
Introduction
You’ve probably heard about pranks where a caller places orders at multiple pizza delivery outlets and then provides the address of an unsuspecting victim who receives an overwhelming number of pizzas. That’s the idea behind a DDoS smurf attack, only the calls are network messages and it’s an overwhelming amount of network communication that takes the victim by surprise. Unfortunately, that surprise isn’t nearly as benign.
In this blog, we’ll take an in-depth look at DDoS smurf attacks, including their history, how they work, the different types of smurf attacks, and their impact. We’ll also explain how you can protect against smurf attacks and prevent threat actors from using the technique to compromise service availability.
What is a smurf attack?
A smurf attack is a type of DDoS attack that occurs at the application layer (layer 7) of the OSI model, exploiting vulnerabilities in the protocols used for communication between servers. The attack gets its name from the smurf cartoon characters that work together to bring down larger enemies. Similarly, smurf attacks flood the network with a barrage of small requests that ultimately consume server resources to such an extent that these attacks degrade service and can completely bring down a network. Once the network is disabled and defenses are neutralized, the attacker can cause even more damage, including data exfiltration.
History of smurfing
Smurf attacks emerged in the 1990s and were created by Dan Moschuk, a hacker also known as TFreak. Not surprisingly, the ransomware used to launch these attacks is called DDoS Smurf malware, hence the broadening of the name to refer to the attack itself. The first known smurf attack example happened in 1998 against the University of Minnesota and also affected a regional internet service provider, slowing connections throughout the state and in some cases shutting down computers entirely and contributing to data loss.
Soon after, smurf DDoS attacks took down sites like eBay and Amazon, making the headlines and prompting the Computer Emergency Response Team (CERT) to issue advisories warning and educating organizations about the dangers of these attacks.
How do smurf attacks work?
Smurf attacks start with an Internet Control Message Protocol (ICMP) echo request, so you need to understand what that is in order to understand how a smurf attack works.
ICMP is a protocol used for communication between network devices. And an ICMP echo request is used to test the network and diagnose communication problems. The request is sent out to devices to make sure that data is being communicated. The device that receives the request sends a reply to confirm that communication is working.
A smurf attack hijacks this process to overwhelm the network with traffic by initiating a flurry of ICMP messages.
There are four main stages in a smurf attack:
- The attacker identifies a target and determines their IP address.
- Using DDoS.Smurf malware, the attacker fakes, or spoofs, the victim’s IP address and sends a large number of ICMP echo requests from that spoofed IP address to a broadcast address that relays the message to every device on the network.
- As each recipient sends an ICMP echo reply back to the broadcast address, the replies are routed to the victim.
- The network becomes flooded with traffic, slows down, and can become completely disabled so that legitimate traffic can’t get through.
Understanding amplification factor
The impact of a smurf DDoS attack is amplified based on the number of hosts on the network that receive the ICMP echo request.
For example:
- If the network has 75 hosts, each ICMP echo request sent to the broadcast address produces 75 replies to the victim, amplifying the traffic by a factor of 75.
- If the network has 1,000 hosts, a single ICMP echo request is amplified by a factor of 1,000.
This makes smurf attacks quite impactful: even though they consume very little of the attacker's bandwidth, they can take down large networks extremely effectively.
Types of smurf attacks
Smurf attacks can vary in their execution and impact, depending on whether they are basic or advanced.
- Basic smurf attacks. Thus far, we’ve been talking about basic smurf attacks, where the attacker floods the target network with traffic by launching a continuous stream of ICMP echo requests to the network’s broadcast address from a spoofed IP address. The replies generate a massive amount of traffic that disrupts the network.
- Advanced smurf attacks. Building on a basic smurf attack, an advanced smurf attack configures echo requests so that the echo responses go back to additional victims. This spreads the impact of the attack across multiple targets simultaneously to bring down groups of victims or more extensive networks all at once.
What is the impact of smurf attacks on businesses?
Smurf attacks aren’t among the most common attacks these days because there are many ways to prevent them. However, it is possible to accidentally download DDoS.Smurf malware from an infected website or through a malicious link in a phishing email. The program will remain dormant until the threat actor activates it remotely through a rootkit that comes bundled with the software.
When successful, a smurf attack can have a significant impact on your business.
- Smurf attacks can impact service availability – shutting down the network and servers for days which can translate into a loss in productivity, customers, and revenue.
- Smurf attacks can be the first step in a data breach – taking advantage of the network being down to gain access to confidential data and systems which leads to additional financial and reputational damage.
How to protect against smurf attacks
You can avoid smurf attacks by disabling IP broadcast capabilities across all your network routers or configuring your routers to not forward or respond to ICMP echo requests. Newer routers often come with these configurations in place by default.
However, smurf attacks persist today despite these improved internet infrastructure configurations that have mitigated their effectiveness.
To defend against smurf attacks, organizations can use a combination of best practices and technology, including:
- Maintain good cyber hygiene. Educate employees on how to avoid falling victim to phishing attacks, including by not clicking on suspicious links or attachments, since DDoS.Smurf malware may be lurking behind them.
- Disallow ICMP traffic. If you’re seeing unusual traffic spikes to your website, a slowdown in response times, unexpected service disruptions or complete outages, a DDoS smurf attack may be the culprit. You can block inbound ICMP traffic while you investigate.
- Rate limit traffic. Where possible, rate limit inbound ICMP traffic and block outbound ICMP traffic.
- Add firewall rules. You can add specific firewall policies to block activity that could indicate a smurf attack attempt.
- Use a DDoS protection platform. The most comprehensive way to mitigate DDoS attacks, including smurf attacks, is with DDoS protection. The best solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on threats including data leakage, ransom attacks, and other threats to your operations.
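The four stages above describe the traffic pattern a defender can look for: a flood of ICMP echo replies arriving at one host, from many hosts on a single subnet, that the host never pinged. The following Python detector, added here as an example and not part of the original post or any product, runs that check over constructed flow records and reports the observed amplification factor (the number of reflectors answering each spoofed request); the record format, the sample addresses and the threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of ICMP flow records (not captured from a real network):
# (timestamp_s, src, dst, icmp_type). Type 8 = echo request, type 0 = echo reply.
SAMPLE_FLOWS = [
    (0.00, "203.0.113.9", "198.51.100.40", 8),   # legitimate ping sent by the host
    (0.01, "198.51.100.40", "203.0.113.9", 0),   # ... and its matching reply
] + [
    # 40 hosts in 192.0.2.0/24 answering one request spoofed to the broadcast
    # address with the victim's source address: the smurf reflection pattern
    (1.0 + i * 0.001, f"192.0.2.{10 + i}", "203.0.113.9", 0) for i in range(40)
]


def find_smurf_victims(flows, min_reflectors=20):
    """Flag destinations receiving unsolicited echo replies from many hosts of
    one /24. Returns {victim_ip: report}; an empty dict means nothing matched."""
    requested = defaultdict(set)   # src -> destinations it sent echo requests to
    replies = defaultdict(list)    # dst -> [(timestamp, src)] echo replies received
    for ts, src, dst, icmp_type in flows:
        if icmp_type == 8:
            requested[src].add(dst)
        elif icmp_type == 0:
            replies[dst].append((ts, src))

    reports = {}
    for victim, received in replies.items():
        # Keep only replies the victim never asked for; a normal ping gets
        # exactly one reply per request it sent, so those are excluded here.
        unsolicited = [(ts, src) for ts, src in received if src not in requested[victim]]
        if not unsolicited:
            continue
        # Group reflectors by /24: a directed-broadcast amplifier shows up as
        # many distinct sources sharing one subnet (assumed /24 for the sample).
        by_subnet = defaultdict(set)
        for _, src in unsolicited:
            by_subnet[str(ip_network(f"{src}/24", strict=False))].add(src)
        amplifier, reflectors = max(by_subnet.items(), key=lambda kv: len(kv[1]))
        if len(reflectors) < min_reflectors:
            continue
        times = [ts for ts, src in unsolicited if src in reflectors]
        span = max(times) - min(times)
        reports[victim] = {
            "amplifier_subnet": amplifier,
            "amplification_factor": len(reflectors),   # replies per spoofed request
            "replies_per_second": len(times) / span if span > 0 else float("inf"),
        }
    return reports
```

In a real deployment the flow records would come from NetFlow/sFlow or a packet capture, and a hit is the cue to rate-limit inbound ICMP echo replies and confirm that directed broadcasts are disabled on the amplifier subnet's router.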
Conclusion
Smurf attacks have been around for decades, causing service disruptions that have interrupted operations for businesses, universities, and internet service providers, among others, and they can also lead to data breaches. The amplification factor makes smurf attacks a small but mighty force to deal with. An attack requires very little bandwidth to execute, yet its impact can spread across multiple targets simultaneously, bringing down groups of victims or more extensive networks all at once.
Fortunately, changing router configurations and upgrading to newer routers with default settings in place to limit the use of ICMP and broadcast capabilities have made smurf attacks less common. However, smurf attacks persist and are a type of attack organizations need to be aware of and understand how to protect against.
To defend against smurf attacks, organizations can use a combination of best practices and technology, including upgrading to newer routers that have defensive configurations, maintaining good cyber hygiene, rate limiting and filtering ICMP traffic, adding firewall rules, and using a DDoS protection solution.
DDoS protection provides uninterrupted service availability even in the midst of a DDoS attack and can protect you from smurf attacks as well as other types of DDoS attacks and the follow-on malicious activity that can also threaten your operations. Speak with a specialist to learn more.