Preventing Smurf Attacks
Introduction

This brief introduction to the denial-of-service attacks of the SMURF type (named after the program used to instigate the attack) explains what they are and what can be done about them.
In a SMURF attack you can be affected in one of several ways:
Anatomy of a SMURF Attack

A SMURF attack (named after the program used to perform the attack) is a method by which an attacker can send a moderate amount of traffic and cause a virtual explosion of traffic at the intended target. The method used is as follows:
Preventing SMURF attacks

PROPERLY CONFIGURED NETWORK EQUIPMENT IS THE KEY
The availability of the directed broadcast function is an important element in these attacks. The current Proposed Standard for "Requirements for IP Version 4 Routers" (RFC1812) states that a router must default to forwarding directed broadcasts, that a knob must exist to turn it off, but it must default to the «on» position (see section 18.104.22.168 of RFC1812). However, the current sentiment is that this should no longer be a requirement.
Thus, to prevent your network from being abused as an amplifier network in a SMURF attack, you should turn off the forwarding of directed broadcast on all router ports or take other measures to assure your network cannot be abused in this manner.
Another component which is important in this type of attack is that the attacker has to be able to inject packets into the network with forged IP source addresses. It is possible to enable functions in routers which prevent the trivial forgery of IP source addresses, and doing so for a local network will prevent SMURF attacks from being launched locally. (Do however note that access lists can have a performance impact, so judicious use of such tools is advised.) This sort of ingress filtering has been documented in RFC2267, and is effective not only for preventing local origination of SMURF attacks, but also makes tracking attacks (or showing that an attack did not originate from your network) much easier.
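The amplification path described under "Anatomy of a SMURF Attack" and the two router controls above (turning off directed-broadcast forwarding, and RFC2267 ingress filtering of forged source addresses) can be seen together in a small model. The following Python is an added illustration, not NORDUnet's code or any vendor's configuration syntax; the Router class, its two knobs and all prefixes and addresses (documentation ranges) are assumptions made for the model.

```python
"""Toy model of the SMURF amplification path and of the two router controls
discussed above: forwarding of directed broadcasts (RFC1812) and ingress
filtering of forged source addresses (RFC2267).

Added illustration, not NORDUnet's code.  All prefixes and addresses are
constructed documentation ranges; the Router class and its knobs are an
assumption made for this model, not any vendor's configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    kind: str  # "echo-request" or "echo-reply"


class Router:
    """Border router of one stub network, with the two relevant knobs."""

    def __init__(self, prefix, forward_directed_broadcast=True, ingress_filter=False):
        self.prefix = IPv4Network(prefix)
        self.hosts = list(self.prefix.hosts())      # every host answers a ping
        # RFC1812 default: directed broadcasts are forwarded unless turned off.
        self.forward_directed_broadcast = forward_directed_broadcast
        # RFC2267 ingress filtering: only packets whose source lies inside
        # our own prefix may leave the network.
        self.ingress_filter = ingress_filter

    def egress(self, pkt):
        """Return True if a packet from the local network may leave it."""
        if self.ingress_filter and pkt.src not in self.prefix:
            return False
        return True

    def deliver(self, pkt):
        """Handle a packet arriving from outside; return the replies sent back."""
        if pkt.dst == self.prefix.broadcast_address:
            # Network-directed broadcast: one request reaches every host.
            if not self.forward_directed_broadcast or pkt.kind != "echo-request":
                return []
            return [Packet(h, pkt.src, "echo-reply") for h in self.hosts]
        if pkt.dst in self.prefix and pkt.kind == "echo-request":
            return [Packet(pkt.dst, pkt.src, "echo-reply")]   # ordinary unicast ping
        return []


def replies_at_victim(origin_net, amplifier_net, victim, requests):
    """Count (requests that left origin_net, echo replies that reach victim)
    when a host in origin_net sends `requests` echo requests carrying the
    victim's address as a forged source to the amplifier's broadcast address."""
    forged = Packet(IPv4Address(victim),
                    amplifier_net.prefix.broadcast_address, "echo-request")
    sent = replies = 0
    for _ in range(requests):
        if not origin_net.egress(forged):
            continue                       # stopped at the origin's own border
        sent += 1
        replies += sum(1 for r in amplifier_net.deliver(forged) if r.dst == forged.src)
    return sent, replies


def compare_configurations(requests=10):
    """Replies reaching the victim per configuration; the amplifier is a /24."""
    victim = "203.0.113.5"                  # constructed victim address
    cases = {
        "rfc1812 defaults":      (True,  False),
        "no directed broadcast": (False, False),
        "ingress filtering":     (True,  True),
    }
    out = {}
    for label, (forward, filt) in cases.items():
        origin = Router("198.51.100.0/24", ingress_filter=filt)
        amplifier = Router("192.0.2.0/24", forward_directed_broadcast=forward)
        out[label] = replies_at_victim(origin, amplifier, victim, requests)
    return out


if __name__ == "__main__":
    for label, (sent, got) in compare_configurations().items():
        print(f"{label:24s} sent={sent:3d} replies at victim={got}")
```

With the RFC1812 defaults, ten requests into a /24 amplifier produce 2540 replies at the victim (254 hosts answer each one); turning off directed-broadcast forwarding on the amplifier's router reduces that to zero, and ingress filtering at the originating network's border stops the forged requests before they leave at all. The two controls protect different parties: the first keeps your network from being used as an amplifier, the second keeps it from being used as a launch point.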
Since SMURF attacks use forged source addresses, tracking SMURF attacks back to their source can be a challenge. It has to be done while the attack is ongoing, and requires the swift cooperation of all the network service providers along the path. In practice this has proven to be quite difficult. Instead, what we have done in NORDUnet is to set a rate-limit on the volume of ICMP Echo Reply traffic we allow into NORDUnet. This is so that we can «soften» the effect of an attack originated outside of NORDUnet directed at a host inside NORDUnet.
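The rate-limit measure just described can be modelled as a token bucket applied only to ICMP Echo Reply traffic entering the network. The Python below is an added illustration, not NORDUnet's router configuration; the packet stream (a trickle of legitimate replies, a half-second reply flood of the kind an amplifier network would send, and unrelated TCP traffic) is constructed, and the rate and burst values are arbitrary choices.

```python
"""Token-bucket rate limit on ICMP Echo Reply traffic entering a network,
modelling the 'soften the effect' measure described above.

Added illustration, not NORDUnet's router configuration.  The packet stream
below is constructed: a trickle of legitimate replies, a burst of replies of
the kind an amplifier network would send, and unrelated TCP traffic that the
limiter must leave alone.  Rate and burst values are arbitrary choices.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate_bps: float       # sustained allowance, bytes per second
    burst_bytes: float    # bucket depth; bounds how much a burst can get through
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst_bytes    # start full

    def allow(self, now, size):
        """Refill for elapsed time, then admit the packet if tokens suffice."""
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


ECHO_REPLY = 0   # ICMP type 0


def limit_echo_replies(packets, rate_bps, burst_bytes):
    """packets: (time_s, proto, icmp_type, size_bytes, label).  Only ICMP echo
    replies go through the bucket; everything else is forwarded untouched.
    `label` is bookkeeping for the example and is invisible to the limiter.
    Returns two Counters keyed by label: forwarded and dropped."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    forwarded, dropped = Counter(), Counter()
    for t, proto, itype, size, label in sorted(packets, key=lambda p: p[0]):
        if proto == "icmp" and itype == ECHO_REPLY and not bucket.allow(t, size):
            dropped[label] += 1
        else:
            forwarded[label] += 1
    return forwarded, dropped


def constructed_stream():
    """Constructed sample: 10 s of traffic with a half-second reply flood at t=5."""
    pkts = []
    for i in range(20):                                   # one legitimate reply per 0.5 s
        pkts.append((i * 0.5, "icmp", ECHO_REPLY, 64, "background"))
    for i in range(10):                                   # some TCP, must never be limited
        pkts.append((i * 1.0 + 0.25, "tcp", None, 1500, "tcp"))
    for i in range(1000):                                 # flood: 1000 replies in 0.5 s
        pkts.append((5.0 + i * 0.0005, "icmp", ECHO_REPLY, 1000, "flood"))
    return pkts


def run_example():
    # 64 kbit/s = 8000 bytes/s sustained, 16000-byte burst allowance.
    return limit_echo_replies(constructed_stream(), rate_bps=8000, burst_bytes=16000)


if __name__ == "__main__":
    fwd, drp = run_example()
    for label in ("background", "tcp", "flood"):
        print(f"{label:10s} forwarded={fwd[label]:4d} dropped={drp[label]:4d}")
```

The bucket lets the first burst_bytes of replies through and then admits only rate_bps worth per second, so the flood is clipped to a few percent of its volume while TCP traffic is untouched. The cost of this measure is also visible: a legitimate reply that arrives while the bucket is drained by the flood is dropped too, which is why it softens an attack rather than preventing one.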
For more detailed instructions on how to take precautionary measures, see Craig A. Huegen's page describing SMURF attacks. There is also an informal SMURF Amplifier Registry housed by the Norwegian ISP PowerTech, which in the form of a «hall of shame» lists active amplifier networks. It might be a good idea to check that your network is not on this list.