If you’re planning to take the Security+, SSCP, or CISSP exam, you should know about many attack types, including the smurf attack. As an example, Objective “3.2 Analyze and differentiate among types of attacks” for the CompTIA Security+ exam lists several common types of attacks, including the smurf attack.
A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. That’s a complex sentence, so it’s worthwhile breaking this down.
A Ping is Normally Unicast
A ping is normally a unicast message sent from one computer to one computer. It sends ICMP echo requests to one computer, and the receiving computer responds with ICMP echo responses. Figure 1 shows how this works. Computer 1 is sending out a unicast ping to computer 3 and computer 3 responds with ICMP replies.
If you receive the responses you know that the other computer is operational.
Note: Because ICMP is used in many types of attacks, many firewalls block ICMP echo requests. If you don’t receive ping responses back it doesn’t necessarily mean the other computer is not operational. It could be because the ping is being blocked by a firewall.
On Windows systems, ping sends out four ICMP echo requests and gets back four replies. On some other operating systems, ping continues until stopped. You can add the -t switch to ping on Windows systems to make the ping requests continue until stopped.
A Smurf Attack Sends the Ping Out as a Broadcast
Instead of using a unicast message, a smurf attack sends out the ping request as a broadcast. In a broadcast, one computer sends the packet to all other computers in the subnet. These computers then reply to the single computer that sent the broadcast ping, as shown in Figure 2. Computer 1 is sending out a broadcast ping to all the computers on the subnet, and each one of them is now responding, flooding computer 1 with ping replies.
If computer 1 is the attacker, the results of Figure 2 aren’t very beneficial. If something isn’t changed, the attacker gets attacked.
The Smurf Attack Spoofs the Source IP
If the source IP address isn’t changed, the computer sending out the broadcast ping will get flooded with the ICMP replies. Instead, the smurf attack substitutes the source IP with the IP address of the victim, and the victim gets flooded with these ICMP replies. Figure 3 shows how computer 1 can send out the smurf attack using computer 2’s IP address as the source IP address. All the computers on the subnet then flood computer 2 with ICMP replies.
Smurf Attacks Use Amplifying Networks
A smurf amplifier is a computer network whose hosts receive the broadcast ping and reply to it, so the network itself becomes part of the smurf attack. This is easily prevented by blocking the IP directed broadcasts that smurf attacks rely on. However, if a router or a firewall isn’t configured to protect the network, it can become part of the attack.
Figure 4 shows how this works. The attacker (computer 1) sends a broadcast ping into the amplifying network with a spoofed source IP address of computer 6. Each computer in the amplifying network receives the broadcast and then responds by flooding the victim (computer 6) with ping replies.
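The two signs a defender can look for follow directly from the description above: an ICMP echo request addressed to the subnet’s directed-broadcast address, and a single host receiving echo replies from many peers it never pinged. The following Python is an added example, not code from this article; it runs over a constructed list of flow records (source, destination, ICMP type) modelled on Figures 1 and 3, and the addresses and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (src, dst, icmp_type).
# ICMP type 8 = echo request, type 0 = echo reply. Hypothetical traffic.
SAMPLE_FLOWS = [
    ("10.0.0.1", "10.0.0.3", 8),    # normal unicast ping (Figure 1)
    ("10.0.0.3", "10.0.0.1", 0),    # and its single reply
    ("10.0.0.2", "10.0.0.255", 8),  # broadcast ping; source spoofed as computer 2 (Figure 3)
    ("10.0.0.3", "10.0.0.2", 0),    # every host on the subnet answers computer 2
    ("10.0.0.4", "10.0.0.2", 0),
    ("10.0.0.5", "10.0.0.2", 0),
    ("10.0.0.6", "10.0.0.2", 0),
    ("10.0.0.7", "10.0.0.2", 0),
]


def detect_smurf(flows, network, reply_threshold=4):
    """Return (broadcast_requests, flooded_victims).

    broadcast_requests: echo requests aimed at the subnet's directed-broadcast
    address, which a correctly configured router or firewall should drop.
    flooded_victims: {host: count} for hosts receiving echo replies from at
    least reply_threshold distinct peers they never sent a unicast request to.
    """
    net = ipaddress.ip_network(network)
    requests_sent = defaultdict(set)  # src -> unicast destinations it pinged
    replies_from = defaultdict(set)   # dst -> sources that replied to it
    broadcast_requests = []
    for src, dst, icmp_type in flows:
        if icmp_type == 8:
            if ipaddress.ip_address(dst) == net.broadcast_address:
                broadcast_requests.append((src, dst))
            else:
                requests_sent[src].add(dst)
        elif icmp_type == 0:
            replies_from[dst].add(src)
    flooded = {}
    for victim, sources in replies_from.items():
        # Replies that answer a request the victim actually sent are legitimate.
        unsolicited = sources - requests_sent[victim]
        if len(unsolicited) >= reply_threshold:
            flooded[victim] = len(unsolicited)
    return broadcast_requests, flooded


if __name__ == "__main__":
    print(detect_smurf(SAMPLE_FLOWS, "10.0.0.0/24"))
```

The first signal is also the one to remove at the router: disabling forwarding of directed broadcasts (for example `no ip directed-broadcast` on Cisco IOS interfaces) stops a network from acting as a smurf amplifier.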
Not Blue Packets
The rumor that a smurf attack is one where attackers send out little blue packets that report back to Papa Smurf is simply not true.
Ensure you understand the basics of a smurf attack when taking any security-based exam such as the Security+, SSCP, or CISSP exams. A smurf attack spoofs the source address of a broadcast ping packet to flood a victim with ping replies. Smurf attacks are known to use amplifying networks, but administrators commonly block directed broadcasts with rules on a router or firewall.
2 thoughts on “Smurf Attacks”
I recently took the Security+ SY0-301 exam, and there’s a question like this that demonstrates where a computer pings the switch that connects multiple workstations, then the switch now sends out a broadcast to all the workstations, including the one that initiated the attack in the first place, and in turn all the workstations or computers now reply back to just one workstation in the network, thereby crashing it.
My question is, is that not the same as ping-of-death?
By the way, I failed the exam, and am preparing for it by October 1st. I bought one of your online study tools that includes the performance-based questions, and it’s very informative and up to date. Hopefully, I will pass it this time around.
What you’re describing is a smurf attack (as described on this page).
Hope you passed it the second time around.