Smurf attack

From Wikipedia, the free encyclopedia

The Smurf Attack is a denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, flooding the victim's computer with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

The name Smurf comes from the file "smurf.c", the source code of the attack program, which was released in 1997 by TFreak.[1]

History

In the late 1990s, many IP networks participated in Smurf attacks only if prompted (that is, they would respond to ICMP requests sent to broadcast addresses). Today, administrators can make a network immune to such abuse, therefore very few networks remain vulnerable to Smurf attacks.[2]

Mitigation

The fix is two-fold:

  1. Configure individual hosts and routers to not respond to ICMP requests or broadcasts; or
  2. Configure routers to not forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default. Since then, the default standard was changed to not forward such packets.[3]

Another proposed solution is network ingress filtering, which rejects the attacking packets on the basis of the forged source address.[4]

Mitigation on a Cisco Router

An example of configuring a router so it will not forward packets to broadcast addresses, for a Cisco router, is:

Router(config-if)# no ip directed-broadcast

(This example does not prevent a network from becoming the target of Smurf attack; it merely prevents the network from taking part in a Smurf attack.)

A Smurf amplifier is a computer network that lends itself to being used in a Smurf attack. Smurf amplifiers act to worsen the severity of a Smurf attack because they are configured in such a way that they generate a large number of ICMP replies to the victim at the spoofed source IP address.

Fraggle Attack

A fraggle attack is a variation of a Smurf attack where an attacker sends a large amount of UDP traffic to ports 7 (echo) and 19 (chargen) to an IP Broadcast Address, with the intended victim's spoofed source IP address. It works very similarly to the Smurf attack in that many computers on the network will respond to this traffic by sending traffic back to the spoofed source IP of the victim, flooding it with traffic.

"Fraggle.c", the source code of the attack, was also released by TFreak.[5]

See also

References

  1. "Phreak.org exploits archive: smurf.c". 
  2. For example, netscan.org (Web Archive) showed 122,945 broken networks as of Jan 25, 1999, but only 2,417 as of Jan 06, 2005.
  3. D. Senie, "Changing the Default for Directed Broadcasts in Routers", RFC 2644, BCP 34
  4. P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", RFC 2827, BCP 38
  5. "Phreak.org exploits archive: fraggle.c". 

External links

This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.