The Smurf DDoS attack takes its name from the tool used to execute it. The smurf.c program, usually referred to as the Smurf malware, was written in 1997 by a teenager, Dan Moschuk. At first he shared it only with his friends, but before long smurf.c was being used to knock Internet Relay Chat (IRC) servers offline.
For Dan, this was an achievement. For the world, it was another threat to worry about.
Smurf proved effective, and that encouraged him to make it more harmful. Later he released fraggle.c, a variant of Smurf that uses UDP (the echo service on port 7) instead of ICMP.
What is a Smurf DDoS attack?
A Smurf Distributed Denial of Service (DDoS) attack is a protocol-based attack. Its goal is to exhaust a network's resources so that they are no longer available to legitimate clients.
Smurf abuses the Internet Control Message Protocol (ICMP). The attacker sends ICMP echo requests (pings) whose source address is forged to be the target's, addressed to the broadcast address of one or more networks. Every host on those networks answers with an echo reply, and because of the forged source address every reply goes to the target. One forged request thus produces one reply per host, so a modest stream of requests from the attacker becomes a flood at the target. The target's bandwidth is consumed far faster than normal, the service goes down, and an unavailable service means money lost for your business.
How does it work?
There are variants, but the general steps the attack follows are these.
Everything begins with the Smurf tool forging the source IP address of its ICMP echo request packets to be the target's address. Any reply to those packets will therefore be sent to the target, not to the attacker.
Then, to amplify the traffic, the spoofed packets are sent to the directed broadcast address of a network (for example 192.0.2.255 for the network 192.0.2.0/24). If that network's router forwards directed broadcasts, every host on the network receives the request.
Finally, every host that received the request replies to the forged source address, that is, to the target. A /24 with 254 responding hosts turns each attacker packet into 254 reply packets aimed at the target, and the attacker can use several such amplifier networks at once.
The target now has to absorb all these unsolicited replies: the more that arrive, the harder they are to handle. The ICMP echo replies can consume the whole of its link bandwidth and its capacity to process packets, leaving nothing for legitimate clients' requests. At that point the attacker's objective is reached: users see a denial of service.
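The amplification described above, modelled in Python as an added example (not code from the original article and not the smurf.c tool itself). The addresses are documentation ranges chosen as assumptions; the simulation delivers spoofed echo requests to a /24 and counts what reaches the victim, once with nothing hardened and then with the two countermeasures that stop the reflection: the router refusing directed broadcasts and the hosts ignoring broadcast echo requests.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed scenario (assumption, not from the article): an attacker sends ICMP
# echo requests with the source forged to the victim, addressed to the directed
# broadcast address of a reflector network. Documentation address ranges are used.
REFLECTOR_NET = IPv4Network("192.0.2.0/24")
VICTIM = IPv4Address("198.51.100.10")
ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    icmp_type: int
    size: int  # bytes on the wire


@dataclass
class Host:
    addr: IPv4Address
    # Models Linux net.ipv4.icmp_echo_ignore_broadcasts=1: echo requests
    # addressed to a broadcast address are silently dropped.
    ignore_broadcast_echo: bool = False

    def receive(self, pkt: Packet, broadcast: IPv4Address) -> list:
        if pkt.icmp_type != ECHO_REQUEST:
            return []
        if pkt.dst == broadcast and self.ignore_broadcast_echo:
            return []
        # The reply goes to the packet's *source* address, i.e. the spoofed victim.
        return [Packet(self.addr, pkt.src, ECHO_REPLY, pkt.size)]


def reflect(packets, hosts, net, forward_directed_broadcast=True):
    """Deliver attacker packets into the reflector network; return what reaches the victim."""
    bcast = net.broadcast_address
    replies = []
    for pkt in packets:
        if pkt.dst == bcast:
            # The border router either forwards the directed broadcast to every host
            # (pre-RFC 2644 behaviour) or drops it ('no ip directed-broadcast').
            if not forward_directed_broadcast:
                continue
            targets = hosts
        else:
            targets = [h for h in hosts if h.addr == pkt.dst]
        for h in targets:
            replies.extend(h.receive(pkt, bcast))
    return replies


def amplification_factor(sent, received):
    """Bytes arriving at the victim per byte the attacker transmitted."""
    sent_bytes = sum(p.size for p in sent)
    return sum(p.size for p in received) / sent_bytes if sent_bytes else 0.0


def simulate(attacker_packets=10, packet_size=64):
    spoofed = [Packet(VICTIM, REFLECTOR_NET.broadcast_address, ECHO_REQUEST, packet_size)
               for _ in range(attacker_packets)]
    addrs = list(REFLECTOR_NET.hosts())  # 254 usable hosts in a /24
    results = {}
    # 1. Nothing hardened: every host answers the broadcast, all replies hit the victim.
    hosts = [Host(a) for a in addrs]
    results["vulnerable"] = amplification_factor(spoofed, reflect(spoofed, hosts, REFLECTOR_NET))
    # 2. The router refuses to forward directed broadcasts.
    results["router_hardened"] = amplification_factor(
        spoofed, reflect(spoofed, hosts, REFLECTOR_NET, forward_directed_broadcast=False))
    # 3. The router still forwards, but the hosts ignore broadcast echo requests.
    hardened = [Host(a, ignore_broadcast_echo=True) for a in addrs]
    results["hosts_hardened"] = amplification_factor(spoofed, reflect(spoofed, hardened, REFLECTOR_NET))
    return results


if __name__ == "__main__":
    for name, factor in simulate().items():
        print(f"{name:16s} amplification x{factor:g}")
```

With nothing hardened the factor equals the number of responding hosts (254 for a full /24): the attacker's 640 bytes become 162,560 bytes at the victim. Either countermeasure alone brings the reflected traffic to zero, which is why both the router default (RFC 2644) and the host default (Linux ignores broadcast echoes) were changed.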
Can a Smurf DDoS attack be prevented or mitigated?
Yes, there are actions you can take to prevent or mitigate a Smurf DDoS attack.
- Get an anti-DDoS solution (upstream scrubbing) for your servers. A bandwidth flood has to be stopped before it reaches your link, so filtering only at your own edge is not enough.
- Monitor your traffic in detail to detect unusual loads and spikes, and check packet volumes and signatures. The Smurf signature is a burst of ICMP echo replies from many hosts of the same network to one of your addresses that never sent the matching echo requests.
- Be aware of bandwidth behaviour. For example, uncommonly fast consumption could indicate a Smurf DDoS attack attempt.
- Get redundancy and a load balancing solution to distribute traffic across servers and, ideally, across sites and links. Note that balancing helps with server load, not with a single saturated link: if all the servers sit behind one link, the flood still fills it.
- Configure hosts not to respond to ICMP echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1, which is the default). This keeps your hosts from being used as amplifiers.
- Configure routers not to forward IP directed broadcasts (RFC 2644; on Cisco IOS, no ip directed-broadcast, the default since IOS 12.0). This keeps your network from being used as an amplifier even if individual hosts still answer.
- Configure the perimeter firewall to block or rate-limit ICMP echo requests coming from outside the network, and to rate-limit inbound echo replies to your servers. Bear in mind that this protects only what sits behind the firewall; the upstream link can still be saturated.
- Apply ingress filtering at your network edge (BCP 38, RFC 2827) so that packets with forged source addresses cannot leave your network. Smurf depends entirely on spoofed sources being forwarded, so every network that filters removes a place the attack can be launched from.
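The detection logic from the monitoring point above, as an added example that is not part of the original article: a small detector run over constructed NetFlow-style records (not real captures). It treats an echo reply as unsolicited when the destination never sent an echo request to that source, then flags any destination that receives a burst of unsolicited replies from many distinct sources inside one time window. The record format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str
    dst: str
    proto: str
    icmp_type: int   # -1 for non-ICMP records
    size: int        # bytes


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src dst proto icmp_type bytes (assumed format)."""
    ts, src, dst, proto, icmp_type, size = line.split()
    return Flow(int(ts), src, dst, proto, int(icmp_type), int(size))


def detect_smurf(flows, window=5, min_unsolicited=100, min_sources=50):
    """Flag hosts receiving a burst of echo replies they never asked for.

    Replies are grouped per destination into fixed windows of `window` seconds. A reply
    is unsolicited when no echo request from that destination to that source appears in
    the data. An alert needs both many unsolicited replies and many distinct sources,
    which is what distinguishes reflection from a single chatty host.
    """
    flows = list(flows)
    requested = {(f.src, f.dst) for f in flows
                 if f.proto == "icmp" and f.icmp_type == ECHO_REQUEST}
    buckets = defaultdict(list)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == ECHO_REPLY:
            buckets[(f.dst, f.ts // window)].append(f)
    alerts = []
    for (dst, bucket), replies in sorted(buckets.items()):
        unsolicited = [r for r in replies if (dst, r.src) not in requested]
        sources = {r.src for r in unsolicited}
        if len(unsolicited) >= min_unsolicited and len(sources) >= min_sources:
            # Collapse the sources to /24s: Smurf replies come from whole broadcast domains.
            nets = sorted({str(ip_network(f"{s}/24", strict=False)) for s in sources})
            alerts.append({
                "dst": dst,
                "window_start": bucket * window,
                "unsolicited_replies": len(unsolicited),
                "distinct_sources": len(sources),
                "bytes": sum(r.size for r in unsolicited),
                "reflector_networks": nets,
            })
    return alerts


def constructed_sample():
    """Constructed records (assumption, not a real capture): one legitimate ping exchange,
    unrelated traffic, then a Smurf burst in which every host of 192.0.2.0/24 replies."""
    victim, reflector = "198.51.100.10", ip_network("192.0.2.0/24")
    lines = [
        f"1700000000 {victim} 192.0.2.7 icmp 8 64",      # victim pings one host...
        f"1700000000 192.0.2.7 {victim} icmp 0 64",      # ...and gets a solicited reply
        "1700000001 203.0.113.5 192.0.2.9 icmp 8 64",    # unrelated ping
        "1700000001 192.0.2.9 203.0.113.5 icmp 0 64",
        f"1700000002 203.0.113.5 {victim} tcp -1 1500",  # ordinary TCP flow
    ]
    # The reflected burst: replies from all 254 hosts within two seconds.
    lines += [f"{1700000003 + i % 2} {h} {victim} icmp 0 1500"
              for i, h in enumerate(reflector.hosts())]
    return lines


def run_demo():
    return detect_smurf(parse_flow(line) for line in constructed_sample())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The sample produces a single alert for the victim: 253 unsolicited replies from 253 sources, all in 192.0.2.0/24 (the reply from 192.0.2.7 is excused because the victim did ping that host). In a real deployment the solicited set should be time-bounded rather than built from the whole data set, and the thresholds tuned to the site's normal ICMP volume.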
Conclusion.
Don’t underestimate the danger of a Smurf DDoS attack. Put the measures to prevent or mitigate it in place before it hits you.