A smurf attack is a form of a DDoS attack that causes packet flood on the victim by exploiting/abusing ICMP protocol. When deployed, large packets are created using a technique called “spoofing”. The phony source address that is now attached to these packets becomes the victim, as their IP is flooded with traffic. The intended result is to slow down the target’s system to the point that it is inoperable, and vulnerable.The Smurf DDoS Attack took it’s name from exploit tool called Smurf widely used back in 1990s. The small ICMP packet generated by the tool causes big trouble for a victim, hence the name Smurf.
Smurf attacks are an old technique, but remain relevant due to the popularity of deployment and necessary preemptive prevention tactics. Below, we take a look at the ins and outs of the smurf attack.
Smurf attacks originate from the attacker's computer. To begin, they target a router that interacts with a high number of devices. The attacker then deploys large ICMP requests to the router, causing the connected devices to respond to the ping. The spoofed IP address that is attached to these packets is forced to absorb the echoes, a result of connected devices responding to the ping.
Essentially, any device connected to this router that is trained to respond to the ping will be unable to recognize the spoofed IP addresses. As a result, the original request is amplified, and the victim's server will be crippled.
A basic smurf attack occurs when a victim's network finds itself in the midst of an ICMP request packet flood. The packets feature a source address that is set to the broadcast address of the intended target's network. If the packets disperse correctly, every device that connects to the targeted network would then reply to the ICMP request with an echo, resulting in a lot of traffic and possibly bringing the system down.
These start very similarly to a basic attack. The difference is that the echo request configured its source to respond to a third-party victim. This third-party victim will then receive the echo request that originates from the targeted subnet. Hackers find advanced smurf attacks to be beneficial because they can base their attack on a network that maintains stable, reliable links to the internet. As a result, hackers gain access to the systems that are connected to their original target, slowing down a larger subset of the web than what would have been possible had they limited their scope to one victim.
Smurf attacks will continue to be a threat, as they always have been. Advances in DDoS attack protection allow for network edge appliances to intercept incoming requests to filter out bad traffic from the good. Deploying inline or scrubbing DDoS mitigation technology can significantly lessen the impact on your network, business, and customers.
Outside of the benefits that advanced DDoS mitigations bring, you can protect yourself from a smurf attack by blocking directed broadcast traffic that is coming into the network. Ingress filtering can be used to examine all packets that are moving inbound. They will be denied or allowed entry to the system based on the legitimacy of their packet header.
The Corero SmartWall® Threat Defense System (TDS) has various protections against smurf attacks, including integrity analysis and built-in connection/rate limits. The Corero Security Operations Team (SOC) also has in-depth experience in dealing with smurf attacks and can enable additional mitigation functions for customers not already taking advantage of the SecureWatch® Managed Service offering.
Contact us to learn how to defend against volumetric attacks.