Attacked by smurf
Ever been smurfed? Nope, it has nothing to do with those repulsive blue cartoon elves, and it is not something that happens to you personally. Rather, a smurf attack is something that can bring your network to its virtual knees.
A smurf attack is a way of denying service to a host or network on an IP connection. It can be used to knock a connection out completely, but it can also be run far more surreptitiously, throttled back just enough to eat bandwidth. In the latter case, you could be under attack for months without really noticing; you would just think your connection was slow.
Sound bad? It gets worse: Finding who is mounting a smurf attack is very difficult, and no matter what the level of attack, being smurfed will cost you money and time.
The protocol abused in these attacks is ICMP, the Internet Control Message Protocol (see RFC792 at http://src.doc.ic.ac.uk/computing/internet/rfc/rfc792.txt). ICMP packets are carried within IP datagrams. The protocol's main function is to return error and diagnostic messages to the source host when datagrams encounter problems in transit.
The most familiar use of ICMP is the ping utility, which tests the connection between two IP nodes. Ping involves sending an ICMP echo request to a destination node and measuring how long it takes to get a response.
But ICMP can also be abused for denial-of-service attacks, and the nastiest example so far is the smurf attack, first encountered last year. Smurf attacks are clever: They use whole networks of other people's computers as amplifiers, directing an overwhelming volume of traffic at a victim's machine.
Launching a smurf attack requires finding a network whose border router forwards IP directed broadcasts, that is, packets addressed from outside to the network's broadcast address. The attacker sends a stream of ICMP echo requests to that broadcast address with the source address forged to be the victim's. The router turns each directed broadcast into a link-layer broadcast, so every host on the attached network receives the request, and every host that answers sends its echo reply to the supposed source: the victim.
If enough machines get the ping request, the resulting traffic can overwhelm the target by eating up processing cycles or saturating the target's Internet connection. The amplifying network (the "bounce site") suffers too, because all of those replies leave over its own link. And because the source address is forged, the packets the victim sees carry the bounce site's addresses, not the attacker's, so the attacker is very hard to find.
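To make the two vantage points concrete, here is an added example (not code from the column or from the CERT advisory) that runs the two checks an operator would want over a constructed sample of ICMP records: at a bounce site, echo requests arriving for one of your own subnet broadcast addresses (their source address is the real victim); at the victim, a burst of echo replies from many distinct hosts in a single prefix. The addresses are documentation ranges, and the /24 grouping and the ten-host threshold are assumptions made for the demonstration, not fixed rules.

```python
"""Two checks for smurf traffic, run over a constructed ICMP sample.

Added example; the addresses are documentation ranges (RFC 5737), not real
networks, and every record below is made up for the demonstration.
"""
import ipaddress
from collections import defaultdict

BOUNCE_NET = ipaddress.ip_network("198.51.100.0/24")  # constructed bounce site
VICTIM = "192.0.2.10"                                  # constructed victim

ECHO_REPLY, ECHO_REQUEST = 0, 8                        # ICMP type values


def build_sample():
    """Records are (src, dst, icmp_type) tuples, as a sniffer or flow export
    would give them. Constructed: one forged request, 40 amplified replies,
    plus a little benign traffic that must not be flagged."""
    records = [
        # The attacker's echo request: source forged to the victim, destination
        # the bounce site's broadcast address. This is what the bounce site sees.
        (VICTIM, str(BOUNCE_NET.broadcast_address), ECHO_REQUEST),
        # An ordinary unicast ping to one bounce-site host, and its reply.
        ("203.0.113.5", "198.51.100.7", ECHO_REQUEST),
        ("198.51.100.7", "203.0.113.5", ECHO_REPLY),
        # One unrelated reply to the victim.
        ("203.0.113.9", VICTIM, ECHO_REPLY),
    ]
    # Forty bounce-site hosts answer the forged request at once. This is
    # what the victim sees.
    for host in list(BOUNCE_NET.hosts())[:40]:
        records.append((str(host), VICTIM, ECHO_REPLY))
    return records


def broadcast_echo_requests(records, local_subnets):
    """Bounce-site check: echo requests addressed to one of our broadcast
    addresses. The source address is the forged one, i.e. the real victim."""
    broadcasts = {str(net.broadcast_address): net for net in local_subnets}
    return [
        {"victim": src, "subnet": str(broadcasts[dst])}
        for src, dst, icmp_type in records
        if icmp_type == ECHO_REQUEST and dst in broadcasts
    ]


def reply_floods(records, min_hosts=10, prefix_len=24):
    """Victim-side check: many distinct hosts in one prefix all sending echo
    replies to the same destination. Grouping by /24 and the ten-host
    threshold are assumptions for the demonstration; a real bounce site can
    be any size, so tune both to what you observe."""
    hosts = defaultdict(set)    # (dst, prefix) -> distinct replying hosts
    replies = defaultdict(int)  # (dst, prefix) -> number of replies
    for src, dst, icmp_type in records:
        if icmp_type != ECHO_REPLY:
            continue
        prefix = str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))
        hosts[(dst, prefix)].add(src)
        replies[(dst, prefix)] += 1
    floods = []
    for (dst, prefix), members in hosts.items():
        if len(members) >= min_hosts:
            floods.append({"target": dst, "bounce_prefix": prefix,
                           "hosts": len(members),
                           "replies": replies[(dst, prefix)]})
    return floods


if __name__ == "__main__":
    sample = build_sample()
    for hit in broadcast_echo_requests(sample, [BOUNCE_NET]):
        print(f"bounce site: we are amplifying an attack on {hit['victim']} "
              f"via {hit['subnet']}")
    for flood in reply_floods(sample):
        print(f"victim: {flood['target']} is taking {flood['replies']} replies "
              f"from {flood['hosts']} hosts in {flood['bounce_prefix']}")
```

The number of distinct replying hosts is the amplification factor the victim is suffering per forged request, so it is also the number you would quote to the bounce site when you ask them to shut the hole. Note that only the bounce-site check names the real victim; nothing in either view names the attacker, which is the whole point of the forged source address.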
For more background on the problem, see the Computer Emergency Response Team Coordination Center Advisory CA-98.01, "Smurf IP Denial-of-Service Attacks," at www.cert.org/advisories/CA-98.01.smurf.html.
How dangerous is a smurf attack, and how much of a load could such an attack generate? In an article at www.quadrunner.com/~chuegen/smurf.txt, Craig Huegen says an attack may go down like this:
"An attacker sends, say, a 768K bit/sec stream of ICMP echo (ping) packets, with the spoofed source address of the victim, to the broadcast address of a 'bounce site.' These ping packets hit the bounce site's broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100 ping replies outbound. If you multiply the bandwidth, you'll see that 76.8M bit/sec is used outbound from the bounce site after the traffic is multiplied."
Today, smurf attacks are plaguing ISPs and some large corporations. Check out www.netscan.org for a test to see if a given network can act as an amplifier and for a list of the worst offenders (networks that can be used to generate a lot of smurf traffic).
The offender list makes interesting reading, as it includes networks run by the likes of the Internet Assigned Numbers Authority, Hewlett-Packard, IBM and a lot of ISPs that one would have hoped knew better.
Fixing the problem is straightforward in principle: Turn off IP directed broadcast on every interface of every routing and switching device, so that a packet addressed from outside to one of your subnet broadcast addresses is dropped instead of being handed to every host on the wire. The exact command depends on the equipment in use, so see Craig Huegen's smurf page referenced above and check your router vendor's Web site. Bear in mind that this only stops your network from being used as an amplifier; it does nothing for you as a victim, whose replies arrive from networks you don't control. For that side of the problem, talk to your ISP: make sure it knows about the attack, has disabled directed broadcast on its own routers, and can filter packets with forged source addresses at its borders so that the attacks can't be launched from its customers in the first place.
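As an added example (not code from the column or from any router vendor), here is a small audit of a saved Cisco IOS running-config that lists the interfaces still able to act as smurf amplifiers. The configuration excerpt is constructed; the interface command no ip directed-broadcast that appears in it is the Cisco spelling of the fix the column describes. The one release-specific fact the audit relies on is that IOS releases before 12.0 forwarded directed broadcasts unless told not to, while 12.0 and later drop them unless ip directed-broadcast is configured; if your config has no version line, the audit assumes the old, unsafe default.

```python
"""Audit a saved Cisco IOS running-config for interfaces that can still act
as smurf amplifiers. Added example; the configuration text is constructed."""
import re

# Constructed excerpt of a 'show running-config': Ethernet0 has the fix,
# Ethernet1 relies on the release default, Serial0 enables forwarding
# explicitly (the optional access-list argument is left off here).
RUNNING_CONFIG = """\
version 11.2
!
interface Ethernet0
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 203.0.113.1 255.255.255.0
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip directed-broadcast
!
end
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} from IOS config text.
    Sub-commands are the indented lines that follow an 'interface' line;
    a '!' separator or any top-level command ends the block."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def ios_default_forwards(config_text):
    """IOS releases before 12.0 forwarded directed broadcasts by default;
    12.0 and later drop them unless 'ip directed-broadcast' is set.
    With no 'version' line, assume the old, unsafe default."""
    match = re.search(r"^version\s+(\d+)\.(\d+)", config_text, re.MULTILINE)
    if not match:
        return True
    return (int(match.group(1)), int(match.group(2))) < (12, 0)


def forwards_directed_broadcast(commands, default_forwards):
    """Decide for one interface from its sub-commands."""
    if "no ip directed-broadcast" in commands:
        return False
    # 'ip directed-broadcast' may carry an access-list number, so match the prefix.
    if any(cmd.startswith("ip directed-broadcast") for cmd in commands):
        return True
    return default_forwards


def audit(config_text, default_forwards=None):
    """Names of interfaces that still forward directed broadcasts, sorted."""
    if default_forwards is None:
        default_forwards = ios_default_forwards(config_text)
    return sorted(
        name for name, cmds in parse_interfaces(config_text).items()
        if forwards_directed_broadcast(cmds, default_forwards)
    )


if __name__ == "__main__":
    for name in audit(RUNNING_CONFIG):
        print(f"{name}: add 'no ip directed-broadcast' in interface configuration")
```

Run it against the text of show running-config from each router and fix every interface it names, not just the ones facing the Internet: a directed broadcast can arrive over any path. The audit covers only the amplifier side of the problem; it says nothing about whether your upstream filters forged source addresses, which you still have to ask your ISP about.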
No smurfs please to firstname.lastname@example.org.