
Attacked by smurf



Ever been smurfed? Nope, it has nothing to do with those repulsive blue cartoon elves, and it is not something that happens to you personally. Rather, a smurf attack is something that can bring your network to its virtual knees.

A smurf attack is a method of denying service on an IP connection. While a smurf attack can be used to completely disable a connection, it can also be used far more surreptitiously to just reduce bandwidth. In the latter case, you could be under attack for months without really noticing - you would just think your connection was slow.

Sound bad? It gets worse: Finding who is mounting a smurf attack is very difficult, and no matter what the level of attack, being smurfed will cost you money and time.

The technology used in the attacks is ICMP, the Internet Control Message Protocol (see RFC 792 at http://src.doc.ic.ac.uk/computing/internet/rfc/rfc792.txt). ICMP packets are carried within IP datagrams. The protocol's main function is to return error messages to the source host when datagrams encounter problems in transit.

The most familiar use of ICMP is the ping utility, which tests the connection between two IP nodes. Ping involves sending an ICMP echo request to a destination node and measuring how long it takes to get a response.

But hackers can use ICMP for denial-of-service hacks or smurf attacks, which were first encountered last year. Smurf attacks are clever: They use whole networks of computers to direct an overwhelming amount of traffic to a victim's machine.

Launching a smurf attack requires finding a network that is attached to the Internet by a router that will forward ICMP requests. A ping request with a forged source address is then sent to a broadcast address on that router, which forwards it to all machines on the attached network. Those devices then respond to the supposed source.

If enough machines get the ping request, the resulting traffic can overwhelm the target by eating up processing cycles or saturating the target's Internet connection. And because the source address is forged, the attacker is very hard to find.

For more background on the problem, see the Computer Emergency Response Team Coordination Center Advisory CA-98.01, "Smurf IP Denial-of-Service Attacks," at www.cert.org/advisories/CA-98.01.smurf.html.

How dangerous is a smurf attack, and how much of a load could such an attack generate? In an article at www.quadrunner.com/~chuegen/smurf.txt, Craig Huegen says an attack may go down like this:

"An attacker sends, say, a 768K bit/sec stream of ICMP echo (ping) packets, with the spoofed source address of the victim, to the broadcast address of a 'bounce site.' These ping packets hit the bounce site's broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100 ping replies outbound. If you multiply the bandwidth, you'll see that 76.8M bit/sec is used outbound from the bounce site after the traffic is multiplied."

Today, smurf attacks are plaguing ISPs and some large corporations. Check out www.netscan.org for a test to see if a given network can act as an amplifier and for a list of the worst offenders (networks that can be used to generate a lot of smurf traffic).

The offender list makes interesting reading, as it includes networks run by the likes of the Internet Assigned Numbers Authority, Hewlett-Packard, IBM and a lot of ISPs that one would have hoped knew better.

Fixing the problem is straightforward: Turn off IP directed broadcast for all interfaces on all routing and switching devices. However, this fix is apparently dependent on the equipment in use. See Craig Huegen's smurf page referenced above, and check your router vendor's Web site. Also talk to your ISP and make sure it knows about the problem and has planned to deal with it.
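To check whether your own network is being used as a bounce site, you can look for echo requests arriving from outside a subnet and addressed to that subnet's broadcast address. The following is an added example, not code from the article or from any source it cites; the subnets, the packet records and the function names are constructed for illustration, and the network address is treated as a broadcast target on the assumption that some older IP stacks answer it.

```python
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST = 8  # ICMP type 8 = echo request, type 0 = echo reply (RFC 792)

# Constructed sample data (documentation address ranges), not from the article.
LOCAL_SUBNETS = [ipaddress.ip_network("198.51.100.0/24"),
                 ipaddress.ip_network("192.0.2.0/25")]
SAMPLE_PACKETS = [  # (source IP, destination IP, ICMP type)
    ("203.0.113.7", "198.51.100.255", 8),   # external ping to the /24 broadcast
    ("203.0.113.7", "198.51.100.255", 8),
    ("203.0.113.7", "192.0.2.127", 8),      # broadcast of the /25, not a .255
    ("203.0.113.50", "198.51.100.0", 8),    # network address, old-style broadcast
    ("203.0.113.9", "198.51.100.20", 8),    # ordinary unicast ping
    ("198.51.100.20", "203.0.113.9", 0),    # its echo reply
    ("198.51.100.5", "198.51.100.255", 8),  # on-subnet broadcast ping, not routed
]


def find_directed_broadcast_pings(packets, subnets):
    """Count echo requests sent from outside a subnet to its broadcast address.

    Keys are (claimed source, subnet). The source is forged in a smurf
    attack, so it identifies the probable victim, not the sender.
    """
    targets = {}
    for net in subnets:
        targets[net.broadcast_address] = net
        targets[net.network_address] = net
    hits = Counter()
    for src, dst, icmp_type in packets:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        net = targets.get(ipaddress.ip_address(dst))
        if net is None or ipaddress.ip_address(src) in net:
            continue
        hits[(src, str(net))] += 1
    return hits


def worst_case_replies(hits):
    """Upper bound on echo replies aimed at each claimed source."""
    totals = Counter()
    for (src, net), count in hits.items():
        hosts = max(ipaddress.ip_network(net).num_addresses - 2, 0)
        totals[src] += count * hosts
    return totals


if __name__ == "__main__":
    found = find_directed_broadcast_pings(SAMPLE_PACKETS, LOCAL_SUBNETS)
    for victim, replies in worst_case_replies(found).items():
        print(f"{victim}: up to {replies} replies if directed broadcast is forwarded")
```

Any hit means an outside host is probing or using the subnet as an amplifier; with directed broadcast turned off, these requests are dropped at the router and the reply count falls to zero.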

No smurfs please to gearhead@gibbs.com.
