Search /
Advanced search  |  Help  |  Site map
Click for Layer 8! No, really, click NOW!
Networking for Small Business
Where's my gigabit Internet, anyway?
Americans cool with lab-grown organs, but not designer babies
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report
DDoS Attackers Change Techniques To Wallop Sites
Can we talk? Internet of Things vendors face a communications 'mess'
AMD's profitability streak ends at two quarters
Michaels says breach at its stores affected nearly 3M payment cards
Exclusive: Google's Project Loon tests move to LTE band in Nevada
H-1B loophole may help California utility offshore IT jobs
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested

Attacked by smurf

Today's breaking news
Send to a friendFeedback

Ever been smurfed? Nope, it has nothing to do with those repulsive blue cartoon elves, and it is not something that happens to you personally. Rather, a smurf attack is something that can bring your network to its virtual knees.

A smurf attack is a method of denying service on an IPconnection. While a smurf attack can be used to completely disable a connection, it can also be used far more surreptitiously to just reduce bandwidth. In the latter case, you could be under attack for months without really noticing - you would just think your connection was slow.

Sound bad? It gets worse: Finding who is mounting a smurf attack is very difficult, and no matter what the level of attack, being smurfed will cost you money and time.

The technology used in the attacks is ICMP, the Internet Control Message Protocol (see RFC792 at rfc792.txt). ICMP packets are carried within IP datagrams. The protocol's main function is to return error messages to the source host when datagrams encounter problems in transit.

The most familiar use of ICMP is the ping utility, which tests the connection between two IP nodes. Ping involves sending an ICMP echo request to a destination node and measuring how long it takes to get a response.

But hackers can use ICMP for denial-of-service hacks or smurf attacks, which were first encountered last year. Smurf attacks are clever: They use whole networks of computers to direct an overwhelming amount of traffic to a victim's machine.

Launching a smurf attack requires finding a network that is attached to the Internet by a router that will forward ICMP requests. A ping request with a forged source address is then sent to a broadcast address on that router, which forwards it to all machines on the attached network. Those devices then respond to the supposed source.

If enough machines get the ping request, the resulting traffic can overwhelm the target by eating up processing cycles or saturating the target's Internet connection. And because the source address is forged, the attacker is very hard to find.

For more background on the problem, see the Computer Emergency Response Team Coordination Center Advisory CA-98.01, "Smurf IP Denial-of-Service Attacks," at

How dangerous is a smurf attack, and how much of a load could such an attack generate? In an article at, Craig Huegen says an attack may go down like this:

"An attacker sends, say, a 768K bit/sec stream of ICMP echo (ping) packets, with the spoofed source address of the victim, to the broadcast address of a 'bounce site.' These ping packets hit the bounce site's broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100 ping replies outbound. If you multiply the bandwidth, you'll see that 76.8M bit/sec is used outbound from the bounce site after the traffic is multiplied."

Today, smurf attacks are plaguing ISPs and some large corporations. Check out for a test to see if a given network can act as an amplifier and for a list of the worst offenders (networks that can be used to generate a lot of smurf traffic).

The offender list makes interesting reading, as it includes networks run by the likes of the Internet Assigned Numbers Authority, Hewlett-Packard, IBM and a lot of ISPs that one would have hoped knew better.

Fixing the problem is straightforward: Turn off IP directed broadcast for all interfaces on all routing and switching devices. However, this fix is apparently dependent on the equipment in use. See Craig Huegen's smurf page referenced above, and check your router vendor's Web sites. Also talk to your ISP and make sure it knows about the problem and has planned to deal with it.

No smurfs please to


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.