Figure 311 Smurf Attack

At the bottom of Figure 3-11 you can see the attacker sending an ICMP echo request packet to the broadcast address of the bounce network. The bounce network is not the actual attack target, though it often experiences an indirect denial of service effect as a result. The ICMP packet has a spoofed source address from a device on the victim network (typically a router interface). The smurf attack is a type of amplification attack because when the single spoofed broadcast ping arrives at the bounce network, each host on that network responds with a unique ping packet to the victim of the attack. Consider an attacker that is able to generate a 768 kilobits per second (kbps) stream of broadcast ping packets to a bounce network with 100 hosts. This will turn into a 76.8 megabits per second (Mbps) stream when the return traffic is sent to the victim network. The larger the bounce network, the larger the amplification.

It is important to note that the router configuration command no ip directed-broadcast prevents your network from being the source of a smurf attack, not the victim of one. If you are the victim, you see large quantities of unicast ICMP echo reply messages, which must be filtered with a technology such as Committed Access Rate (CAR). More details about stopping smurf attacks and other attacks with a denial of service result can be found in the "DoS Design Considerations" section of Chapter 6.

100 SEO Tips

100 SEO Tips

100 SEO Tips EVERY SEO Enthusiast Should Know. This Report 100 SEO Tips will help you to Utilize These Tips to Dominate The Search Engine Today.

Get My Free Ebook


Post a comment