Need help?

Our experts have had an average response time of 12.14 minutes in September 2021 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

Smurf DDoS attack – How to mitigate

by | Jan 26, 2021

These days Smurf DDoS attack is one of the most common forms of cyberattacks that we need to take care of to secure our network.

A Smurf attack is a network layer distributed denial of service (DDoS) attack, named after the DDoS.Smurf malware.

In this, an attacker attempts to flood a targeted server with Internet Control Message Protocol (ICMP) packets.

This initially triggers high traffic on the server and potentially overwhelming the target, rendering it inaccessible.

Here at Bobcares we often get requests to mitigate smurf attacks from our customers as a part of our Server Management Services.

Today let’s see how the steps followed by our support techs to mitigate.


What is a Smurf DDoS attack?

In a smurf attack, the attacker tries to make multiple requests with the spoofed IP address of the targeted device or networks resulting in high traffic on the target device.

Smurf attacks often exploit characteristics of broadcast networks.


How does a Smurf attack work?

1. Initially, a ping (ICMP packets) is used to see if a device is operational, and to track the amount of time it takes for the message to go round trip from the source device to the target and back to the source.

2. Smurf malware builds a spoofed packet that contains the source address set to the real IP address of the targeted victim.

3. This packet is then sent to an IP broadcast address of a router or firewall which will send the request to every host device inside the broadcasting network.

4. This will increase the number of requests from the number of networked devices on the network.

5. All the devices which receive the request responds to the spoofed address of the target with an ICMP Echo Reply packet.

4. The target will end up receiving a huge number of  ICMP Echo Reply packets resulting in denial-of-service to legitimate traffic.


Types of Smurf DDoS Attacks

Following are the two types of Smurf Attacks:

* Basic Attack

A basic smurf attack occurs when we get ICMP request packet flood and high traffic as a result.

The packets contain a source address that is set to the broadcast address of the target’s network.

If the packets disperse correctly, every device that connects to the network on target it will reply to the ICMP request with an echo, resulting in a lot of traffic and possibly crashing the server.

* Advanced Attack

These start very similarly to a basic attack. The difference is that the echo-request will configure its source to respond to a third-party victim.

This third-party victim will then receive the echo request that originates from the targeted subnet.


How can a Smurf attack be mitigated?

1. First we can disable the IP broadcasting addresses at each network router and a firewall is one way to mitigate this attack.

In the older routers broadcasting is enabled by default.

2. After that we will try reconfiguring the operating system to disallow ICMP responses to IP broadcast requests.

3. Reconfiguring the perimeter firewall to disallow pings originating from outside the network.

[Facing Smurf DDoS attack? We are happy to help you!]



To conclude, we saw the measures taken by our Support Engineers to mitigate Smurf DDoS attacks.


Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.


var google_conversion_label = "owonCMyG5nEQ0aD71QM";


Submit a Comment

Your email address will not be published. Required fields are marked *

Privacy Preference Center


Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]


Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid


Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie


These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.