
SCHOOL OF COMPUTER SCIENCES

CST 334: Network Monitoring And Security


Semester 1, Academic Session : 2014/2015

Assignment 1

Title : Network Attack Using Smurf (Distributed Denial of Service)

Prepared for : Dr. Aman bin Jantan

Name : Aizattul Anis Binti Sobri

Metric no : 114998

Email : aanis.ucom12@student.usm.my

Contents
Abstract
Introduction
Analysis
    Attack using Internet Control Message Protocol
    IP broadcast address
Discussion
Conclusion

Abstract
Distributed Denial of Service (DDoS) attacks can have a devastating impact on computer systems
and networks. One DDoS flooding attack is the Smurf attack, which involves the Internet Control
Message Protocol (ICMP). When conducting a Smurf attack, the attacker uses IP address
spoofing to spoof the victim's IP address. This causes confusion on the targeted network, and a
massive flood of traffic is injected into the victim's network, causing it to become inoperable.
A Smurf attack uses ping, the operating-system tool for checking whether the network is
operational or not.
When the ping tool is run, an ICMP echo request packet is transmitted to the destination
computer. If the destination computer has the TCP packet, it replies to confirm the ping request.
In the event of a Smurf denial-of-service attack, the ping packet's return IP address is forged with
the IP of the targeted computer. The ping is issued to the entire IP broadcast address. This
technique causes every computer to respond to the bogus ping packets and reply to the targeted
computer, which floods it. This technique is called a Smurf attack because the DoS tool that is
used to perform the attack is called Smurf. One way to reduce the risk of this approach is to disable
IP-directed broadcast, which is frequently not used or required. Some operating systems are
configured to prevent the computer from responding to ICMP packets.

Introduction
A Denial of Service (DoS) attack is an attack on an online service that makes it
unavailable by congesting the system's traffic. It is designed to render a computer unusable and
leave the users of a targeted system unable to use the services provided. The bandwidth and
connectivity of a computer network are the most common targets of DoS attacks. Bandwidth
attacks flood the network with a high volume of traffic, while connectivity attacks flood a
computer with a high volume of connection requests.
Distributed Denial of Service (DDoS) is a type of DoS attack in which many computers, usually
infected with a Trojan, are used to attack another computer. They launch a coordinated DoS
attack against one or more target systems (distributing the attack). Both the end targeted system
and all the systems maliciously used and controlled by the hacker in the distributed attack are
victims of a DDoS attack.
In a DoS attack, one computer with an internet connection is used to flood the server with
packets, which overloads the targeted server's bandwidth. In a DDoS attack, by contrast, many
devices and multiple internet connections are used, distributed globally (known as a botnet).
Compared to a DoS attack, a DDoS attack is much harder to deflect because there is no single
attacker to defend against: the targeted resources are flooded with requests from multiple sources.
A Smurf attack is a form of DDoS. The Smurf program exploits vulnerabilities of the
Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The attacker uses an
unprotected network to amplify the attack load and direct it to the victim computer. The Smurf
program uses a spoofing technique to make a network packet appear to originate from another
address. This kind of attack not only causes problems for the targeted system, but also has a
serious negative effect on the network.

Analysis
In a Smurf attack, two main components are used to attack the network: the forged Internet
Control Message Protocol (ICMP) echo request packet and the direction of that packet to an
Internet Protocol (IP) broadcast address.

Attack using Internet Control Message Protocol


The Internet Control Message Protocol (ICMP) is used for error handling and the exchange of
control messages. It can also be used to determine whether a machine connected to the internet
is responding. To do this, an ICMP echo request packet is sent to the machine, and the machine
returns an ICMP echo reply packet. In a Smurf attack, the ICMP echo request contains the
spoofed address of a victim network as its source. When it reaches the intermediary network, it
is converted to a Layer 2 broadcast and sent to the hosts on the intermediary network. The hosts
on the intermediary network then send ICMP replies to the victim network.

A broadcast ping is sent with a spoofed source address. There are 3 types of ping:
1- Normal ping
A regular ping sends one or more ICMP echo requests to a system. The system responds
with one or more ICMP echo replies. This confirms whether the system is functioning.
The ICMP packet is addressed from one system to one system.
2- Broadcast ping
A broadcast ping sends the ICMP echo request to a broadcast address. The broadcast
address will send it to virtually all systems on the network. When the systems on the
network respond to the request, they flood the requesting system with ICMP echo replies.
3- Spoofed source broadcast ping
The source address is spoofed with the victim's address during the attack. The packet is
then sent out as a broadcast ping. The victim will be flooded with echo replies if the
systems respond to the request.

IP broadcast address
On an IP network, a packet is directed to an individual machine or broadcast to an entire
network. When an IP broadcast address receives a packet from a machine on the local network,
the packet is distributed to all machines on the network. When a packet is sent to an IP
broadcast address from a machine outside the local network, it is broadcast to all machines on
the targeted network according to the route of the traffic (routers do not pass broadcast packets).

Discussion

There are three parties in this attack:
1- The attacker
2- The intermediary
3- The victim
The attacker creates the packets without using their own machine's IP address as the source
address. They create forged packets that contain the spoofed source address of the attacker's
targeted victim. When all the machines at the intermediary side respond to the ICMP echo
request, they send replies to the victim's machine. The network becomes congested with traffic,
which makes it unusable.
Attackers have developed automated tools that enable them to send these attacks to multiple
intermediaries at the same time, causing the intermediaries to direct their responses to the same
victim.
Many firewalls block ICMP packets in order to prevent any type of attack using ICMP. A
system can be verified as operational if the ping succeeds. The Smurf attack is not really
sophisticated. It simply has to do with routing and with granting access to IP to take
control. This attack relies on the intermediary to broadcast the ICMP echo request to the hosts
on a target subnet. Only when the ICMP request packet arrives on the target subnet is it
converted to a Layer 2 broadcast.

Being an intermediary in a Smurf attack can be avoided by making sure that forwarding of
directed broadcasts is disabled on the Foundry device. The user can configure the Foundry device
to drop ICMP packets when an excessive number is encountered. The easiest way to defeat a
Smurf attack is to set a threshold value for ICMP packets and drop them when the threshold is
exceeded. This will prevent the packets from hitting the web server and internal network.
Monitor the packets which do not originate from the network. Do not simply accept the request.
It is important to filter out packets which do not originate from the internal network. For a
Cisco router, use CAR to specify the maximum amount of bandwidth that can be used by echo
reply packets.
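
The directed-broadcast and threshold mitigations described above, together with the broadcast address from the IP broadcast address section, can be expressed as a packet filter. This is an added example, not part of the original assignment and not any vendor's implementation; the SmurfFilter class, its parameters, the classify helper and the sample packets (documentation address ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

class SmurfFilter:
    """Hypothetical border filter; class and parameter names are assumptions."""

    def __init__(self, internal_nets, reply_limit, window):
        self.nets = [ipaddress.ip_network(n) for n in internal_nets]
        self.reply_limit = reply_limit     # echo replies allowed per destination per window
        self.window = window               # window length in seconds
        self.replies = defaultdict(deque)  # destination -> timestamps of passed replies

    def check(self, ts, src, dst, icmp_type):
        """Return (action, reason) for one ICMP packet arriving from outside.

        src is not used for the decision: in a Smurf attack the request's
        source is forged and the replies come from many intermediaries.
        """
        dst = ipaddress.ip_address(dst)
        if icmp_type == ECHO_REQUEST and any(dst == n.broadcast_address for n in self.nets):
            # Broadcast ping from outside: refusing it keeps our hosts
            # from acting as the intermediary.
            return "drop", "directed-broadcast"
        if icmp_type == ECHO_REPLY and any(dst in n for n in self.nets):
            seen = self.replies[dst]
            while seen and ts - seen[0] >= self.window:
                seen.popleft()             # forget replies older than the window
            if len(seen) >= self.reply_limit:
                return "drop", "reply-threshold"
            seen.append(ts)
        return "pass", "ok"

# Constructed sample traffic: (time in seconds, source, destination, ICMP type)
SAMPLE = [
    (0.0, "198.51.100.7", "192.0.2.255", ECHO_REQUEST),  # broadcast ping
    (0.1, "198.51.100.7", "192.0.2.10", ECHO_REQUEST),   # normal ping
] + [(1.0 + i / 10, f"203.0.113.{i + 1}", "192.0.2.10", ECHO_REPLY) for i in range(5)] + [
    (5.0, "203.0.113.9", "192.0.2.10", ECHO_REPLY),      # after the flood has aged out
]

def classify(packets, nets=("192.0.2.0/24",), reply_limit=3, window=1.0):
    """Run the packets through one filter and return the reason for each decision."""
    f = SmurfFilter(nets, reply_limit, window)
    return [f.check(*p)[1] for p in packets]

if __name__ == "__main__":
    for pkt, reason in zip(SAMPLE, classify(SAMPLE)):
        print(pkt, "->", reason)
```

Dropped replies are not counted against the window, so the filter behaves as a rate limit: legitimate echo replies resume as soon as the flood subsides.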

Conclusion
It is not impossible to accidentally download the Smurf Trojan from an unverified website or via
an infected email link (spam). The program will remain dormant on a computer until activated
by a remote user (the attacker). Many Smurf programs come with rootkits, allowing the attacker
to create backdoors. The easiest way to cope with the Smurf attack is to turn off IP broadcast
addressing on every network router. If IP broadcast is turned off, it is impossible for the
attacker to overload the network.
Both the intermediary and the victim of this attack may suffer degraded network performance,
both on their internal networks and on their internet connections.
