Tuesday, October 12, 2004

SMURF ???

Wondering, What is a SMURF Attack ???

The SMURF Attack, named after its exploit program, is a denial-of-service attack which uses spoofed broadcast ping messages to flood a target system.

In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet.

Several years ago, most IP networks could be thus used in smurf attacks -- in the lingo, they were "smurfable". Today, thanks largely to the ease with which a network can be made immune to this abuse, very few networks remain smurfable. http://www.netscan.org

To secure a network with a Cisco router from being used in a smurf attack, the router command no ip directed-broadcast will suffice.

Definations from google...

Google - define:SMURF Attack

A malicious attack where the hacker sends a large number of spoofed ping packets to broadcast addresses, with the intent that these packets will be magnified and sent to the spoofed addresses. This has exponential possibilities, depending on how many hosts respond. (link)

A Denial of Service attack that floods its target with replies to ICMP echo (PING) requests. A smurf attack sends PING requests to internet broadcast addresses, which forward the PING requests to up to 255 hosts on a subnet. The return address of the PING request is spoofed to be the address of the attack target. All hosts receiving the PING requests reply to the attack target, flooding it with replies. (link)

An attack against availability based in part on an attack on authenticity. Smurf uses a broadcast ICMP echo (ping) with a spoofed source address, resulting in a high volume of responses to the spoofed system. (link)

2 comments:

Sankar said...

Hi,
I stumbled across your blog today. This is a great site and the content is very good.
Keep it going.
Sankar

umesh said...

thanks