Smurf attack
{{Short description|Type of attack on a computer network}}
[[File:Ddos-attack-ex.png|thumb|alt=Diagram of the attack]]
A '''Smurf attack''' is a [[distributed denial-of-service attack]] in which large numbers of [[Internet Control Message Protocol]] (ICMP) packets with the intended victim's [[IP address spoofing|spoofed]] source IP are broadcast to a [[computer network]] using an IP [[broadcast address]].<ref>{{Cite journal |last=Sun |first=Fei Xian |date=2011 |title=Danger Theory Based Risk Evaluation Model for Smurf Attacks |url=https://www.scientific.net/KEM.467-469.515 |journal=Key Engineering Materials |language=en |volume=467-469 |pages=515–521 |doi=10.4028/www.scientific.net/KEM.467-469.515 |s2cid=110045205 |issn=1662-9795|url-access=subscription }}</ref> Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

==History==
The original tool for creating a Smurf attack was written by Dan Moschuk (alias TFreak) in 1997.<ref>{{cite web|url=http://hackepedia.org/?title=Tfreak |title=Tfreak |publisher=Hackepedia |date=2013-03-28 |accessdate=2019-11-13}}</ref><ref>{{Cite web |last=Pramatarov |first=Martin |date=2021-09-09 |title=What is a Smurf DDoS attack? |url=https://www.cloudns.net/blog/what-is-smurf-ddos-attack/ |access-date=2022-09-15 |website=ClouDNS Blog |language=en-US}}</ref> In the late 1990s, many IP networks would participate in Smurf attacks if prompted (that is, they would respond to ICMP requests sent to broadcast addresses). The name comes from the idea of very small but numerous attackers overwhelming a much larger opponent (see [[Smurfs]]).
Today, administrators can make a network immune to such abuse; therefore, very few networks remain vulnerable to Smurf attacks.<ref>For example, [https://web.archive.org/web/19990125091051/http://www.netscan.org/ netscan.org (Web Archive)] showed 122,945 broken networks as of Jan 25, 1999, but only 2,417 as of Jan 06, 2005.</ref>

==Method==
A '''Smurf amplifier''' is a computer network that lends itself to being used in a Smurf attack. Smurf amplifiers worsen the severity of a Smurf attack because they are configured in such a way that they generate a large number of [[Internet Control Message Protocol|ICMP]] replies to the victim at the spoofed source IP address. In DDoS, ''[[Denial-of-service attack|amplification]]'' is the degree of bandwidth enhancement that the original attack traffic undergoes (with the help of Smurf amplifiers) during its transmission towards the victim computer. An amplification factor of 100, for example, means that an attacker could create 100 Mb/s of traffic using just 1 Mb/s of its own bandwidth.<ref>S. Kumar (5 July 2007). {{cite book|chapter-url=https://ieeexplore.ieee.org/document/4271771|chapter=Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet|website=IEEE Xplore|year=2007|doi=10.1109/ICIMP.2007.42|s2cid=14876546|language=en|access-date=2020-12-30|last1=Kumar|first1=Sanjeev|title=Second International Conference on Internet Monitoring and Protection (ICIMP 2007) |page=25|isbn=978-0-7695-2911-0}}</ref>

Under the assumption that no countermeasures are taken to dampen the effect of a Smurf attack, this is what happens in the target network with ''n'' active hosts (hosts that will respond to ICMP echo requests). The ICMP echo request packets have a spoofed source address (the Smurfs' target) and a destination address (the patsy; the apparent source of the attack). Both addresses can take two forms: [[unicast]] and [[Broadcasting (networking)|broadcast]].
The dual unicast form is comparable with a regular ping: an ICMP echo request is sent to the patsy (a single host), which sends a single ICMP echo reply (a Smurf) back to the target (the single host in the source address). This type of attack has an amplification factor of 1, which means just a single Smurf per ping.

When the target is a unicast address and the destination is the broadcast address of the target's network, then all hosts in the network will receive an echo request. In return they will each reply to the target, so the target is swamped with ''n'' Smurfs. Amplification factor = ''n''. If ''n'' is small, a host may be hindered but not crippled. If ''n'' is large, a host may come to a halt.

If the target is the broadcast address and the patsy a unicast address, each host in the network will receive a single Smurf per ping, so an amplification factor of 1 per host, but a factor of ''n'' for the network. Generally, a network would be able to cope with this form of the attack if ''n'' is not too great.

When both the source and destination address in the original packet are set to the broadcast address of the target network, things get out of hand quickly. All hosts receive an echo request, but all replies to it are broadcast again to all hosts. Each host will receive an initial ping, broadcast the reply and get a reply from all ''n-1'' hosts. That is an amplification factor of ''n'' for a single host, but an amplification factor of ''n<sup>2</sup>'' for the network.

ICMP echo requests are typically sent once a second. The reply should contain the contents of the request; a few bytes, normally. A single (double broadcast) ping to a network with 100 hosts causes the network to process {{gaps|10|000}} packets. If the payload of the ping is increased to {{gaps|15|000}} bytes (or 10 full packets in [[Ethernet]]), then that ping will cause the network to have to process {{gaps|100|000}} large packets per second.
Send more packets per second, and any network would collapse under the load. This will render any host in the network unreachable for as long as the attack lasts.

==Effect==
A Smurf attack can overwhelm servers and networks. The bandwidth of the communication network can be exhausted, resulting in the communication network becoming paralyzed.<ref>{{Cite journal |last=Hartanto |first=Sri |date=2023-07-30 |others=Sri Hartanto |title=The Impact of Smurf Attack on Web Server in Communication Network and its Preventions |url=https://journal.multitechpublisher.com/index.php/ijsas/article/view/138 |journal=International Journal of Sustainable Applied Sciences |language=en |volume=1 |issue=1 |pages=35–46 |issn=3025-5597}}</ref>

==Mitigation==
The fix is two-fold:
#Configure hosts and routers to ignore packets where the destination address is a broadcast address; and
#Configure routers to not forward packets directed to broadcast addresses.
Until 1999, standards required routers to forward such packets by default. Since then, the default standard was changed to not forward such packets.{{Ref RFC|2644}} It is also important for ISPs to implement [[ingress filtering]], which rejects the attacking packets on the basis of the forged source address.{{Ref RFC|2827}}

===Mitigation on a Cisco router===
An example of configuring a router so it will not forward packets to broadcast addresses, for a [[Cisco Systems|Cisco]] router, is:
:{{code|Router(config-if)# no ip directed-broadcast}}<ref>{{cite web|url=https://www.cisco.com/c/en/us/about/security-center/guide-ddos-defense.html|title=A Cisco Guide to Defending Against Distributed Denial of Service Attacks|website=Cisco|language=en|access-date=2019-09-26}}</ref>
(This example does not protect a network from becoming the ''target'' of a Smurf attack; it merely prevents the network from ''participating'' in a Smurf attack.)
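The following is an added model, not code from the article or from any tool it names, of the four addressing forms in the Method section and of the two-part fix plus ingress filtering from the Mitigation section. The symbolic addresses, the host count ''n'', the frames-per-ping figure and the documentation-range IP addresses are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

BROADCAST = "broadcast"   # broadcast address of the amplifier network
TARGET = "target"         # victim: the spoofed source address of each echo request
PATSY = "patsy"           # one unicast host inside the amplifier network


@dataclass
class AmplifierNetwork:
    n: int                                   # hosts that answer ICMP echo requests
    forward_directed_broadcast: bool = True  # router default before RFC 2644
    hosts_accept_broadcast: bool = True      # hosts act on packets addressed to BROADCAST

    def smurfs(self, src, dst, frames_per_ping=1):
        """Echo replies ("Smurfs") caused by ONE spoofed echo request arriving from outside.

        Returns (replies seen by a single host, replies processed network-wide): the
        per-host and network amplification factors from the Method section, scaled by
        the number of Ethernet frames one reply occupies (a reply echoes the request payload).
        """
        # Router: a directed broadcast is dropped unless forwarding is explicitly enabled.
        if dst == BROADCAST and not self.forward_directed_broadcast:
            return 0, 0
        # Hosts that ignore broadcast-destined packets answer no broadcast ping and
        # discard any reply that was itself sent to the broadcast address.
        if not self.hosts_accept_broadcast and BROADCAST in (src, dst):
            return 0, 0
        responders = self.n if dst == BROADCAST else 1  # hosts that send a reply
        receivers = self.n if src == BROADCAST else 1   # hosts on which each reply lands
        per_host = responders * frames_per_ping
        network = responders * receivers * frames_per_ping
        return per_host, network


def ingress_filter_passes(src_ip, customer_prefix):
    """RFC 2827 ingress filter at the attacker's upstream: forward a packet only if its
    source address lies inside the prefix assigned to that customer."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(customer_prefix)


if __name__ == "__main__":
    legacy = AmplifierNetwork(n=100)   # 1990s defaults: a full Smurf amplifier
    fixed = AmplifierNetwork(n=100, forward_directed_broadcast=False)
    for src, dst in [(TARGET, PATSY), (TARGET, BROADCAST), (BROADCAST, PATSY), (BROADCAST, BROADCAST)]:
        print(f"{src:>9} -> {dst:<9} legacy {legacy.smurfs(src, dst)}  fixed {fixed.smurfs(src, dst)}")
    print("double broadcast, 15000-byte payload:", legacy.smurfs(BROADCAST, BROADCAST, frames_per_ping=10))
    # Constructed addresses: customer prefix 192.0.2.0/24, victim 203.0.113.5 (documentation ranges)
    print("spoofed source passes ingress filter:", ingress_filter_passes("203.0.113.5", "192.0.2.0/24"))
```

With the legacy settings the double-broadcast case reproduces the article's 10,000 packets for 100 hosts and 100,000 frames for a 15,000-byte payload; with directed-broadcast forwarding off, every broadcast-destined form yields zero Smurfs.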
=={{anchor|Fraggle Attack}}Fraggle attack==
A Fraggle attack (named for the creatures in the puppet TV series ''[[Fraggle Rock]]'') is a variation of a Smurf attack in which an attacker sends a large amount of [[User Datagram Protocol|UDP]] traffic to ports 7 ([[Echo Protocol|Echo]]) and 19 ([[Character Generator Protocol|CHARGEN]]). It works similarly to the Smurf attack in that many computers on the network will respond to this traffic by sending traffic back to the spoofed source IP of the victim, flooding it with traffic.<ref>{{cite web |url = https://security.radware.com/ddos-knowledge-center/ddospedia/fraggle-attack/ |title = Fraggle attack |date = 23 March 2016 |first = William |last = Hendric }}</ref> {{code|Fraggle.c}}, the [[source code]] of the attack, was also released by TFreak.<ref>{{Cite book |last=Anonymous |url=https://books.google.com/books?id=3jqBnS4b3EgC&pg=PA310 |title=Maximum Security |date=2003 |publisher=Sams Publishing |isbn=978-0-672-32459-8 |language=en}}</ref>

==See also==
* [[Denial-of-service attack]]
* [[Ping flood]]
* [[Smurf Amplifier Registry]]

==References==
{{reflist}}

==External links==
* ''[https://web.archive.org/web/20121107175456/http://www.pentics.net/denial-of-service/white-papers/smurf.cgi The Latest In Denial Of Service Attacks: "Smurfing"]'', Craig A. Huegen, 1997.

{{DEFAULTSORT:smurf attack}}
[[Category:Denial-of-service attacks]]