Ask the Expert

Can smurf attacks cause more than just a denial of service?

Can Smurf attacks do anything besides slow your network down?

    Requires Free Membership to View

Smurf attacks were one of the first network-based denial-of-service attacks to widely affect systems attached to the Internet. The Computer Emergency Response Team (CERT) first issued an advisory on smurf attacks in January 1998.

A smurf attack floods a network with unwanted traffic, and attackers pull this off by taking advantage of a design flaw in the Internet Control Message Protocol (ICMP) echo request/reply protocol, also called a "ping."

A ping allows remote systems to quickly determine whether another system is live on the network. If system X wants to "ping" system Y, it sends an ICMP echo request packet with a source address of X and a destination address of Y. When Y receives the echo request, it reads the source address (in this case, X) and sends an ICMP echo reply message back to the originating host. These replies quickly add up and, when repeated, can overwhelm the victim system, causing a denial of service.

In a smurf attack, a malicious system creates a fake ICMP echo request packet, using the victim system's IP address as the source address. Instead of sending this packet to a single system, the attacker sends it to a broadcast address, causing hundreds or thousands of systems to receive the request. Those systems all read the source address of the echo request and send back an echo reply to the victim system.

Now, 10 years after that first advisory, the smurf attack is generally regarded as a resolved threat, for two reasons. First, modern operating systems simply won't respond to an ICMP echo request that has a broadcast source address. Second, it's fairly simple to block inbound broadcast traffic at the router or firewall layer. For example, on Cisco routers, the command:

no ip directed-broadcast

will stop the use of the router if a smurf attack is detected.

So, the short answer to your question is no. Smurf attacks are strictly denial-of-service attacks and do not jeopardize the confidentiality or integrity of your data.

More information:

  • Hackers use DNS amplification attacks to flood packets and generate bogus traffic. Security expert Ed Skoudis reviews the threat.
  • Should service providers be doing more to prevent DDoS attacks?
  • This was first published in May 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: