If you’re plan to take the Security+, SSCP, or CISSP exam, you should know about many of the attack types such as the smurf attack. As an example, Objective “3.2 Analyze and differentiate among types of attacks” for the CompTIA Security+ exam lists several common types of attacks including the smurf attack.
A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. That’s a complex sentence, so it’s worthwhile breaking this down.
A Ping is Normally Unicast
A ping is normally a unicast message sent from one computer to one computer. It sends ICMP echo requests to one computer, and the receiving computer responds with ICMP echo responses. Figure 1 shows how this works. Computer 1 is sending out a unicast ping to computer 3 and computer 3 responds with ICMP replies.
If you receive the responses you know that the other computer is operational.
Note: Because ICMP is used in many types of attacks, many firewalls block ICMP echo requests. If you don’t receive ping responses back it doesn’t necessarily mean the other computer is not operational. It could be because the ping is being blocked by a firewall.
On Windows systems, ping sends out four ICMP requests and gets back four replies. On some other operating systems, ping continues until stopped. You can add the -t switch to ping on Windows systems causing ping requests to continue until stopped.
CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide
A Smurf Attack Sends the Ping Out as a Broadcast
Instead of using a unicast message, a smurf attack sends out the ping request as a broadcast. In a broadcast, one computer sends the packet to all other computers in the subnet. These computers then reply to the single computer that sent the broadcast ping as shown in Figure 2. Computer 1 is sending out a broadcast ping to all the computers on the subnet and each one of them are now responding, flooding the computer with ping replies.
If computer 1 is the attacker, the results of Figure 2 aren’t very beneficial. If something isn’t changed, the attacker gets attacked.
 | Pass the First Time! |
Up-to-date Content
New multiple-choice and performance-based questions added regularly
Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.Buy The Full Access Study Package Today
60 Days Access
Need more time? You can easily renew for another 60 days at a significantly reduced price.
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.
This exam is expensive.
Make sure you’re ready before exam day.
Here’s what you’ll get:- All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
- Realistic SY0-601 Security+ Practice Test Questions
- Performance-based questions.
- All of the flashcards from the study guide. View them in any Web browser. See demo here
- All of the audio from the study guide.
- Access to a free discount code for 10% off your Security+ voucher.
Buy The Full Access Study Package Today
60 Days Access
All materials are available online shortly after making your payment.
The Smurf Attack Spoofs the Source IP
If the source IP address isn’t changed, the computer sending out the broadcast ping will get flooded with the ICMP replies. Instead, the smurf attack substitutes the source IP with the IP address of the victim, and the victim gets flooded with these ICMP replies. Figure 3 shows how computer 1 can send out the smurf attack using computer 2’s IP address as the source IP address. All the computers on the subnet then flood computer 2 with ICMP replies.
| Pass the First Time! |
Up-to-date Content
New multiple-choice and performance-based questions added regularly
Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.Buy The Full Access Study Package Today
60 Days Access
Need more time? You can easily renew for another 60 days at a significantly reduced price.
All materials are available online shortly after making your payment.
Get the Security+ Full Access Study Package Here
Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.
This exam is expensive.
Make sure you’re ready before exam day.
Here’s what you’ll get:- All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
- Over 40 new multiple-choice questions we’ve added after publishing the study guide.
- Over 30 performance-based questions. See a demo here.
- All of the flashcards from the study guide. View them in any Web browser.
- All of the audio from the study guide. Listen to a sample here.
- Access to a free discount code for 10% off your Security+ voucher.
Buy The Full Access Study Package Today
60 Days Access
All materials are available online shortly after making your payment.
Smurf Attacks Use Amplifying Networks
A smurf amplifier is a computer network used in a smurf attack. This is easily prevented by blocking IP directed broadcasts used by smurf attacks. However, if a router or a firewall isn’t configured to protect the network, it can become part of the attack.
Figure 4 shows how this works. The attacker (computer 1) sends a broadcast ping into the amplifying network with a spoofed source IP address of computer 6. Each computer in the amplifying network receives the broadcast and then responds by flooding the victim (computer 6) with ping replies.
Not Blue Packets
The rumor that a smurf attack is one where attackers send out little blue packets that report back to Papa Smurf is simply not true.
Check out these resources
CompTIA Security+: Get Certified Get Ahead- SY0-401 Practice Test Questions [Paperback] or
CompTIA Security+ SY0-401 Practice Test Questions (Get Certified Get Ahead) [Kindle] or
On your mobile phone
Summary
Ensure you understand the basics of a smurf attack when taking any security-based exam such as the Security+, SSCP, or CISSP exams. A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. Smurf attacks are known to use amplifying networks but administrators commonly block this rules on a router or firewall.
I recently took the security+ SYO 301 exam., and there’s a question like this that demonstrate where a computer pings the switch that connects multiple workstations, then the switch now sends out a broadcast to all the workstations including the one that initiates the attack in the first place, and in turn all the workstations or computers, now reply back to just one workstation in the network, thereby crashing it.
My question is, is that no the same as ping-of-death?
By the way, I failed the exam, and am preparing for it by october 1st. I bought one of your online study tool that includes the performance based questions, and its very informative and up to date. Hopefully, I will pass it this time around.
Thank you.
Hi Charles,
What you’re describing is a smurf attack (as described on this page).
Hope you passed it the second time around.
Darril