A Smurf attack is a unique but popular method of attack. It can bring down a Web server and an Internet router. A Smurf attack is based on the broadcast addressing feature of IP, which allows a host to send data to every host within a subnet.
A basic Smurf attack occurs when a victim's host is flooded with Internet Control Message Protocol (ICMP) request packets, in which the reply address is set to the broadcast address of the victim's network. Every host within the network would then reply to the ICMP request. This would generate a lot of traffic and possibly bring the network down.
An advanced Smurf attack occurs the same way as the basic attack, but with the source of the echo request configured to respond to a third-party victim. This victim will receive the echo requests that come from the targeted subnet. This attack is very beneficial to hackers because they are able to use a slow link to send a large amount of ping traffic anywhere on the Internet. A hacker can base the attack on a network with a very large link to the Internet, which allows the hacker to attack networks with links that are much larger than the hacker's own.
To prevent a Smurf attack, it is important to shut off the broadcast addressing feature of the external router and firewall. Most older routers default to allowing directed broadcast. IP directed broadcast should be disabled on all routers and interfaces that do not need it. On Cisco routers, the command "no ip directed-broadcast" should be applied to each interface. You can also configure your firewall to drop ICMP messages. There is also a site that can help you determine if your ISP is vulnerable to a Smurf attack: http://www.powertech.no/smurf/.
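An added example, not part of the original article or of any vendor tool: a Python check that reads an IOS-style configuration and reports which addressed interfaces would still forward directed broadcasts. The sample configuration and the function name audit_directed_broadcast are constructed for illustration; default_enabled=True assumes the older-router default described above, and False models software where directed broadcast is off unless configured.

```python
import re

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 no ip directed-broadcast
!
interface Ethernet0
 ip address 198.51.100.1 255.255.255.0
!
interface Ethernet1
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
!
interface Ethernet2
 no ip address
 shutdown
!
"""

def audit_directed_broadcast(config, default_enabled=True):
    """Map each addressed interface to 'EXPOSED' or 'ok'. default_enabled=True
    models older routers where silence means directed broadcast is on."""
    findings, current, state, has_ip = {}, None, None, False

    def close():  # record the interface block that just ended
        if current and has_ip:
            enabled = default_enabled if state is None else state
            findings[current] = "EXPOSED" if enabled else "ok"

    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            close()
            current, state, has_ip = m.group(1), None, False
        elif current and not line.startswith(" "):  # unindented line ends the block
            close()
            current = None
        elif current:
            stmt = line.strip()
            if re.match(r"ip address\s+\d", stmt):
                has_ip = True
            elif stmt.startswith("no ip directed-broadcast"):
                state = False
            elif stmt.startswith("ip directed-broadcast"):  # explicit enable
                state = True
    close()
    return findings
```

Calling audit_directed_broadcast(SAMPLE_CONFIG) flags Ethernet0, which has no explicit statement, and Ethernet1, which enables the feature outright; Ethernet2 is skipped because it has no IP address.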
Asta Networks has developed a software package that can detect Smurf attacks at the start of the attack. The name of the package is the Vantage System. With a Web-based management console, a network administrator can monitor the network to watch for attacks. When the software detects an attack, it sends an e-mail alert to the designated administrator.
Remember that it is up to the network administrator to make sure that their organization's network has the proper tools and is configured to prevent and to recognize a Smurf attack before it brings the entire network down.
This was first published in February 2002