Smurf attack

A Smurf attack works the same way as an ICMP flood, but it uses other networks to multiply the number of requests. It is based on sending a large amount of ICMP echo traffic (for more information about ICMP echo requests, read the article on ICMP flood) with the spoofed source address of the victim network to a broadcast server. Spoofing the source address tricks the receiving system into thinking that the request came from a third server, so it responds to a computer other than the one that sent the request.

When the broadcast server (amplifier) receives the echo/ping traffic, it automatically delivers it to all the computers in its network. All computers in the network respond to the request, thereby multiplying the number of requests sent to the victim by the number of computers in the network.

How not to become an amplifier for a Smurf attack

1. Configure individual computers and routers in your network not to respond to broadcast pings.

2. Configure routers not to forward any packets that are sent directly to broadcast addresses. Until 1999 it was standard for routers to broadcast the packets, which made Smurf attacks much easier. Nowadays, however, it is recommended to switch off the directed broadcast feature.

3. Use ingress filtering to sort out spoofed packets. This might have a negative effect on performance, but it is also a great tool for tracking the attack.
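
The forwarding decision behind steps 2 and 3, as an added example that is not part of the original article: a border router drops packets whose source address is outside the prefix assigned to the interface they arrived on, and drops packets addressed to the broadcast address of a subnet it serves. The interface names, prefixes (documentation address ranges) and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption): prefixes legitimately reachable behind
# each customer-facing interface of a border router.
INTERFACE_PREFIXES = {
    "customer0": [ipaddress.ip_network("192.0.2.0/25")],
    "customer1": [ipaddress.ip_network("192.0.2.128/25")],
}
# Constructed subnets (assumption) that this router delivers to directly.
LOCAL_SUBNETS = [ipaddress.ip_network("198.51.100.0/26"),
                 ipaddress.ip_network("198.51.100.64/26")]

def is_directed_broadcast(dst, subnets=LOCAL_SUBNETS):
    """True if dst is the broadcast address of one of the served subnets."""
    addr = ipaddress.ip_address(dst)
    # /31 and /32 networks have no broadcast address, so skip them.
    return any(net.prefixlen < 31 and addr == net.broadcast_address
               for net in subnets)

def source_is_valid(ingress_if, src):
    """Ingress filtering: the source must belong to the interface's prefixes."""
    prefixes = INTERFACE_PREFIXES.get(ingress_if)
    if prefixes is None:  # no filter list for this interface (e.g. upstream)
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def verdict(ingress_if, src, dst):
    if not source_is_valid(ingress_if, src):
        return "drop: source not in prefix assigned to " + ingress_if
    if is_directed_broadcast(dst):
        return "drop: directed broadcast"
    return "forward"

# Constructed sample packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("customer0", "192.0.2.10", "203.0.113.5"),     # normal traffic
    ("customer0", "203.0.113.7", "198.51.100.63"),  # spoofed source
    ("upstream", "203.0.113.7", "198.51.100.63"),   # to a subnet broadcast address
    ("upstream", "203.0.113.7", "198.51.100.20"),   # to a single host
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", verdict(*pkt))
```

Logging the dropped packets together with their ingress interface is what makes this filter useful for tracking where spoofed traffic enters the network.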

How to stop a Smurf attack?

Just like ICMP floods, Smurf attacks are very hard to stop. Few steps can be taken to stop them once they have started.

1. Set a rate limit on ICMP traffic volume on your network. This way not all of the packets reach your service, so it is not halted.

2. Contact your internet service provider immediately. Only they can totally limit the number of packets that reach your site. A poorly configured firewall can be brought to its knees despite the traffic filters applied.






