Saturday, February 16, 2013

Smurf Attacks


If you're planning on taking the Security+, SSCP, or CISSP exam, you should know about many of the attack types, such as the smurf attack. As an example, Objective 3.2 ("Analyze and differentiate among types of attacks") for the CompTIA Security+ exam lists several common types of attacks, including the smurf attack.

A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. That's a complex sentence, so it's worthwhile breaking this down. 

A Ping is Normally Unicast

A ping is normally a unicast message sent from one computer to one computer. It sends ICMP echo requests to one computer, and the receiving computer responds with ICMP echo replies. Figure 1 shows how this works. Computer 1 is sending out a unicast ping to computer 3, and computer 3 responds with ICMP replies.

[Figure 1: Ping uses unicast]
If you receive the responses you know that the other computer is operational.

Note: Because ICMP is used in many types of attacks, many firewalls block ICMP echo requests. If you don't receive ping responses back it doesn't necessarily mean the other computer is not operational. It could be because the ping is being blocked by a firewall.

On Windows systems, ping sends out four ICMP echo requests and gets back four replies. On some other operating systems, ping continues until stopped. You can add the -t switch to ping on Windows systems to make the requests continue until stopped.

A Smurf Attack Sends the Ping Out as a Broadcast

Instead of using a unicast message, a smurf attack sends out the ping request as a broadcast. In a broadcast, one computer sends the packet to all other computers in the subnet. These computers then reply to the single computer that sent the broadcast ping, as shown in Figure 2. Computer 1 is sending out a broadcast ping to all the computers on the subnet, and each one of them is now responding, flooding the computer with ping replies.

[Figure 2: Ping using broadcast instead of unicast]

If computer 1 is the attacker, the result shown in Figure 2 isn't very beneficial to the attacker. Unless something is changed, the attacker gets attacked.

The Smurf Attack Spoofs the Source IP

If the source IP address isn't changed, the computer sending out the broadcast ping will get flooded with the ICMP replies. Instead, the smurf attack substitutes the source IP with the IP address of the victim, and the victim gets flooded with these ICMP replies. Figure 3 shows how computer 1 can send out the smurf attack using computer 2's IP address as the source IP address. All the computers on the subnet then flood computer 2 with ICMP replies.

[Figure 3: Broadcast ping spoofing the source IP address]

Smurf Attacks Use Amplifying Networks

A smurf amplifier is a network that multiplies the effect of a smurf attack: every host that answers the broadcast adds another reply aimed at the victim. This is easily prevented by configuring the router or firewall to block the IP directed broadcasts that smurf attacks depend on. However, if a router or firewall isn't configured to protect the network, the network can become part of the attack.

Figure 4 shows how this works. The attacker (computer 1) sends a broadcast ping into the amplifying network with a spoofed source IP address of computer 6. Each computer in the amplifying network receives the broadcast and then responds by flooding the victim (computer 6) with ping replies.
[Figure 4: Smurf attack using amplifying network]
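As an added example (not part of the original post), the following Python script shows both halves of the defense described above: the router-side check that drops ICMP echo requests addressed to a subnet's directed broadcast address, and a simple detection over flow records that flags a host receiving echo replies from many different sources at once, which is what the victim in Figure 4 sees. The subnets, the flow records and their key=value format are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Subnets behind the router (constructed example values).
CONFIGURED_SUBNETS = ["192.168.1.0/24", "10.0.0.0/24"]

# Constructed sample flow records: ICMP type 8 = echo request, type 0 = echo reply.
SAMPLE_FLOWS = """\
proto=icmp type=8 src=192.168.1.20 dst=192.168.1.255
proto=icmp type=8 src=10.0.0.7 dst=10.0.0.8
proto=icmp type=0 src=10.0.0.3 dst=192.168.1.20
proto=icmp type=0 src=10.0.0.4 dst=192.168.1.20
proto=icmp type=0 src=10.0.0.5 dst=192.168.1.20
proto=icmp type=0 src=10.0.0.6 dst=192.168.1.20
proto=icmp type=0 src=10.0.0.8 dst=10.0.0.7
"""

def parse_flow(line):
    """Turn one 'key=value ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def is_directed_broadcast(dst, subnets=CONFIGURED_SUBNETS):
    """True when dst is the broadcast address of a configured subnet.
    This is the check behind "block IP directed broadcasts": such a
    request is dropped instead of fanning out to every host on the segment."""
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(s).broadcast_address for s in subnets)

def filter_echo_requests(lines):
    """Split ICMP echo requests into (forwarded, dropped) under the rule."""
    forwarded, dropped = [], []
    for line in lines.strip().splitlines():
        f = parse_flow(line)
        if f["proto"] != "icmp" or f["type"] != "8":
            continue
        (dropped if is_directed_broadcast(f["dst"]) else forwarded).append(f)
    return forwarded, dropped

def reply_fan_in(lines, threshold=3):
    """Detection side: count distinct sources sending echo replies to each
    destination. A smurf victim gets replies from many hosts at once, so a
    fan-in at or above the threshold is worth alerting on."""
    sources = defaultdict(set)
    for line in lines.strip().splitlines():
        f = parse_flow(line)
        if f["proto"] == "icmp" and f["type"] == "0":
            sources[f["dst"]].add(f["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= threshold}
```

On the sample data the request to 192.168.1.255 is dropped, the unicast request is forwarded, and 192.168.1.20 is flagged for receiving replies from four distinct hosts.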

Not Blue Packets

The rumor that a smurf attack is one where attackers send out little blue packets that report back to Papa Smurf is simply not true.
[Image: Smurfs]

Summary

Ensure you understand the basics of a smurf attack when taking any security-based exam, such as the Security+, SSCP, or CISSP exams. A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. Smurf attacks are known to use amplifying networks, but administrators commonly block the directed broadcasts they rely on with rules on a router or firewall.