These days Smurf DDoS attack is one of the most common forms of cyberattacks that we need to take care of to secure our network.
A Smurf attack is a network layer distributed denial of service (DDoS) attack, named after the DDoS.Smurf malware.
In this, an attacker attempts to flood a targeted server with Internet Control Message Protocol (ICMP) packets.
This initially triggers high traffic on the server and potentially overwhelming the target, rendering it inaccessible.
Here at Bobcares we often get requests to mitigate smurf attacks from our customers as a part of our Server Management Services.
Today let’s see how the steps followed by our support techs to mitigate.
What is a Smurf DDoS attack?
In a smurf attack, the attacker tries to make multiple requests with the spoofed IP address of the targeted device or networks resulting in high traffic on the target device.
Smurf attacks often exploit characteristics of broadcast networks.
How does a Smurf attack work?
1. Initially, a ping (ICMP packets) is used to see if a device is operational, and to track the amount of time it takes for the message to go round trip from the source device to the target and back to the source.
2. Smurf malware builds a spoofed packet that contains the source address set to the real IP address of the targeted victim.
3. This packet is then sent to an IP broadcast address of a router or firewall which will send the request to every host device inside the broadcasting network.
4. This will increase the number of requests from the number of networked devices on the network.
5. All the devices which receive the request responds to the spoofed address of the target with an ICMP Echo Reply packet.
4. The target will end up receiving a huge number of ICMP Echo Reply packets resulting in denial-of-service to legitimate traffic.
Types of Smurf DDoS Attacks
Following are the two types of Smurf Attacks:
* Basic Attack
A basic smurf attack occurs when we get ICMP request packet flood and high traffic as a result.
The packets contain a source address that is set to the broadcast address of the target’s network.
If the packets disperse correctly, every device that connects to the network on target it will reply to the ICMP request with an echo, resulting in a lot of traffic and possibly crashing the server.
* Advanced Attack
These start very similarly to a basic attack. The difference is that the echo-request will configure its source to respond to a third-party victim.
This third-party victim will then receive the echo request that originates from the targeted subnet.
How can a Smurf attack be mitigated?
1. First we can disable the IP broadcasting addresses at each network router and a firewall is one way to mitigate this attack.
In the older routers broadcasting is enabled by default.
2. After that we will try reconfiguring the operating system to disallow ICMP responses to IP broadcast requests.
3. Reconfiguring the perimeter firewall to disallow pings originating from outside the network.
[Facing Smurf DDoS attack? We are happy to help you!]
To conclude, we saw the measures taken by our Support Engineers to mitigate Smurf DDoS attacks.