The Smurf attack is a denial-of-service attack in which an attacker sends large numbers of ICMP echo request (ping) packets, with the source address forged to be the intended victim's, to the IP broadcast address of a network. Every host on that network that honours the broadcast answers with an ICMP echo reply to the spoofed source, so the victim receives one reply per responding host for each packet the attacker sent.
If the routing device that delivers traffic to those broadcast addresses passes the IP directed broadcast on to all hosts (for example as a layer 2 broadcast), most hosts on that IP network will accept the ICMP request and answer it, multiplying the traffic by the number of hosts that respond. On a multi-access broadcast network, hundreds of machines might reply to each packet. According to CERT-CC, the name Smurf comes from the name of one of the exploit programs used to carry out the attack.
In the late 1990s, many IP networks would participate in Smurf attacks if prompted (that is, they answered ICMP echo requests sent to their broadcast addresses). Today, thanks largely to the ease with which administrators can make a network immune to such abuse, very few networks remain usable as Smurf amplifiers.
The fix is two-fold:
- Configure individual hosts and routers not to answer ICMP echo requests that arrive on a broadcast address (on Linux, for example, the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1 does this).
- Configure routers not to forward packets addressed to broadcast addresses (directed broadcasts). Until 1999 the standards required routers to forward such packets by default; RFC 2644 (BCP 34), published that year, changed the required default to not forwarding.
Mitigation on a Cisco Router
An example of configuring a Cisco router, in interface configuration mode, not to forward directed broadcasts on that interface is:
Router(config-if)# no ip directed-broadcast
(This example does not prevent a network from becoming the target of a Smurf attack; it only prevents the network from being used as an amplifier. Because the attack depends on a forged source address, ingress filtering at the attacker's own network edge, as described in RFC 2827 (BCP 38), is the complementary measure: it stops packets with a spoofed source from leaving the attacker's network in the first place.)
A Smurf amplifier is a network that lends itself to being used in a Smurf attack: its router forwards directed broadcasts and its hosts answer echo requests sent to the broadcast address, so each forged packet the attacker sends yields one reply from every responding host, all directed at the victim named in the spoofed source address. The more hosts that respond, the larger the amplification and the worse the attack.
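The following Python script is an added example, not code from the original article, showing how the mechanism and the amplifier behaviour described above look from the amplifier network's border. It runs two checks over constructed flow records of the form (source IP, destination IP, ICMP type): it flags echo requests addressed to a local directed-broadcast address (the trigger packet, whose visible source is the spoofed victim, not the attacker), and it flags unsolicited echo replies from many distinct local hosts to a single outside address (the amplified reflection). The network 192.0.2.0/24, the victim 198.51.100.9, the other addresses and the threshold of ten replying hosts are all assumptions chosen for the example; the records are constructed, not captured traffic.

```python
"""Spot Smurf trigger packets and amplified replies in constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed topology: 192.0.2.0/24 is the amplifier network, 198.51.100.9 the
# victim. Documentation address ranges, not real hosts.
LOCAL_NETS = [ip_network("192.0.2.0/24")]
VICTIM = "198.51.100.9"

# Constructed records as seen at the border of 192.0.2.0/24: (src, dst, type).
SAMPLE_RECORDS = (
    # A legitimate unicast ping of a local host from outside, and its reply.
    [("203.0.113.40", "192.0.2.3", ICMP_ECHO_REQUEST),
     ("192.0.2.3", "203.0.113.40", ICMP_ECHO_REPLY)]
    # The trigger: an echo request to the directed-broadcast address whose
    # source field has been forged to the victim's address.
    + [(VICTIM, "192.0.2.255", ICMP_ECHO_REQUEST)]
    # Twelve local hosts honour the broadcast and each replies to the victim.
    + [(f"192.0.2.{i}", VICTIM, ICMP_ECHO_REPLY) for i in range(10, 22)]
)


def find_broadcast_probes(records, local_nets):
    """Return (src, dst) for echo requests sent to a local broadcast address.

    The reported source is whatever the packet claims, i.e. the spoofed
    victim; only ingress filtering upstream (BCP 38) can tie the packet
    to its true origin.
    """
    broadcasts = {net.broadcast_address for net in local_nets}
    return [(src, dst) for src, dst, kind in records
            if kind == ICMP_ECHO_REQUEST and ip_address(dst) in broadcasts]


def find_amplified_replies(records, local_nets, min_sources=10):
    """Return {outside dst: distinct local repliers} for unsolicited reply floods.

    A reply from host h to address v is solicited when the records also
    contain a unicast echo request from v to h. Replies triggered by a
    broadcast request have no such matching unicast request.
    """
    def is_local(addr):
        a = ip_address(addr)
        return any(a in net for net in local_nets)

    # (request dst, request src) pairs: the (replier, receiver) pairs a
    # legitimate echo reply may have.
    solicited = {(dst, src) for src, dst, kind in records
                 if kind == ICMP_ECHO_REQUEST}
    sources_by_dest = defaultdict(set)
    for src, dst, kind in records:
        if kind != ICMP_ECHO_REPLY or not is_local(src) or is_local(dst):
            continue
        if (src, dst) in solicited:
            continue
        sources_by_dest[dst].add(src)
    return {dst: len(srcs) for dst, srcs in sources_by_dest.items()
            if len(srcs) >= min_sources}


def amplification_factor(records, local_nets, victim):
    """Echo replies delivered to the victim per broadcast probe spoofing it."""
    probes = sum(1 for src, _ in find_broadcast_probes(records, local_nets)
                 if src == victim)
    replies = sum(1 for _, dst, kind in records
                  if kind == ICMP_ECHO_REPLY and dst == victim)
    return replies / probes if probes else 0.0


if __name__ == "__main__":
    print("broadcast probes:", find_broadcast_probes(SAMPLE_RECORDS, LOCAL_NETS))
    print("amplified reply floods:", find_amplified_replies(SAMPLE_RECORDS, LOCAL_NETS))
    print("amplification factor:", amplification_factor(SAMPLE_RECORDS, LOCAL_NETS, VICTIM))
```

On the constructed records the probe check reports the victim's address as the source of the broadcast request, which is exactly why the attacker's own provider, not the amplifier network, is the only party able to identify the real origin. The reply check attributes the twelve replies to the victim and the legitimate reply to 203.0.113.40 is ignored because a matching unicast request exists; the factor of twelve is the number of responding hosts, which is what the text means by the traffic being multiplied by the number of hosts responding.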
- "CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks".
- For example, netscan.org (Web Archive) listed 122,945 networks that answered broadcast pings (usable Smurf amplifiers) as of Jan 25, 1999, but only 2,417 as of Jan 06, 2005.
- D. Senie, "Changing the Default for Directed Broadcasts in Routers", RFC 2644, BCP 34
- P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", RFC 2827, BCP 38