The smurf DDoS Attack
In the smurf DDoS attack,
the attacker provides a spoofed source address
when sending an ICMP echo, or ping,
to an IP broadcast address as the destination.
(The name smurf was adopted from the blue cartoon
characters who tended to flood into all locations.)
- the attacker sends ICMP Echo Request
packets where the source IP
address has been forged to be that of the target of the attack.
- the attacker sends these ICMP datagrams to the broadcast addresses of
remote LANs, using so-called directed broadcast addresses. These
datagrams are thus broadcast on the LANs by the connected router.
- all the hosts which are alive on the LAN each pick up a copy of
the ICMP Echo Request datagram, and send an
ICMP Echo Reply datagram back to what they think is the source.
- the attacker can use large packets
(typically to the Ethernet 1500 byte maximum)
to increase the effectiveness of the attack.
The use of broadcast addresses for protocol attacks is termed
amplification.
The smurf attack has 3 types of victims:
- the single destination victim of the attack,
- a network abused (temporarily) to amplify the attack, and
- (always) the host harboring the attacker.
One way to defeat smurfing is to disable IP broadcast addressing at each
internal network router;
however, this strictly violates RFC-1812,
'Requirements for IP Version 4 Routers'.
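An added example (not part of the lecture notes) modelling the router-side mitigation above: it drops ICMP Echo Requests addressed to the directed broadcast address of an attached LAN and shows how much Echo Reply traffic the claimed source would otherwise receive. The LAN prefixes, live-host counts, packets and function names are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data: LANs attached to this router and how many hosts answer pings.
ATTACHED_LANS = {
    ipaddress.ip_network("192.0.2.0/24"): 120,
    ipaddress.ip_network("198.51.100.0/26"): 40,
}

def directed_broadcast_lan(dst):
    """Return the attached LAN whose directed broadcast address is dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in ATTACHED_LANS:
        if addr == net.broadcast_address:
            return net
    return None

def filter_packets(packets, block_directed_broadcast=True):
    """Classify (src, dst, proto, size) tuples arriving from outside.

    Returns (forwarded, dropped, reply_bytes), where reply_bytes maps each
    claimed source address to the Echo Reply traffic it would receive.
    """
    forwarded, dropped, reply_bytes = [], [], Counter()
    for pkt in packets:
        src, dst, proto, size = pkt
        lan = directed_broadcast_lan(dst)
        if proto == "icmp-echo-request" and lan is not None:
            if block_directed_broadcast:
                dropped.append(pkt)
                continue
            # Every live host replies to the claimed source with the same payload size.
            reply_bytes[src] += ATTACHED_LANS[lan] * size
        forwarded.append(pkt)
    return forwarded, dropped, reply_bytes

# Constructed packets: (claimed source, destination, protocol, bytes).
SAMPLE = [
    ("203.0.113.9", "192.0.2.255", "icmp-echo-request", 1500),
    ("203.0.113.9", "198.51.100.63", "icmp-echo-request", 1500),
    ("203.0.113.50", "192.0.2.17", "icmp-echo-request", 64),  # ordinary unicast ping
    ("203.0.113.50", "192.0.2.80", "tcp", 60),
]

if __name__ == "__main__":
    for block in (False, True):
        fwd, drop, replies = filter_packets(SAMPLE, block)
        print(f"block={block}: forwarded={len(fwd)} dropped={len(drop)} replies={dict(replies)}")
```

With blocking off, two 1500-byte requests become 240000 bytes of replies aimed at the claimed source; with blocking on, both are dropped while the unicast ping and the TCP packet still pass.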
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p12, 15th May 2024.