Understanding a Smurf attack is the first step toward thwarting one

Ways to minimize the damage of a Smurf attack

Smurf attacks can be devastating, both to the victim network and to the network(s) used to amplify the attack. An Internet Control Message Protocol (ICMP) Smurf attack is a brute-force attack on the direct broadcast feature that is built in to the IP protocol. The players in this type of denial of service attack include the following:
  • The hacker
  • The intermediary (also known as the amplifier)
  • The victim

We’re going to take a look at how this attack is launched and how you can keep your network from being hit by or amplifying a Smurf attack.

How a Smurf attack works
A Smurf attack is not terribly sophisticated; it’s just a matter of routing and letting IP take its course. The attack usually unfolds in five simple steps:
  1. Hacker identifies a victim IP address (your Web server is usually a nice high-profile target).
  2. Hacker identifies an intermediary site that will amplify the attack (usually several are selected, to further disguise the attack).
  3. Hacker sends a large amount of ICMP (ping, layer 3) traffic at the broadcast address of the intermediary sites. These packets have the source IP address spoofed to point towards the victim.
  4. Intermediaries deliver the broadcast at layer 2 to all the hosts on their subnet.
  5. Hosts reply to the victim network.

You might be asking, “How could a little ping traffic take down a site?” Well, suppose the hacker has a cable modem or a T-1 connection and sends a 1-Mbps spoofed ICMP stream at the intermediary sites. Now suppose the intermediary sites have 150 hosts that respond. This yields a 150-Mbps attack traveling from the “amplifiers” toward the victim. The hacker can keep this up as long as he has a connection and as long as the amplifiers continue to broadcast the ICMP traffic.

Don’t be a part of the problem
First, don’t let someone on your network perpetrate this type of attack on someone else. In order for the attack to start, the first network had to let a source-spoofed IP packet leave its network.

You can stop this kind of attack from leaving your network by applying an outbound filter to your perimeter router. An example of how to accomplish this with a Cisco router would be:
Access-list 100 permit IP {your network} {your network mask} any
Access-list 100 deny IP any any

Apply this access list to your network’s outbound connection on your perimeter router. This stops anybody on your network from sending source-spoofed packets outside the local network.

Second, stop your network from being used as an amplifier. Unless you absolutely need broadcast capability outside your network, use the no ip directed-broadcast command on every interface on your router.

Alternatively, if you’re running a larger, more robust network with multiple routers, use the ip verify unicast reverse-path command on your perimeter router, and the router will verify that it has a reverse path for the spoofed ICMP packet and drop the packet if no path exists. You must have Cisco Express Forwarding (CEF), or something similar from another vendor, running because the lookup uses the Forwarding Information Base (FIB) that CEF creates.

Stemming the tide
If you’re the victim of a Smurf attack, there are a couple of steps you can take to limit the effect of this type of attack. Under a recent change to the Cisco IOS, packets denied by an access list will be dropped at the fast level interrupt (close to hardware speed). With the exception of two packets per second per access-list line, these two packets will be used to send an ICMP unreachable message back to the amplifier. So if you don’t want people to ping your target, block inbound pings. If you log this access-list entry, use the ip icmp rate-limit unreachable command.

If you must allow ping, you can limit the amount of ICMP traffic by implementing Committed Access Rate (CAR). This is where you can limit the amount of traffic identified by an access list. Here’s another Cisco IOS example:
��config t
�� Access-list 100 permit icmp any {your network} {your subnet} echo-reply
�� Access-list 100 permit icmp any (your Network) (your Subnet) echo
�� Interface e1
�� Rate-limit input access-group 100 512000 8000 8000 conform action transmit exceed action drop

This example limits ICMP transmission to 512 Kbps with a transmit burst rate of 8,000 bits. All exceeding packets are dropped. More than one rate-limit command can be added to an interface in order to control other kinds of traffic.

Finding the hacker
Locating the person who launched a Smurf attack against you is difficult but not impossible. Decide before you start your hunt whether you’re going to involve law enforcement. If you are, preserve all the log files and contact the FBI.

To track down the true source of this type of attack, you should take the following steps:
  1. Determine the amplifiers’ IP space and contact their network administrator. Remember that the packets you are seeing are coming from the amplifier, not the hacker.
  2. Ask them to log inbound traffic from your victim IP address. These will be the source-spoofed packets.
  3. Get the MAC address of the source-spoofed packets and have them do a show ip arp (if using Cisco IOS) on that MAC address.
  4. The results will yield the hop from which the source-spoofed packets came.
  5. Find who controls the router from that hop and contact their network administrator.
  6. Repeat steps 2-5 until you find a router that has a direct link to the MAC address you’re tracking.

Summing up
Keep your network safe from the attack by filtering your outbound traffic, and ensure that you are not an amplifier of this attack by limiting broadcast traffic appropriately. If you do get hit, I’ve shown you some ways to minimize the damage and track down the culprit. Smurf attacks can be devastating, but proper preparation can minimize their ability to propagate and their effect on your network.

How have you dealt with Smurf attacks?
We look forward to getting your input and hearing your experiences regarding this topic. Post a comment or a question about this article.