Nordunet Home Page
 -----------------------------------
Preventing Smurf Attacks

 -------------------------------------

Introduction

This brief introduction to denial-of-service attacks of the SMURF type (named after the program used to instigate them) explains what they are and what can be done about them.

In a SMURF attack you can be affected in one of several ways:

  • As a victim or target of the attack
  • As a network which is abused to amplify the attack
  • As a party harboring the instigator of the attack

SMURF and similar denial-of-service (DoS) attacks can do serious damage to your network services, whether you are an individual end-user or an entire institution: your host, or your whole network connection, is inundated with unwanted, maliciously generated traffic.

Anatomy of a SMURF Attack

A SMURF attack is a method by which an attacker can send a moderate amount of traffic and cause a virtual explosion of traffic at the intended target. The method used is as follows:
  • The attacker sends ICMP Echo Request packets in which the source IP address has been forged to be that of the target of the attack.
  • The attacker sends these ICMP datagrams not to individual hosts but to the broadcast addresses of remote LANs (so-called directed broadcast addresses: the all-ones host address of a subnet). The router connected to such a LAN turns each datagram into a link-layer broadcast on that LAN.
  • All hosts which are «alive» on the LAN pick up a copy of the ICMP Echo Request datagram (as they should), and each sends an ICMP Echo Reply datagram back to what it believes is the source, i.e. the target. If many hosts are «alive» on the LAN, the amplification factor can be considerable (100+ is not uncommon).
  • Since an Echo Reply carries the same data as the Echo Request it answers, the attacker can use large packets (typically up to the Ethernet maximum) to increase the «effectiveness» of the attack, and the faster the attacker's network connection, the more damage he can inflict on the target and the target's network.
Not only can the attacker cause problems for the target host; the influx of traffic can be so great as to seriously affect the network(s) upstream of the target. The institutions being abused as amplifier networks can be affected in the same way, in that their own network connection can be swamped by the Echo Reply packets destined for the target.
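The mechanism in the steps above, as an added example in Python that is not part of the original page: it builds the forged Echo Request with real IPv4 and ICMP checksums, lets every «alive» host answer it the way RFC 792 requires (echoing the data to whatever the source field says), and counts what ends up at the target. The amplifier LAN (198.51.100.0/24 with 120 hosts up), the target address (203.0.113.7) and the packet sizes are constructed for the illustration; packets are only built and parsed in memory, nothing is sent.

```python
"""Packet-level model of one round of a Smurf attack.

Added example, not code from the NORDUnet page. The amplifier LAN, its live
hosts and the target address are constructed (RFC 5737 documentation ranges);
packets are only built and parsed in memory, nothing is sent.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """ICMP Echo header (type, code 0, checksum, id, seq) followed by the data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of an ICMP payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      IPPROTO_ICMP, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> Tuple[str, str, int, bytes]:
    """Return (src, dst, protocol, payload); reject a bad header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def host_reply(packet: bytes, host_ip: str) -> Optional[bytes]:
    """What a normal host does with an Echo Request it receives: answer it,
    echoing the data, to whatever the source field says (RFC 792). The host
    has no way of telling that the source was forged."""
    src, _dst, proto, icmp = parse_ipv4(packet)
    if proto != IPPROTO_ICMP or icmp[0] != ICMP_ECHO_REQUEST or inet_checksum(icmp) != 0:
        return None
    ident, seq = struct.unpack("!HH", icmp[4:8])
    return build_ipv4(host_ip, src, build_icmp_echo(ICMP_ECHO_REPLY, ident, seq, icmp[8:]))


def live_hosts(lan_cidr: str, count: int) -> List[str]:
    """The first `count` host addresses of a LAN, standing in for the hosts that are up."""
    return [str(h) for h in list(ipaddress.IPv4Network(lan_cidr).hosts())[:count]]


def smurf_round(target: str, lan_cidr: str, hosts: List[str], data_len: int) -> Tuple[int, int, float]:
    """One forged Echo Request to the LAN's directed broadcast address, forwarded
    by a router that still allows directed broadcasts. Returns
    (bytes the attacker sent, bytes the target receives, amplification factor)."""
    lan = ipaddress.IPv4Network(lan_cidr)
    request = build_ipv4(target, str(lan.broadcast_address),
                         build_icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"A" * data_len))
    replies = [r for r in (host_reply(request, h) for h in hosts) if r is not None]
    # Every reply is addressed to the forged source, i.e. the target.
    to_target = sum(len(r) for r in replies if parse_ipv4(r)[1] == target)
    return len(request), to_target, to_target / len(request)


if __name__ == "__main__":
    # 120 hosts up on a /24; 1472 data bytes gives 1500-byte packets (Ethernet maximum)
    sent, received, amp = smurf_round("203.0.113.7", "198.51.100.0/24",
                                      live_hosts("198.51.100.0/24", 120), 1472)
    print(f"attacker sent {sent} bytes; target receives {received} bytes ({amp:.0f}x)")
```

With 120 hosts up and 1500-byte packets, one request from the attacker becomes 120 replies at the target; the attacker's own link only ever carries the requests, while the amplifier's link and the target's link carry the replies, which is why both of the latter can be swamped.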

Preventing SMURF attacks

PROPERLY CONFIGURED NETWORK EQUIPMENT IS THE KEY

The availability of the directed broadcast function is an essential element in these attacks. The current Proposed Standard for "Requirements for IP Version 4 Routers" (RFC1812, section 5.3.5.2) states that a router must be able to forward directed broadcasts and must have a knob to turn forwarding off, but that the knob must default to the «on» position. The current sentiment is that this should no longer be the requirement; RFC2644 (August 1999) later reversed it, so that routers now must default to not forwarding directed broadcasts. A default is only relevant until someone configures the router, however, so check the setting rather than assuming it.

Thus, to prevent your network from being abused as an amplifier network in a SMURF attack, you should turn off the forwarding of directed broadcasts on all router ports (on Cisco IOS the interface command is «no ip directed-broadcast»; it is the router attached to the destination LAN that makes this decision, so every LAN-facing interface needs it, not only the border router), or take other measures to assure your network cannot be abused in this manner, for instance configuring hosts not to answer Echo Requests addressed to a broadcast address. A simple check is to ping the broadcast address of each of your subnets from outside your network: if many replies come back, you are an amplifier.

Another component which is important in this type of attack is that the attacker must be able to inject packets into the network with forged IP source addresses. Routers can be configured to prevent the trivial forgery of IP source addresses, typically with an access list on each customer- or LAN-facing port that drops packets whose source address does not belong to the prefixes assigned to that port, and doing so for a local network will prevent SMURF attacks from being launched locally. (Do however note that access lists can have a performance impact, so judicious use of such tools is advised.) This sort of ingress filtering is documented in RFC2267 (later superseded by RFC2827, BCP 38); it not only prevents local origination of SMURF attacks but also makes tracking attacks, or demonstrating that an attack did not originate from your network, much easier. Note that ingress filtering protects others from your users; it does nothing to stop attacks directed at you from elsewhere.

Since SMURF attacks use forged source addresses, tracking SMURF attacks back to their source is a challenge. It has to be done while the attack is ongoing, hop by hop, and requires the swift cooperation of all the network service providers along the path. In practice this has proven to be quite difficult. Instead, what we have done in NORDUnet is to set a rate-limit on the volume of ICMP Echo Reply traffic we allow into NORDUnet, so as to «soften» the effect of an attack originated outside of NORDUnet and directed at a host inside NORDUnet. The trade-off is that legitimate Echo Replies entering NORDUnet are dropped as well once the limit is exceeded, so the limit must be set comfortably above the normal rate of such traffic; since few applications depend on ping replies, this is rarely noticed.
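The three router-side measures in this section (ingress filtering of forged sources, refusing to forward directed broadcasts, and rate-limiting Echo Replies at the border), modelled as forwarding decisions in an added Python example that is not NORDUnet's configuration or any vendor's code. The interface names, prefixes and packets are constructed (RFC 5737 addresses), and the 100 kB/s limit with a 15 kB burst is an illustrative figure; NORDUnet's actual limit is not given on this page. The example goes slightly beyond the text in that it shows all three checks against the same forged packet and the same reply flood, so the effect of each knob can be compared.

```python
"""The router-side countermeasures described above, as forwarding decisions.

Added example, not NORDUnet's configuration or any vendor's code. Interfaces,
prefixes, packets and rate-limit figures are constructed for the illustration
(RFC 5737 addresses); a real router applies the same checks in its access
lists and interface configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


@dataclass
class Interface:
    name: str
    prefixes: List[str]                   # networks legitimately behind this port
    forward_directed_bcast: bool = False  # the RFC 1812 5.3.5.2 knob; off is the safe setting
    ingress_filter: bool = True           # RFC 2267 source address check

    def __post_init__(self):
        self.nets = [ipaddress.IPv4Network(p) for p in self.prefixes]


@dataclass
class Packet:
    src: str
    dst: str
    icmp_type: Optional[int]  # 8 = Echo Request, 0 = Echo Reply, None = not ICMP
    length: int               # bytes on the wire


def ingress_decision(pkt: Packet, port: Interface) -> str:
    """RFC 2267: a packet arriving on a customer or LAN port must carry a source
    address from the prefixes assigned to that port; anything else is forged."""
    if not port.ingress_filter:
        return "accept"
    src = ipaddress.IPv4Address(pkt.src)
    return "accept" if any(src in n for n in port.nets) else "drop: spoofed source"


def egress_decision(pkt: Packet, port: Interface) -> str:
    """On the port facing a LAN: a datagram addressed to that LAN's broadcast
    address is a directed broadcast and only becomes a link-layer broadcast
    if the knob is on. Ordinary unicast is forwarded as usual."""
    dst = ipaddress.IPv4Address(pkt.dst)
    for lan in port.nets:
        if dst == lan.broadcast_address:
            return f"broadcast onto {lan}" if port.forward_directed_bcast else "drop: directed broadcast"
    return "forward"


class TokenBucket:
    """Rate limit for one traffic class: `rate_bps` bytes per second refill,
    `burst` bytes of depth. Time is integer milliseconds so the arithmetic is exact."""

    def __init__(self, rate_bps: int, burst: int):
        self.rate_bps, self.burst = rate_bps, burst
        self.tokens, self.last_ms = float(burst), 0

    def allow(self, now_ms: int, nbytes: int) -> bool:
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate_bps / 1000)
        self.last_ms = now_ms
        if self.tokens < nbytes:
            return False
        self.tokens -= nbytes
        return True


def border_filter(arrivals: List[Tuple[int, Packet]], rate_bps: int, burst: int) -> Tuple[int, int]:
    """Border policy: all Echo Replies entering the network share one token
    bucket; other traffic is untouched. Returns (packets passed, packets dropped)."""
    bucket = TokenBucket(rate_bps, burst)
    passed = dropped = 0
    for now_ms, pkt in arrivals:
        if pkt.icmp_type == ICMP_ECHO_REPLY and not bucket.allow(now_ms, pkt.length):
            dropped += 1
        else:
            passed += 1
    return passed, dropped


def echo_reply_flood(count: int, length: int, interval_ms: int, target: str = "203.0.113.7") -> List[Tuple[int, Packet]]:
    """Constructed stream of amplifier replies reaching the border, one every interval_ms."""
    return [(i * interval_ms, Packet(f"198.51.100.{1 + i % 200}", target, ICMP_ECHO_REPLY, length))
            for i in range(count)]


def demo() -> dict:
    customer = Interface("Serial0", ["192.0.2.0/24"])       # the attacker's access port
    amp_lan = Interface("Ethernet0", ["198.51.100.0/24"])   # an amplifier LAN, knob off
    forged = Packet("203.0.113.7", "198.51.100.255", ICMP_ECHO_REQUEST, 1500)  # source = victim
    return {
        "ingress": ingress_decision(forged, customer),
        "ingress_unfiltered": ingress_decision(forged, Interface("Serial0", ["192.0.2.0/24"], ingress_filter=False)),
        "egress": egress_decision(forged, amp_lan),
        "egress_knob_on": egress_decision(forged, Interface("Ethernet0", ["198.51.100.0/24"], forward_directed_bcast=True)),
        # 1000 replies of 1500 bytes, one per ms (12 Mbit/s), against a 100 kB/s limit with a 15 kB burst
        "border": border_filter(echo_reply_flood(1000, 1500, 1), 100_000, 15_000),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:>20}: {result}")
```

The first two checks stop the attack before it does damage, at the attacker's network and at the amplifier respectively; the third only limits what reaches the victim, and the bucket drops legitimate Echo Replies along with the flood once it is empty, which is the trade-off noted above.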

For more detailed instructions as to how to take precautionary measures, see Craig A. Huegen's page describing SMURF attacks. There is also an informal SMURF Amplifier Registry housed by the Norwegian ISP PowerTech, which in the form of a «hall of shame» lists active amplifier networks. It is a good idea to check that your network is not on this list.

-------------------------------------
Nordunet Information Service