieved 2019-09-26.
  10. Hendric, William (23 March 2016). "Fraggle attack".
  11. Anonymous (2003). Maximum Security. Sams Publishing. ISBN   978-0-672-32459-8.