Wednesday, February 1, 2012

DoS, Smurf, and Fraggle Attacks

Denial of service (DoS) attacks such as smurf and fraggle attacks are important to understand when studying for any security certification including Security+, SSCP, or CISSP. Smurf and fraggle attacks are similar but they have subtle differences.

DoS Attack

A DoS attack comes from a single entity and is intended to make a computer’s resources or services unavailable to users. DoS attacks against a server prevent the server from responding to legitimate requests from users. A distributed DoS (DDoS) attack comes from multiple attackers at the same time.

Smurf Attack

A smurf attack uses Internet Control Message Protocol (ICMP) to send a broadcast ping with a spoofed source address. It's easier to understand this by looking at one step at a time.
  • Normal ping. A regular ping sends one or more ICMP echo requests to a system and the system responds with one or more ICMP echo replies. This provides verification the remote system is operational. A regular ping uses unicast. In other words, the ICMP packet is addressed to one system from one system.
  • Broadcast ping. A broadcast ping is not normal. It sends the ICMP echo request to a broadcast address, so it reaches virtually all systems on the network. Each system will then respond to the system that sent it, flooding that system with ICMP echo replies.
  • Spoofed source broadcast ping. The smurf attack spoofs the source address with the address of the victim, and then sends it out as a broadcast ping. Each system on the network will then respond, and flood the victim with echo replies.
There's an important point to remember though. Routers do not forward directed broadcasts by default. This was actually a change in RFC 2644, released in 1999 in direct response to smurf attacks and the use of networks as smurf amplifiers. RFC 2644 is an update to RFC 1812, which stated that a router must default to forwarding directed broadcasts. Routers today comply with RFC 2644, so smurf attacks are limited to a broadcast domain. They will not go beyond a router.

With this in mind, it would be rare to see a smurf attack. However, that doesn't mean it won't be tested.

Note: Many firewalls block ICMP packets to prevent any type of attack using ICMP. If a ping succeeds, it verifies that the system is operational. However, if a ping fails it doesn't prove that the system is not operational. ICMP may be blocked preventing the ping.

Fraggle Attack

Fraggle attacks are similar to smurf attacks but instead of using ICMP, they use UDP ports 7 and 19.

As described earlier, the ping command uses ICMP and it is used to check if a system is operational. Tools are available that use UDP instead of ICMP and instead of checking to see if a system is operational, they check to see if the system is listening on a specific port. This is commonly done with many different types of vulnerability scanners used by both attackers and security administrators.

Chargen (character generator) is an older protocol described in RFC 864 (dated May 1983). A system listens on either TCP or UDP port 19 (known as the chargen port) for chargen requests. When a connection is established to this port, the system responds with a constant stream of characters to the original system. Typically the original system would use TCP or UDP port 7 (known as the echo port), but this isn't required. When the original system begins receiving the characters, it knows the target system is operational and closes the connection.

In a fraggle attack, a spoofed broadcast packet is sent to UDP port 19. The spoofed address is the address of the victim. Since it is broadcast, it goes to every system on the network. If port 19 is open and the character generator service is running on these systems, they will send a stream of characters to the victim.

Realistically, systems today will not have port 19 open or the chargen service running. Additionally, routers do not forward directed broadcasts, so any attack is limited to a single network. Said another way, it is very unlikely you will ever see a fraggle attack today.

Basic Protection

In addition to ensuring that routers are configured in compliance with RFC 2644 and do not pass broadcasts, there are some other basic steps that protect you from these types of attacks:
  • Disable unnecessary services and protocols. If a service or protocol is not needed on a system, it should not be enabled. I cannot think of a system in use today that would need the chargen service so it should be disabled if it is even available on the system.
  • Close unneeded ports. If a port is not needed, it should be closed on both network-based and host-based firewalls. With the port closed, all traffic is blocked and attacks are stopped.
  • Use ingress filters on firewalls. Don't allow traffic into a network that shouldn't be there. A common ingress filter on a boundary firewall (between the Internet and an internal network) blocks all traffic coming from the Internet with a spoofed private IP address.
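The three patterns this page describes (an ICMP echo request to a directed-broadcast address, UDP traffic to the echo or chargen port at a broadcast address, and Internet-side traffic carrying a private source address) can be checked in a simple audit over packet summaries. The example below is added here and is not from the original post; the packet summaries are constructed, the local subnet and interface names are assumptions, and a real deployment would feed it from a packet capture or firewall log.

```python
import ipaddress

# RFC 1918 ranges: a packet arriving on the Internet-facing interface with one
# of these as its source is spoofed and should be dropped by an ingress filter.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# UDP services abused by fraggle: echo (port 7) and chargen (port 19).
FRAGGLE_PORTS = {7, 19}

# Constructed sample packet summaries (not captured traffic). "outside" is the
# assumed name of the Internet-facing interface, "inside" the internal one.
SAMPLE_PACKETS = [
    {"iface": "outside", "proto": "icmp", "type": "echo-request", "src": "203.0.113.5", "dst": "192.168.1.255"},
    {"iface": "outside", "proto": "udp", "dport": 19, "src": "192.168.1.20", "dst": "192.168.1.255"},
    {"iface": "outside", "proto": "icmp", "type": "echo-request", "src": "203.0.113.5", "dst": "192.168.1.20"},
    {"iface": "inside", "proto": "udp", "dport": 53, "src": "192.168.1.30", "dst": "203.0.113.53"},
    {"iface": "outside", "proto": "udp", "dport": 7, "src": "198.51.100.7", "dst": "192.168.1.255"},
]
LOCAL_NETS = ["192.168.1.0/24"]  # assumed local subnet behind the boundary firewall


def is_directed_broadcast(dst, local_nets):
    """True if dst is the broadcast address of one of the local subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in local_nets)


def classify(pkt, local_nets):
    """Return the set of findings for one packet summary (empty if benign)."""
    findings = set()
    src = ipaddress.ip_address(pkt["src"])
    if pkt["iface"] == "outside" and any(src in net for net in RFC1918):
        findings.add("spoofed-private-source")  # ingress-filter violation
    if is_directed_broadcast(pkt["dst"], local_nets):
        if pkt["proto"] == "icmp" and pkt.get("type") == "echo-request":
            findings.add("smurf-amplification")  # our LAN used as a smurf amplifier
        elif pkt["proto"] == "udp" and pkt.get("dport") in FRAGGLE_PORTS:
            findings.add("fraggle-amplification")
    return findings


def audit(packets, local_nets):
    """Map packet index -> sorted findings, for packets that triggered any."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    report = {}
    for i, pkt in enumerate(packets):
        findings = classify(pkt, nets)
        if findings:
            report[i] = sorted(findings)
    return report


if __name__ == "__main__":
    for i, tags in audit(SAMPLE_PACKETS, LOCAL_NETS).items():
        print(i, SAMPLE_PACKETS[i]["src"], "->", SAMPLE_PACKETS[i]["dst"], tags)
```

Packets 0, 1 and 4 are flagged; packet 1 trips both the ingress filter and the fraggle check, while unicast pings and ordinary outbound DNS pass untouched.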

Summary

In summary, DoS attacks such as smurf and fraggle attacks attempt to prevent a system from responding to legitimate requests. A smurf attack sends a broadcast ping with a spoofed IP address (the IP address of the victim), and ping uses ICMP. A fraggle attack uses UDP ports 7 and 19 instead of ICMP, and sends broadcast UDP traffic with a spoofed IP address (the IP address of the victim).