How can you tell if you've been hit by a Smurf attack?

Admins who haven't hardened their networks to prevent a Smurf attack should learn how to tell if they've been hit. Read what members say are the telltale signs of an attack and learn some tips for recovery.

Although you can reduce the odds of a Smurf attack on your network by following the recommendations in Mike Mullins' article "Don't be the victim or amplifier of a Smurf attack," you may still get hit. Thus, it's important for administrators to be able to detect and respond quickly. How can you do that? That's the question one member posed in the discussion that followed Mullins' article. Here's a look at how you can recognize that you've been hit by a Smurf attack and a few tips for recovering from such an attack.

Understanding the Smurf attack
A Smurf attack is primarily a denial-of-service attack that takes advantage of the directed broadcast feature of the IP protocol: ping (ICMP echo request) traffic sent to a network's broadcast address is answered by every host on that network, and the replies go to whatever source address the request carried. The attacker who launches the attack typically uses other people's routers to amplify the attack and to disguise its origin. If the attacker finds a large network to use as an amplifier, the amount of ping traffic that is focused on the victim can compound dramatically.

Only network administrators who have done extensive network baselining have a chance of telling if their networks are being used as an intermediary. And if they've gone to the trouble of baselining, they are probably not allowing their routers to forward directed broadcasts anyway.
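The two sides of the attack described above (the victim drowning in echo replies it never asked for, and the intermediary whose broadcast address is being pinged) each leave a distinct pattern in flow data. The following is an added example, not code from the article or its discussion; it assumes flow summaries already reduced to (src_ip, dst_ip, icmp_type, packets) tuples, which is a simplification of what a NetFlow export or packet capture gives you, and the addresses and counts are constructed for illustration.

```python
"""Flag the victim-side and amplifier-side signatures of a Smurf attack.

Added example (not from the original article). Input is assumed to be a
list of flow summaries: (src_ip, dst_ip, icmp_type, packets). Non-ICMP
traffic is simply ignored.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ECHO_REPLY = 0      # ICMP type 0 (RFC 792)
ECHO_REQUEST = 8    # ICMP type 8 (RFC 792)

# Constructed sample flows for one short capture window.
SAMPLE_FLOWS = [
    # Victim view: 60 hosts on a constructed amplifier network answer pings
    # that the victim (203.0.113.10) never sent.
    *[(f"198.51.100.{i}", "203.0.113.10", ECHO_REPLY, 400) for i in range(1, 61)],
    # Normal: a host pings a server and gets replies back.
    ("203.0.113.20", "192.0.2.5", ECHO_REQUEST, 4),
    ("192.0.2.5", "203.0.113.20", ECHO_REPLY, 4),
    # Amplifier view: an echo request carrying the victim's (spoofed) source
    # address arrives for our subnet's broadcast address 192.0.2.255.
    ("203.0.113.10", "192.0.2.255", ECHO_REQUEST, 1500),
]


def find_reply_floods(flows, min_sources=20, min_packets=1000):
    """Return {victim_ip: (distinct_sources, packets)} for destinations that
    receive echo replies from many hosts they never sent echo requests to."""
    requests_sent = defaultdict(set)              # src -> dsts it pinged
    reply_counts = defaultdict(lambda: defaultdict(int))  # dst -> src -> pkts
    for src, dst, icmp_type, pkts in flows:
        if icmp_type == ECHO_REQUEST:
            requests_sent[src].add(dst)
        elif icmp_type == ECHO_REPLY:
            reply_counts[dst][src] += pkts

    floods = {}
    for dst, by_src in reply_counts.items():
        # A reply is unsolicited if dst never pinged that source.
        unsolicited = {s: n for s, n in by_src.items() if s not in requests_sent[dst]}
        total = sum(unsolicited.values())
        if len(unsolicited) >= min_sources and total >= min_packets:
            floods[dst] = (len(unsolicited), total)
    return floods


def find_directed_broadcast_pings(flows, local_nets):
    """Return [(src, dst, packets)] for echo requests addressed to the
    broadcast address of one of our own subnets: the sign that our network
    is being used as the amplifier."""
    broadcast_addrs = {ip_network(n).broadcast_address for n in local_nets}
    return [
        (src, dst, pkts)
        for src, dst, icmp_type, pkts in flows
        if icmp_type == ECHO_REQUEST and ip_address(dst) in broadcast_addrs
    ]


if __name__ == "__main__":
    print("reply floods:", find_reply_floods(SAMPLE_FLOWS))
    print("broadcast pings:", find_directed_broadcast_pings(SAMPLE_FLOWS, ["192.0.2.0/24"]))
```

The thresholds are deliberately loose defaults; tune `min_sources` and `min_packets` to your own baseline, and remember that a single legitimate host pinging many others produces replies from many sources but never trips the unsolicited check.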

What to do if you get hit
When Anil.gupta asked how to tell when a network is being attacked, several members jumped in with suggestions. JonP said that complaints would escalate when users couldn't reach the Internet.

He said, "Your support phone will be ringing itself to death!" He suggested checking the router logs, which should tell the ugly story.

"Your bandwidth is going to get eaten by this, your router will be going into meltdown, and the target server is likely to have crashed," JonP said.

If you're the victim of a Smurf attack, he suggested that you unplug the router from the Internet, since you aren't going to have access anyway. Without the barrage of inbound traffic, you can go about the business of repairing the damage. He also suggested that you configure your router/firewall to disallow inbound ICMP traffic. If you can convince your ISP to drop that kind of traffic so their routers won't have to work so hard, they might even help you trace the attack back to its source, he said.

For an even earlier warning that your network may be under a Smurf attack, ARG CIO suggested that network administrators baseline their networks.

"If your bandwidth makes a sudden jump from normal benchmarks, it's time to check into why," he said.

"Take benchmarks at different times of the day. I take 'photo' benchmarks every 15 minutes to check utilization during the day. If my utilization is usually 23 percent at 12:15 P.M., but today it's at 87 percent, it's time to take a look at what's going on."
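The baselining approach ARG CIO describes (compare today's utilization in a given 15-minute slot against what that slot normally looks like) is easy to automate. Here is an added example, not from the article or the discussion, that compares each slot's current reading against the mean of previous days' readings for the same slot; the utilization figures are constructed, and the per-slot threshold rule (mean plus three standard deviations, but never less than ten points above the mean) is an assumption chosen for illustration.

```python
"""Flag utilization readings that jump well above the baseline for their
time-of-day slot. Added example, not from the original article.

Assumes utilization is sampled every 15 minutes as a percentage and kept
per "HH:MM" slot, with several previous days' readings as the baseline.
"""
from statistics import mean, pstdev

# Constructed baseline: readings from five previous weekdays per slot.
BASELINE = {
    "12:00": [20, 22, 21, 24, 23],
    "12:15": [23, 22, 25, 24, 21],
    "12:30": [26, 27, 25, 28, 26],
}

# Constructed readings for today; 12:15 matches the 87 percent in the quote.
TODAY = {"12:00": 22, "12:15": 87, "12:30": 30}


def slot_thresholds(baseline, sigma=3.0, floor_points=10.0):
    """Return {slot: (baseline_mean, alert_threshold)}.

    Threshold is mean + sigma * stdev, but at least floor_points above the
    mean so a very flat baseline does not alert on ordinary jitter
    (assumed rule, not from the article)."""
    out = {}
    for slot, samples in baseline.items():
        m = mean(samples)
        sd = pstdev(samples)
        out[slot] = (m, m + max(sigma * sd, floor_points))
    return out


def check_utilization(today, baseline, sigma=3.0, floor_points=10.0):
    """Return [(slot, reading, baseline_mean, threshold)] for every slot
    whose reading exceeds its threshold. Slots with no baseline are
    skipped rather than guessed at."""
    thresholds = slot_thresholds(baseline, sigma, floor_points)
    anomalies = []
    for slot, reading in sorted(today.items()):
        if slot not in thresholds:
            continue
        m, limit = thresholds[slot]
        if reading > limit:
            anomalies.append((slot, reading, m, limit))
    return anomalies


if __name__ == "__main__":
    for slot, reading, m, limit in check_utilization(TODAY, BASELINE):
        print(f"{slot}: {reading}% utilization, normally {m:.1f}% "
              f"(alert above {limit:.1f}%) - time to look at what's going on")
```

Feed it from whatever produces your "photo" benchmarks (an SNMP interface-counter poll, for instance) and alert on the returned list; a sustained jump like the one at 12:15 is exactly the early warning the quote describes.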

The combination of Mullins’ article and these tips should help you protect your network from a Smurf attack and the resulting denial of service event.

How quickly would you know if you were under attack?
If someone tried to launch an attack against your network, how quickly would you know it? What would be your first response? Send us a note or post a comment in the discussion below.