Yes, the Smurf attack sounds cute and harmless, but we can assure you it is not. It is yet another DDoS attack designed to damage businesses and disrupt their workflows.
Smurf attack definition
The name Smurf comes from a popular Belgian comic and cartoon of the same name, in which many small blue characters work together to bring down one big, bad magician.
The Smurf DDoS attack is a protocol-based DDoS attack that uses the Internet Control Message Protocol (ICMP) to send ping packets whose source IP address has been spoofed by malicious software.
The packets are sent to a computer network using an IP broadcast address. The devices on that network respond and send their answers to the spoofed IP address. Because a whole network of computers, not just one, replies to the victim’s IP address, the traffic is amplified substantially and can become enormous: strong enough to severely slow down the victim’s computer and even bring it down for a while.
And you know, downtime means losses for the business.
How does a Smurf attack work?
- The malicious Smurf software spoofs the packets’ source IP address, replacing it with the victim’s IP address so that all the reply traffic goes to the victim.
- The packets are sent to the broadcast IP address of a router’s network. The router delivers the message to every device connected to that broadcast network, so the attack is amplified as many times as there are devices that respond.
- Each device receives the packets and replies, but to the spoofed IP address (the target’s IP address), so the traffic goes directly to the victim.
- The target starts receiving packets it never asked for, one after another. If there are too many, the target struggles to process them, and if the intensity does not drop, it is eventually overwhelmed and unable to process the pings.
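To make the amplification concrete from the defender’s side, here is an added example (not code from the original article) that runs the two checks a network operator would want over constructed packet records: echo requests hitting our broadcast address from a foreign source (our network being used as the amplifier) and a host receiving echo replies from hosts it never pinged (our host being the victim). The subnet 192.0.2.0/24, the victim address 203.0.113.7 and the packet records are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical subnet being abused as the amplifier; 203.0.113.7 plays the spoofed victim.
LOCAL_NET = ip_network("192.0.2.0/24")

# Constructed packet records: (source, destination, ICMP type); 8 = echo request, 0 = echo reply.
SAMPLE = [
    ("203.0.113.7", "192.0.2.255", 8),  # spoofed request aimed at the subnet's broadcast address
    ("192.0.2.10", "203.0.113.7", 0),   # every host that answers sends its reply to the victim
    ("192.0.2.11", "203.0.113.7", 0),
    ("192.0.2.12", "203.0.113.7", 0),
    ("192.0.2.13", "203.0.113.7", 0),
    ("192.0.2.10", "192.0.2.11", 8),    # an ordinary unicast ping and its reply, for contrast
    ("192.0.2.11", "192.0.2.10", 0),
]


def find_amplifier_abuse(packets, net=LOCAL_NET):
    """Amplifier-side signal: echo requests addressed to our broadcast address
    whose claimed source lies outside the subnet. A local host has no reason to
    reach its own broadcast address from a foreign address, so this is the
    spoofed request the article describes."""
    return [
        (src, dst, kind) for src, dst, kind in packets
        if kind == 8
        and ip_address(dst) == net.broadcast_address
        and ip_address(src) not in net
    ]


def find_reply_floods(packets, min_sources=3):
    """Victim-side signal: destinations receiving echo replies from many hosts
    they never pinged directly. Returns {destination: distinct unsolicited sources}."""
    replies = defaultdict(set)   # reply destination -> hosts that replied to it
    requests = defaultdict(set)  # request source -> hosts it actually pinged
    for src, dst, kind in packets:
        if kind == 0:
            replies[dst].add(src)
        elif kind == 8:
            requests[src].add(dst)
    flagged = {}
    for dst, sources in replies.items():
        # The spoofed request only "came from" the victim towards the broadcast
        # address, so every individual replying host counts as unsolicited.
        unsolicited = sources - requests[dst]
        if len(unsolicited) >= min_sources:
            flagged[dst] = len(unsolicited)
    return flagged
```

On a real network the victim only ever sees the replies and the amplifier only sees the requests, which is why both checks are needed; the min_sources threshold is a tuning knob, not a fixed value.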
What is the history of Smurf attacks?
Dan Moschuk (a.k.a. TFreak), a well-known hacker at the time, wrote the original code for the malware in 1997, while he was still an adolescent. He sent the original software to some of his friends, and later smurf.c crashed various IRC servers.
Because of the Smurf attack, network equipment producers started changing their devices’ settings to limit broadcasting to inside the LAN only.
Some years later, TFreak continued his work on malicious software and created a UDP version of the Smurf attack, which he called Fraggle.c.
Types of DDoS Smurf attack
There are two main types of Smurf attack:
Basic Smurf attack
The Basic Smurf attack works just as we explained: it floods a network with ping packets carrying the victim’s spoofed IP address. All the devices on the network answer the packets and send their replies to the target, causing massive traffic that can bring the system down over time.
Advanced Smurf attack
It looks similar to the Basic Smurf attack, with one small difference: the Advanced variant spoofs the packets’ IP addresses in such a way that the responses can be sent to more than one target. Once the attackers have infected enough networks, they can direct this amplified traffic at multiple victims to cause more damage.
How to mitigate a Smurf DDoS attack?
There are three things you can do to mitigate a Smurf attack:
Use DDoS protection
Having a large network of servers means your servers can withstand stronger traffic. Combine it with intelligent traffic monitoring that can identify the malicious traffic and a network of scrubbing centers, and you will have excellent protection against this type of DDoS attack.
If you want to learn more about DDoS protection, you can read this article: “DDoS attacks and how to protect ourselves”.
Block ICMP traffic
You can use your firewall to block ICMP traffic completely. This makes it impossible to suffer a Smurf attack or any other ICMP-based DDoS attack. The problem is that you will no longer be able to use the ping command for diagnostics. That could be a problem for administrators who need to check whether all the devices on a network or remote servers are connected and working, so this might not be an option for most people.
Stop packets with a broadcast IP address
You can also configure all your hosts and routing devices to ignore packets addressed to a broadcast IP address. That way, even if a modified Smurf attack packet reaches your network, it will not be accepted. If you do not need to broadcast any other messages, this could be an option. Still, it will limit your configuration, and you might need this feature.
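As an added example (not from the original article), here is a small audit of the two settings this mitigation relies on: the Linux sysctl net.ipv4.icmp_echo_ignore_broadcasts, which makes a host ignore echo requests sent to a broadcast address, and the Cisco IOS interface command ip directed-broadcast, which lets a router forward directed broadcasts into a LAN. The sysctl dump and router config excerpts are constructed, and the interface names and addresses are hypothetical.

```python
import re

# Constructed excerpt of a Linux `sysctl -a` dump for a hypothetical host (the weak setting).
SYSCTL_DUMP = """\
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_all = 0
"""

# Constructed excerpt of a Cisco IOS-style running config for a hypothetical router.
# Gi0/0 is explicitly exposed; Gi0/1 shows the corrected setting.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
"""


def audit_sysctl(dump):
    """Return the change needed so the host stops answering broadcast pings.
    Any value other than "1" (including the key being absent) is reported."""
    settings = dict(re.findall(r"^(\S+)\s*=\s*(\S+)", dump, re.M))
    findings = []
    if settings.get("net.ipv4.icmp_echo_ignore_broadcasts") != "1":
        findings.append("set net.ipv4.icmp_echo_ignore_broadcasts = 1")
    return findings


def audit_router(config):
    """Return interfaces that will relay a directed broadcast into their LAN,
    i.e. interfaces on which `ip directed-broadcast` is explicitly enabled."""
    exposed = []
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.strip() == "!":
            current = None  # end of the interface stanza
        elif line.strip() == "ip directed-broadcast" and current:
            exposed.append(current)
    return exposed
```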
Smurf Attack Transmission and Effects
A Smurf attack can start from a Trojan horse or other malware. It can be downloaded and executed by somebody on the network, or it can come in the form of an application. It is important to educate your staff about the dangers of phishing attacks that can lead to such problems.
The smurf will remain hidden on the infected host for a long time, until the attacker needs it. Then he or she activates it, and the host starts generating ICMP packets with a spoofed IP address. They are aimed at the victim, and the DDoS attack begins.
Staying safe online is getting harder every day, but you and your business can still be protected. By learning about threats like the Smurf attack and other DDoS attacks, you can understand how to stay safe. Use DDoS protection, and don’t let bad actors disrupt the work of your servers.