A smurf attack broadcasts ICMP ping packets to multiple computers on a network but spoofs the source address using the IP address of the attacked system. An ICMP packet normally includes the IP address of the sender in the source IP address field. However, by replacing the IP address with the victim’s IP address, the ICMP packet appears to come from the victim’s computer. By broadcasting the ping, all systems on the subnet receive the echo and respond by flooding the attacked system with echo replies.
Attackers often use an amplifying network in a smurf attack by sending a directed broadcast ping to the amplifying network. A directed broadcast ping goes through a router to the target network and then broadcasts the ping to all the computers on the target network. Each computer on this network then sends pings to the victim’s computer. However, most routers block directed broadcasts, protecting a network from being used as an amplifying network.
A fraggle attack is similar to the smurf attack, but instead of using ICMP packets, it uses User Datagram Protocol (UDP) packets for the attack. It sends packets to UDP port 7 or UDP port 19. Port 7 is the echo port, which works similarly to a ping. Port 19 is the Character Generator Protocol (chargen) port. When chargen is enabled on a system, it will respond with a random character each time it receives any traffic on the port. However, chargen is rarely enabled on current systems.
Published on Thu 02 January 2014 by Ralph Holdsworth in Security with tag(s): attacks smurf fraggle