Smurf Attack 101: History, M.O., Consequences
Quote:

Find Out What a Smurf Attack Is and How It Works. Do You Know How You Can Keep Your Business Systems Safe?

The Smurf Attack is one of the oldest, simplest and most effective cyber-attacks, one that can bring many unpleasant consequences for any targeted company. Before trying to understand what a Smurf Attack is, we must first understand the concepts of DoS and DDoS.

Denial-of-Service or Distributed Denial-of-Service attacks generally try to make a network’s resources unavailable for legitimate users. This usually happens by sending attacks to it from multiple points of the network. DDoS attacks can be classified as follows: 

Flood attacks: in this type of attack, multiple compromised devices called bots or zombies send large volumes of traffic to a victim’s system. Flood attacks use packets of HyperText Transfer Protocol (HTTP), Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP) or Session Initiation Protocol (SIP).

Amplification attacks: these attacks imply zombies sending messages to a broadcasted IP address: “This principle will cause all the systems in the subnet reached by the broadcasted address to send a reply to the victim’s system.”

Coremelt attacks: as Shi Dong and Mudar Sarem explain, “in this attack, the zombies can be divided into two groups. The attacker designates the zombies to communicate with the zombies in another group which will lead to sending and receiving huge data. When communication happens, it is difficult to track this attack through legitimate packets. In fact, in this Coremelt Attack, the Attack’s target is not the single host, but also the zombies, and by communicating with each other, they create network flood [16]. So, large numbers of packets are sent to the same host, the destination IP address, and the port number. Then, eventually, the system will crash.”

TCP SYN attacks: in this attack, hackers use TCP vulnerabilities by sending a large number of SYN requests to the server. Dong and Sarem explain why this is troublesome: “The server replies to the request by sending SYN + ACK packet and waits for the ACK packet from the client. Let us suppose that the attacker does not send the ACK packet, and the server waits for non-existent ACK. The limited buffer queue of the server becomes full and the incoming valid requests will be rejected.”

Authentication Server attacks: during this type of attack, the authentication server checks the attacker’s bogus signature, thus consuming more resources than it would normally do for generating the signature.

CGI Request attacks: this kind of attack implies that the hackers send a large number of CGI requests – this uses up the victim’s CPU cycles and resources.

Smurf Attack – Definition

The most common types of DDoS amplification attacks are Smurf Attack and Fraggle Attack.

A Smurf Attack is a DDoS form that makes computer networks inoperable by exploiting IP (Internet Protocol) and ICMP (Internet Control Message Protocol) vulnerabilities.

The first Smurf Attack goes back to the 1990s, when the University of Minnesota was targeted in 1998. The Minnesota Smurf Attack lasted more than an hour and “set off a chain reaction throughout the state, shutting down some computers entirely and in other cases causing data loss and network slowdowns.” 

As Techslang says, “The attack created a cyber traffic jam that also affected the rest of Minnesota, including Minnesota Regional Network (MRNet), one of the state’s Internet service providers (ISPs). As a result, MRNet’s clients, which included small businesses, Fortune 500 corporations, and universities, were also affected.”

There are two types of Smurf Attack:

a. Basic: In the Basic Smurf Attack, the seemingly endless ICMP request packages include a source address set to the broadcast address of the target’s network. If these packets disperse properly, there will be an echo from every single device on the network, which will create the overwhelming traffic that usually gets systems down.

b. Advanced: In the case of Advanced Smurf Attacks, the echo answers to the ICMP requests can configure their sources so that they respond to third party victims. In this way, hackers can reach various, bigger targets at once.

Let’s see exactly how Smurf Attack works:

A Smurf Attack consists of 5 stages:

a. Firstly, a fake Echo request containing a spoofed source IP is generated through the Smurf malware. The spoofed IP is actually the target server address. 
b. Secondly, an intermediate IP broadcast network is used to send the request.
c. Afterwards, the request is transmitted to every network host on the network. 
d. During the penultimate stage of a Smurf Attack, each host sends an ICMP response to the spoofed source address. 
e. In the last stage, the target server is brought down if there are enough ICMP responses forwarded.

Moreover, as Hang Chau mentions in his paper, Defense against DoS/DDoS Attacks, “Smurf Attack uses bandwidth consumption to disable a victim system’s network resources. It accomplishes the consumption using amplification of the attacker’s bandwidth. If the amplifying network has 100 machines, the signal can be amplified 100 times, so the attacker with relatively low bandwidth (such as the 56K modem) can flood and disable a victim system with much higher bandwidth (such as the T1 connection).”
...
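Added example, not part of the quoted article or of the forum post: detection logic in Python for the traffic pattern the five stages produce, run over a constructed packet summary. It flags echo requests sent to a local directed-broadcast address and counts the distinct hosts sending echo replies to an address that never pinged them, which is the amplification factor Hang Chau describes. The `analyze` function, the `(src, dst, icmp_type)` record layout, the threshold and all addresses (documentation ranges) are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

def analyze(packets, local_nets, min_responders=5):
    """packets: (src, dst, icmp_type) tuples in capture order.
    Returns (broadcast_pings, victims):
      broadcast_pings: echo requests addressed to a local broadcast address
      victims: {address: number of distinct unsolicited responders}"""
    broadcasts = {ipaddress.ip_network(n).broadcast_address for n in local_nets}
    requested = set()               # (requester, target) pairs actually seen
    unsolicited = defaultdict(set)  # reply destination -> hosts it never pinged
    broadcast_pings = []
    for src, dst, icmp_type in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if icmp_type == ECHO_REQUEST:
            requested.add((s, d))
            if d in broadcasts:
                broadcast_pings.append((src, dst))
        elif icmp_type == ECHO_REPLY and (d, s) not in requested:
            # Reply to a host that never sent this responder a request:
            # either its address was spoofed or the request went to broadcast.
            unsolicited[d].add(s)
    victims = {str(v): len(r) for v, r in unsolicited.items()
               if len(r) >= min_responders}
    return broadcast_pings, victims

# Constructed sample, as seen at the edge of the intermediate network
# 192.0.2.0/24: one request claiming to come from 198.51.100.10, six hosts
# answering it, and one ordinary unicast ping with its reply.
SAMPLE = (
    [("198.51.100.10", "192.0.2.255", ECHO_REQUEST)]
    + [(f"192.0.2.{h}", "198.51.100.10", ECHO_REPLY) for h in range(1, 7)]
    + [("203.0.113.5", "192.0.2.20", ECHO_REQUEST),
       ("192.0.2.20", "203.0.113.5", ECHO_REPLY)]
)

if __name__ == "__main__":
    pings, victims = analyze(SAMPLE, ["192.0.2.0/24"])
    print("echo requests to broadcast:", pings)
    print("unsolicited reply targets :", victims)
```

The ordinary ping is not reported because its reply matches a request seen earlier; on a victim-side capture, where only the replies are visible, the same count of distinct responders applies.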