Cyber attacks are to be taken seriously. Even cute names can hide deadly poison. Today, let’s be aware of the smurf attack.
What is a Smurf attack?
A Smurf attack is a type of distributed denial of service (DDoS) attack. It took its name from the malware used to implement it, the Smurf malware. It targets computer networks to make them unavailable by exploiting vulnerabilities of the Internet Control Message Protocol (ICMP).
A Smurf attack floods a server with the use of ICMP data packets. Too many queries are sent with a forged IP address (the victim’s one) to one or multiple devices. When those devices respond to the server, the traffic attack gets amplified, and the victim falls down.
Which ICMP vulnerability does the Smurf attack exploit?
The ICMP allows devices of a network to detect communication problems. It diagnoses and reports bugs through messages (data packets) sent from the recipient to the source (sender) in case data don’t arrive properly.
The Ping command is commonly used to test hardware connected to the network (routers, computers, printers, etc.). And Ping works through ICMP. With a ping, you can know if a hardware is reachable. A message is sent (echo request) to a specific device, and then an acknowledgment is received (echo reply). Ping also allows measuring the time that takes for a message to travel from a source to its destination and back.
The issue is, ICMP doesn’t handshake as a part of its process. Therefore, hardware can’t check if the requests they receive are legit.
How does Smurf malware works?
Smurf malware produces a network data packet with a spoofed source IP address. The data packet travels as an ICMP ping message that will order the devices on the network’s nodes to send an answer. This cycle will be repeated using constant requests. Through ICMP echoes, a non-stop loop will be produced to overwhelm the target.
How does a Smurf attack work?
A Smurf attack starts with the activation of Smurf malware to create the echo request that will have a spoofed IP address changed to the victim’s one.
The request is sent, and then an intermediate IP broadcast from the network will transmit it to every host on the network.
Since inside the data packet there’s an ICMP ping message, it will request every node in its way an acknowledgment (answer). The more ICMP requests are sent, the more ICMP answers will be received.
Consider that the number of hosts on the intermediate network (IP broadcast) defines the scale of the attack’s amplification. One thousand hosts in such a network will generate one thousand answers for every spoofed echo request.
How to prevent or mitigate a Smurf attack?
- Pay attention to indicators like bandwidth trouble, crashing of server or router. A Smurf attack could be right on the corner.
- Monitor exhaustively your traffic for inspecting uncommon volume, behavior, signature on data packets.
- Get sufficient bandwidth to handle traffic spikes.
- Look for redundancy and an efficient load balancing system to distribute traffic.
- Protect your DNS servers against DDoS.
- Disable IP addresses broadcast on networks’ routers and firewalls.
- Block-directed broadcast traffic trying to access the network.
- Set up routers and hosts not to answer ICMP echo requests.
- Set up your operating system to forbid IP broadcast requests (ICMP).
- Set up your firewall’s perimeter to block pings incoming from outside the network.
A Smurf attack belongs to the most dangerous category of threats, DDoS attacks. Have a strategy for keeping your network safe. Don’t leave it for tomorrow!