fbpx
A Smurf Attack is a DDoS form that makes computer networks inoperable by exploiting IP (Internet Protocol) and ICMP (Internet Control Message Protocols) vulnerabilities.
 
The first Smurf Attack goes back to the 1990s, when the University of Minnesota was targeted in 1998. The Minnesota Smurf Attack lasted more than an hour and “set off a chain reaction throughout the state, shutting down some computers entirely and in other cases causing data loss and network slowdowns.”
 
 

There are two types of Smurf Attack:

A. BASIC
In the Basic Smurf Attack, the seemingly endless ICMP request packages include a source address set to the broadcast address of the target’s network. If these packets disperse properly, there will be an echo from every single device on the network, which will create the overwhelming traffic that usually gets systems down.
 
B. ADVANCED
 
In the case of Advanced Smurf Attacks, the echo answers to the ICMP requests can configure their sources so that they respond to third party victims. In this way, hackers can reach various, bigger targets at once.

A Smurf Attack consists of 5 stages:

1. Firstly, a fake Echo request containing a spoofed source IP is generated through the Smurf malware. The spoofed IP is actually the target server address.
2. Secondly, an intermediate IP broadcast network is used to send the request.
3. Afterwards, the request is transmitted to every network host on the network.
4. During the penultimate stage of a Smurf Attack, each host sends an ICMP response to the spoofed source address.
5. In the last stage, the target server is brought down if there are large number of ICMP responses forwarded.
 
“Smurf Attack uses bandwidth consumption to disable a victim system’s network resources. It accomplishes the consumption using amplification of the attacker’s bandwidth. If the amplifying network has 100 machines, the signal can be amplified 100 times, so the attacker with relatively low bandwidth (such as the 56K modem) can flood and disable a victim system with much higher bandwidth (such as the T1 connection). “
 

HOW TO PROTECT YOURSELF FROM SMURF ATTACKS?

A Smurf Attack implies 3 players: the hacker, the intermediary / the amplifier, the victim. In order for the attack to start, the intermediary has to let a source-spoofed IP packet leave its network. Therefore, prevention has to be done on two levels: you must avoid being attacked and you must avoid being used to launch an attack.
 
A. Avoid Being The Amplifier:
You should disable IP-directed broadcast on the router – this will make it deny the broadcast traffic to the internal network from other networks. You can also try to apply an outbound filter to your perimeter router, as well as configuring hosts and routers not to respond to ICMP echo requests.
 
B. Avoid Being The Victim:
You should do many things here.
 
1. You have a prevention strategy based on traffic network monitoring that can detect any oddments – like packet volume, behaviour and signature. This could help you stop a Smurf Attack before it even begins.
2. You make sure you protect your servers with network firewalls or specialized web application firewalls.
3. You buy more bandwidth. You should have enough bandwidth to handle traffic spikes that might be the result of malicious activity.
4. You build redundancy. Your servers should spread across multiple data centres and have a good load balancing system for traffic distribution. The data centres should be, if possible, in different regions of the same country or even in different countries and should be connected to different networks.
5. You must protect your DNS servers. Besides building redundancy, you could also try to move to a cloud-based DNS provider, whose services are specifically designed with DDoS prevention in mind.
 
 

This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms. 

34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook. 

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM