How to prevent a Smurf attack

A Smurf attack is a distinctive but popular method of attack. It can bring down a Web server and an Internet router. A Smurf attack is based on the broadcast addressing feature of IP, which allows a host to send data to every host within a subnet.

A basic Smurf attack occurs when a victim's host is flooded with Internet Control Message Protocol (ICMP) request packets, in which the reply address is set to the broadcast address of the victim's network. Every host within the network would then reply to the ICMP request. This would generate a lot of traffic and possibly bring the network down.

An advanced Smurf attack occurs the same way as the basic attack, but with the source of the echo request configured to respond to a third-party victim. This victim will receive the echo requests that come from the targeted subnet. This attack is very beneficial to hackers because they are able to use a slow link to send a large amount of ping traffic anywhere on the Internet. The hacker can base the attack on a network with a very large link to the Internet, which allows the hacker to attack networks with links that are much larger than the hacker's own.

To prevent a Smurf attack, it is important to shut off the broadcast addressing feature of the external router and firewall. Most older routers default to allowing directed broadcast. IP directed broadcast should be disabled on all routers and interfaces that do not need it. On Cisco routers, the command "no ip directed-broadcast" should be applied to each interface. You can also configure your firewall to drop ICMP messages. There is also a site that can help you determine if your ISP is vulnerable to a Smurf attack: http://www.powertech.no/smurf/.
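To check the per-interface setting described above across a saved router configuration, the following audit script is an added example, not part of the original tip or any vendor tool. The sample configuration is constructed, and the function names and the `default_enabled` switch are assumptions of this example.

```python
import re

# Constructed sample in Cisco IOS running-config style (not from a real device).
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 no ip directed-broadcast
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet1/0
 no ip address
!
"""

def interface_stanzas(config):
    """Map each interface name to the indented sub-commands beneath it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line[:1].isspace():
            current.append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the stanza
    return stanzas

def audit_directed_broadcast(config, default_enabled=True):
    """Return {interface: reason} for interfaces that may forward directed broadcasts.
    default_enabled=True (assumption) models older routers that allow it by default."""
    findings = {}
    for name, lines in interface_stanzas(config).items():
        if not any(re.match(r"ip address\s", l) for l in lines):
            continue  # no IP address on the interface
        if any(l.startswith("ip directed-broadcast") for l in lines):
            findings[name] = "explicitly enabled"
        elif default_enabled and "no ip directed-broadcast" not in lines:
            findings[name] = "no explicit statement; default allows it"
    return findings

if __name__ == "__main__":
    for name, reason in audit_directed_broadcast(SAMPLE_CONFIG).items():
        print(f"{name}: directed broadcast {reason}")
```

On software whose default already disables directed broadcast, pass `default_enabled=False` so that only explicitly enabled interfaces are reported.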

Asta Networks has developed a software package that can detect Smurf attacks at the start of the attack. The name of the package is the Vantage System. With a Web-based management console, a network administrator can monitor the network to watch for attacks. When the software detects an attack, it sends an e-mail alert to the designated administrator.

Remember that it is up to the network administrator to make sure that their organization's network has the proper tools and is configured to prevent and to recognize a Smurf attack before it brings the entire network down.

This was first published in February 2002
