Smurf denial of service

smurf (588) The risk level is classified as Medium Risk

Description:

In a Smurf denial of service attack, ICMP echo request (ping) packets addressed to an IP broadcast address cause a large number of responses. When each host on the subnet replies to the same ping request, the large number of responses can consume all available network bandwidth, especially if data is appended to the ping request. This can prevent legitimate traffic from being transmitted during the attack. This attack is frequently used against third parties: the attacker forges one target's address as the source of the ping sent to a different target's broadcast address, so the replies are directed at the forged address. At the extreme, this attack can simultaneously disable both targets.

Windows systems do not respond to broadcast pings. However, this does not mean that all Microsoft networks are invulnerable to Smurf attacks.


Consequences:

Denial of Service

Remedy:

Reconfigure your perimeter router or firewall to block ICMP echo requests on your internal network and block ICMP echo replies from entering your network. This will prevent someone from using your network to mount a Smurf attack against another target. It will also prevent an external attacker from targeting your hosts. However, neither of these actions will stop internal Smurf attacks.
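
Because perimeter filtering does not cover internal traffic, the two patterns described above (an echo request sent to a subnet broadcast address, and echo replies from many hosts converging on one address that never pinged them) can also be checked for in packet records. The following is an added example, not part of the original X-Force entry; the record layout, the function name and the threshold are assumptions, and the sample traffic is constructed.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

def find_smurf_indicators(packets, local_subnets, min_reply_sources=3):
    """Return (amplifier_hits, flooded) for time-ordered ICMP records.

    packets: (src, dst, icmp_type) tuples -- an assumed record layout.
    local_subnets: CIDR strings of the subnets being monitored.
    """
    # Broadcast address -> subnet; /31 and /32 have no usable broadcast.
    broadcasts = {}
    for cidr in local_subnets:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen < 31:
            broadcasts[net.broadcast_address] = net

    amplifier_hits = []             # (subnet, claimed source) pairs
    pinged = set()                  # (requester, target) unicast pings
    unsolicited = defaultdict(set)  # reply destination -> reply senders

    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST:
            subnet = broadcasts.get(ipaddress.ip_address(dst))
            if subnet is not None:
                # The claimed source may be forged; it receives the replies.
                amplifier_hits.append((str(subnet), src))
            else:
                pinged.add((src, dst))
        elif icmp_type == ECHO_REPLY and (dst, src) not in pinged:
            unsolicited[dst].add(src)

    flooded = {dst: len(senders) for dst, senders in unsolicited.items()
               if len(senders) >= min_reply_sources}
    return amplifier_hits, flooded

# Constructed sample traffic (documentation address ranges), not a real capture.
SAMPLE = [
    ("192.0.2.50", "198.51.100.7", ECHO_REQUEST),  # ordinary ping
    ("198.51.100.7", "192.0.2.50", ECHO_REPLY),    # its solicited reply
    ("203.0.113.9", "192.0.2.255", ECHO_REQUEST),  # ping to subnet broadcast
    ("192.0.2.10", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.11", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.12", "203.0.113.9", ECHO_REPLY),
    ("192.0.2.13", "203.0.113.9", ECHO_REPLY),
]

if __name__ == "__main__":
    print(find_smurf_indicators(SAMPLE, ["192.0.2.0/24"]))
```

The ordinary ping and its reply in the sample are not flagged, because the reply matches an earlier unicast request from the same host.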

Platforms Affected:

  • Various vendors: Any application

Reported:

Oct 01, 1997

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net