DoS, Smurf, and Fraggle Attacks

Posted by in (ISC)2, CISSP, CompTIA, Security+, SSCP | 4 comments

DoS, Smurf, and Fraggle Attacks

Denial of service (DoS) attacks such as smurf and fraggle attacks are important to understand when studying for any security certification including Security+, SSCP, or CISSP. Smurf and fraggle attacks are similar but they have subtle differences.

DoS Attack

A DoS attack comes from a single entity and is intended to make a computer’s resources or services unavailable to users. DoS attacks against a server prevent the server from responding to legitimate requests from users. A distributed DoS (DDoS) attack comes from multiple attackers at the same time.


Pass the Security+ exam the first time you take it.
CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide


Smurf Attack

A smurf attack uses Internet Control Management Protocol (ICMP) to send a broadcast ping with a spoofed source address. It’s easier to understand this by looking at one step at a time.

  • Normal ping. A regular ping sends one or more ICMP echo requests to a system and the system responds with one or more ICMP echo replies. This provides verification the remote system is operational. A regular ping uses unicast. In other words, the ICMP packet is addressed to one system from one system.
  • Broadcast ping. A broadcast ping is not normal. It sends the ICMP echo request to a broadcast address sending it to virtually all systems on the network. Each system will then respond to the system that sent it flooding this system with ICMP echo replies.
  • Spoofed source broadcast ping. The smurf attack spoofs the source address with the address of the victim, and then sends it out as a broadcast ping. Each system on the network will then respond, and flood the victim with echo replies.

There’s an important point to remember though. Routers do not pass broadcast packets. This was actually a change in RFC 2644 released in 1999 in direct response to smurf attacks and the use of networks as smurf amplifiers. RFC 2644 is an update to RFC 1812 which stated that a router must default to forwarding directed broadcasts. Routers today comply with RFC 2644 so smurf attacks are limited to a broadcast domain. They will not go beyond a router.

With this in mind, it would be rare to see a smurf attack. However, that doesn’t mean it won’t be tested.

Note: Many firewalls block ICMP packets to prevent any type of attack using ICMP. If a ping succeeds, it verifies that the system is operational. However, if a ping fails it doesn’t prove that the system is not operational. ICMP may be blocked preventing the ping.

Security+ Full Access Package

Get Certified Get Ahead Security+

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access For Only $55.98

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. They can also be used to help ensure you're ready no matter what study guide you're using.

This exam is expensive.

Make sure you're ready before exam day. 

Here's what you'll get:
  • All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. See a demo here. All questions have full explanations so you'll know why the correct answers are correct and why the incorrect answers are incorrect.
  • Over 35 new multiple-choice questions we've added after publishing the study guide.
  • Over 70 performance-based questions. See a demo here.
  • All of the flashcards from the study guide. View them in any Web browser.
  • All of the audio from the study guide. Listen to a sample here.
  • A subnetting mini-tutorial to help you answer key question types in the Security+ exam.
  • Access to a free discount code for 10% off your Security+ voucher. Save $31.10 off the US retail cost for this voucher.

Buy The Full Access Study Package Today

60 Days Access For Only $55.98

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here


Studying SSCP?
This book covers the new objectives effective Feb 1, 2012.
SSCP Systems Security Certified Practitioner All-in-One Exam Guide


Fraggle Attack

Fraggle attacks are similar to smurf attacks but instead of using ICMP, they use UDP ports 7 and 19.

As described earlier, the ping command uses ICMP and it is used to check if a system is operational. Tools are available that use UDP instead of ICMP and instead of checking to see if a system is operational, they check to see if the system is listening on a specific port. This is commonly done with many different types of vulnerability scanners used by both attackers and security administrators.

Chargen (character generator) is an older protocol described in RFC 864 (dated May 1983). A system listens on either TCP or UDP port 19 (known as the chargen port) for chargen requests. When a connection is established to this port, the system would respond with a constant stream of characters to the original system. Typically the original system would use TCP or UDP port 7 (known as the echo port) but this isn’t required. When the original system begins receiving the characters, it knows the target system is operational, and closes the connection.

In a fraggle attack, a spoofed broadcast packet is sent to port 19. The spoofed address is the address of the victim. Since it is broadcast, it goes to every system on the network. If port 19 is open and the character generator service is running on these systems, they will send a stream of characters to the victim.

Realistically, systems today will not have port 7 open or the chargen service running on port 19. Additionally, routers do not pass broadcasts so any attacks are limited to a single network. Said another way, it is very unlikely you will ever see a fraggle attack today.


Looking for quality Practice Test Questions for the SY0-401 Security+ exam?
CompTIA Security+: Get Certified Get Ahead- SY0-401 Practice Test Questions


Basic Protection

In addition to ensuring that routers are configured in compliance with RFC 2644 and do not pass broadcasts, there are some other basic steps that protect you from these types of attacks:

  • Disable unnecessary services and protocols. If a service or protocol is not needed on a system, it should not be enabled. I cannot think of a system in use today that would need the chargen service so it should be disabled if it is even available on the system.
  • Close unneeded ports. If a port is not needed, it should be closed on both network-based and host-based firewalls. With the port closed, all traffic is blocked and attacks are stopped.
  • Use ingress filters on firewalls. Don’t allow traffic into a network that shouldn’t be there. A common ingress filter on a boundary firewall (between the Internet and an internal network), blocks all traffic coming from the Internet with a spoofed private IP address.

Master Security+ Performance Based Questions Video

Security+ Practice Test Questions

SYO-501 Practice Test Questions Now Available

SYO-401 Practice Test Questions

Over 440 realistic Security+ practice test questions

All questions include explanations so you'll know why the correct answers are correct,

and why the incorrect answers are incorrect.

Pass the Security+ Exam

the First Time You Take It

Multiple quiz formats to let you use these questions based on the way you learn.
  • Learn mode - randomized. View each of the questions in random order. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you'll see the explanation. Click here to see how learn mode works.
  • Learn mode - not randomized. View each of the questions in the same order. Use this if you want to make sure that you see all of the questions. Learn mode allows you to keep selecting answers until you select the correct answer. Once you select the correct answer, you'll see the explanation. Click here to see how learn mode works.
  • Test mode - randomized. View each of the questions in random order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode - not randomized. View each of the questions in the same order. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.
  • Test mode - 100 random questions. View 100 random questions from the full test bank similar to how the Security+ exam has a potential maximum of 100 multiple choice questions. In test mode, you can only see the correct answers and explanations after you complete the test. Click here to see how test mode works.

Get the full bank of Security+ (SYO-401) Practice Test Questions Here

 SYO-401 Practice Test Questions


INCLUDES QUESTIONS TO HELP YOU PREPARE

FOR THE NEW PERFORMANCE BASED QUESTIONS 

Bonus - Performance Based Questions

Additional Security+ questions to help you prepare for the new performance based questions. These are included with the full bank of Security+ practice test questions and are divided into different sections. For example, you'll have access to the following links:

- Performance Based Question - Set 1

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of security to mobile devices and servers in a data center. You'll then have two questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 2

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of attacks with the name of the attack type. You'll then have five questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 3

You'll see a graphic showing a network with computers and servers separated by a firewall. The firewall is used to control traffic between the computers and users using rules within an access control list (ACL).  You'll have three questions that test your knowledge and ability to correctly identify the relevant components of the rule. The incorrect answers and explanation provide you with insight into how to correctly answer this type of question on the actual exam.

- Performance Based Question - Set 4

You'll see a graphic explaining what you might be required to do on the actual exam related to what a forensic analyst would do during an investigation. You'll then have two questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 5

You'll see a graphic explaining what you might be required to do on the actual exam to match protocols and ports. You'll then have seven questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 6

You'll see a list of security controls along with a graphic showing devices and locations within an organization, along with instructions on what you might be required to do on the actual exam to match the controls with the devices and locations. You'll then have four questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 7

You'll see a list of authentication methods and authentication factors along with instructions on what you might be required to do on the actual exam to match the authentication methods with the authentication factors. You'll then have six questions that test your knowledge and ability to correctly answer the questions. This set also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 8

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of attacks with the name of the attack type. You'll then have five questions that test your knowledge and ability to correctly answer the questions. This is similar to Set 2 but expands on the possibilities. The set also includes a link to a page showing the end solution for the overall performance based question simulation.

New - Performance Based Question - Set 9

New questions recently added using a different testing engine. See a demo here. This set includes drag and drop and matching questions on ports.

New - Performance Based Question - Set 10

A random set of 20 performance-based questions using drag and drop, matching, sorting, and fill in-the blank. This set includes performance-based questions on RAID.

Get the full bank of Security+ (SYO-401) Practice Test Questions Here

Get the full bank of Security+ Practice Test Questions

Click here if you're looking for SYO-501 Practice Test Questions

Simulated Performance-based Questions

Bonus - Performance Based Questions

Simulated performance-based questions included with all

packages that include practice test questions.

Additional Security+ questions to help you prepare for the new performance based questions. These are included with the full bank of Security+ practice test questions and are divided into different sections. For example, you'll have access to the following links:

- Performance Based Question - Set 1

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of security to mobile devices and servers in a data center. You'll then have two questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 2

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of attacks with the name of the attack type. You'll then have five questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 3

You'll see a graphic showing a network with computers and servers separated by a firewall. The firewall is used to control traffic between the computers and users using rules within an access control list (ACL).  You'll have three questions that test your knowledge and ability to correctly identify the relevant components of the rule. The incorrect answers and explanation provide you with insight into how to correctly answer this type of question on the actual exam.

- Performance Based Question - Set 4

You'll see a graphic explaining what you might be required to do on the actual exam related to what a forensic analyst would do during an investigation. You'll then have two questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 5

You'll see a graphic explaining what you might be required to do on the actual exam to match protocols and ports. You'll then have seven questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 6

You'll see a list of security controls along with a graphic showing devices and locations within an organization, along with instructions on what you might be required to do on the actual exam to match the controls with the devices and locations. You'll then have four questions that test your knowledge and ability to correctly answer the questions. This question also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 7

You'll see a list of authentication methods and authentication factors along with instructions on what you might be required to do on the actual exam to match the authentication methods with the authentication factors. You'll then have six questions that test your knowledge and ability to correctly answer the questions. This set also includes a link to a graphic showing the end solution for the overall performance based question simulation.

- Performance Based Question - Set 8

You'll see a graphic explaining what you might be required to do on the actual exam to match different types of attacks with the name of the attack type. You'll then have five questions that test your knowledge and ability to correctly answer the questions. This is similar to Set 2 but expands on the possibilities. The set also includes a link to a page showing the end solution for the overall performance based question simulation.

New - Performance Based Question - Set 9

New questions recently added using a different testing engine. See a demo here. This set includes drag and drop and matching questions on ports.

New - Performance Based Question - Set 10

A random set of 20 performance-based questions using drag and drop, matching, sorting, and fill in-the blank. This set includes performance-based questions on RAID.

Get the full bank of Security+ Practice Test Questions Here

Simulated performance-based questions included with

all packages that include practice test questions.

Summary

In summary, DoS attacks such as smurf and fraggle attacks attempt to prevent a system from responding to legitimate requests. A smurf attack sends a broadcast ping with a spoofed IP address (the IP address of the victim), and ping uses ICMP. A fraggle attack uses UDP ports 7 and 19 instead of ICMP, and sends broadcast UDP traffic with a spoofed IP address (the IP address of the victim).

4 Comments

  1. Nice clear description – thanks.

    Can I just clarify though – in the summary, should “legitimate attacks” actually read “legitimate requests”?

    Thanks for the article.

    TJ

    • Thanks for the feedback. You’re correct and I changed it.

  2. You have listed ” In a fraggle attack, a spoofed broadcast packet is sent to port 17. .. . ” Above you have told that “UDP port 19 is chargen port ” … So broadcast should be sent to port 19 correct !! .

    • Thanks for the feedback. You are correct that port 17 is incorrect and it should be port 19. I corrected it in the post.

      Thanks again.

Leave a Comment

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.  This excerpt includes the introduction and Chapter 1.

You have Successfully Subscribed!

Get Certified Get Ahead is a participant in the Amazon Services LLC Associates Program,
an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.

Copyright © 2015 Get Certified Get Ahead. All Rights Reserved.