Monday, June 24, 2013

Identify Smurf Attacks in the Security+ Exam

Identify Smurf Attacks

Can you identify smurf attacks? The Security+ exam expects you to be able to analyze and differentiate different types of attacks, including a smurf attack, so you should understand how it works.

Performance Based Questions

Topics such as identifying attacks are ideally suited for the new performance based questions on the CompTIA Security+ exam. Instead of answering a multiple choice question, you might need to identify an attack shown in a diagram. If you're unfamiliar with the new performance based questions, check out these blogs too:

Identify Smurf Attacks - An Overview

A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. That's a complex sentence, so it's worthwhile breaking this down.
  • A ping is normally a unicast message
  • A smurf attack sends a ping as a broadcast instead of a unicast
  • The smurf attack spoofs the source IP address using the IP address of the victim
  • Other systems on the network flood the victim with ping replies

A Ping is Normally Unicast

A ping is normally a unicast message sent from one computer to one computer. It sends ICMP echo requests to one computer, and the receiving computer responds with ICMP echo responses.  Figure 1 shows how this works. Computer 1 is sending out a unicast ping to computer 3 and computer 3 responds with ICMP replies.
Figure 1: Ping uses unicast
If you receive the responses you know that the other computer is operational.

Note: Because ICMP is used in many types of attacks, many firewalls block ICMP echo requests. If you don't receive ping responses back it doesn't necessarily mean the other computer is not operational. It could be because the ping is being blocked by a firewall.

On Windows systems, ping sends out four ICMP requests and gets back four replies. On some other operating systems, ping continues until stopped. You can add the -t switch to ping on Windows systems, causing ping requests to continue until stopped.

A Smurf Attack Sends the Ping Out as a Broadcast

Instead of using a unicast message, a smurf attack sends out the ping request as a broadcast. In a broadcast, one computer sends the packet to all other computers in the subnet. These computers then reply to the single computer that sent the broadcast ping, as shown in Figure 2. Computer 1 is sending out a broadcast ping to all the computers on the subnet, and each one of them is now responding, flooding computer 1 with ping replies.
Figure 2: Ping using broadcast instead of unicast
If computer 1 is the attacker, the results of Figure 2 aren't very beneficial.  If something isn't changed, the attacker gets attacked.

The Smurf Attack Spoofs the Source IP

If the source IP address isn’t changed, the computer sending out the broadcast ping will get flooded with the ICMP replies. Instead, the smurf attack substitutes the source IP with the IP address of the victim, and the victim gets flooded with these ICMP replies. 

Figure 3 shows how computer 1 can send out the smurf attack using computer 2's IP address as the source IP address. All the computers on the subnet then flood computer 2 with ICMP replies.
Figure 3: Broadcast ping spoofing the source IP address

Smurf Attacks Use Amplifying Networks

A smurf amplifier is a computer network used in a smurf attack. A network is easily prevented from acting as an amplifier by blocking the IP directed broadcasts that smurf attacks rely on. However, if a router or a firewall isn't configured to protect the network, it can become part of the attack.

Figure 4 shows how this works. The attacker (computer 1) sends a broadcast ping into the amplifying network with a spoofed source IP address of computer 6. Each computer in the amplifying network receives the broadcast and then responds by flooding the victim (computer 6) with ping replies.
Figure 4: Smurf attack using amplifying network
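
The pattern in Figure 4 leaves two recognizable traces in ICMP records: an echo request addressed to a broadcast address, and one host receiving echo replies it never asked for from many responders. The following Python is an added example, not code from the original post; the addresses, the `(source, destination, ICMP type)` record format, and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

def broadcast_pings(packets, subnet):
    """Echo requests sent to the subnet's directed broadcast or to 255.255.255.255."""
    targets = {str(subnet.broadcast_address), "255.255.255.255"}
    return [p for p in packets if p[2] == ECHO_REQUEST and p[1] in targets]

def reply_floods(packets, min_responders=3):
    """Hosts that got echo replies from at least min_responders hosts they never pinged."""
    # A reply from S to D is solicited only if D sent a unicast request to S.
    asked = {(src, dst) for src, dst, icmp_type in packets if icmp_type == ECHO_REQUEST}
    unsolicited = defaultdict(set)
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REPLY and (dst, src) not in asked:
            unsolicited[dst].add(src)
    return {victim: sorted(responders) for victim, responders in unsolicited.items()
            if len(responders) >= min_responders}

# Constructed sample records (documentation address ranges, not captured traffic).
SUBNET = ipaddress.ip_network("192.0.2.0/24")   # assumed amplifying network
VICTIM = "198.51.100.6"                         # stands in for computer 6
PACKETS = [
    ("192.0.2.10", "192.0.2.20", ECHO_REQUEST),  # ordinary unicast ping
    ("192.0.2.20", "192.0.2.10", ECHO_REPLY),    # its matching reply
    (VICTIM, "192.0.2.255", ECHO_REQUEST),       # broadcast ping, source is spoofed
    ("192.0.2.2", VICTIM, ECHO_REPLY),
    ("192.0.2.3", VICTIM, ECHO_REPLY),
    ("192.0.2.4", VICTIM, ECHO_REPLY),
    ("192.0.2.5", VICTIM, ECHO_REPLY),
]

if __name__ == "__main__":
    for src, dst, _ in broadcast_pings(PACKETS, SUBNET):
        print(f"broadcast ping to {dst}; claimed source {src} is the likely victim")
    for victim, responders in reply_floods(PACKETS).items():
        print(f"{victim} received unsolicited echo replies from {len(responders)} hosts")
```

The ordinary unicast ping and its reply are not flagged, because the reply matches a request the recipient actually sent.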

Not Blue Packets

The rumor that a smurf attack is one where attackers send out little blue packets that report back to Papa Smurf is simply not true.

Summary

Ensure you understand the basics of a smurf attack when taking any security-based exam such as the Security+, SSCP, or CISSP exams. A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. Smurf attacks are known to use amplifying networks, but administrators commonly block this with rules on a router or firewall.