What was Smurfing all about?

A common way of bringing down a host in the 90s was smurfing. This exploited the Internet Control Message Protocol (ICMP), which enables users to send an echo packet to a remote host to check whether it’s alive. The problem was with broadcast addresses that are shared by a number of hosts. Some implementations of the Internet protocols responded to pings sent to the broadcast address as well as to the local address — so you could test a LAN to see what was alive. A collection of such hosts at a broadcast address is called a smurf amplifier. Bad guys would construct a packet with the source address forged to be that of the victim, and send it to a number of smurf amplifiers. These would then send a flurry of packets to the target, which could swamp it. Smurfing was typically used by kids to take over an Internet Relay Chat (IRC) server, so they could assume control of the chatroom.

For a while this was a big deal, and the protocol standards were changed in August 1999 so that ping packets sent to a broadcast address are no longer answered [1144]. Another part of the fix was socio-economic: vigilante sites produced lists of smurf amplifiers. Diligent administrators spotted their networks on these lists and fixed them; the lazy ones then found that the bad guys used more and more of their bandwidth, and thus got pressured into fixing the problem too. By now (2007), smurfing is more or less fixed; it’s no longer an attack that many people use.

But there’s a useful moral: don’t create amplifiers. When you design a network protocol, be extremely careful to ensure that no one who puts one packet in can get two packets out. It’s also important to avoid feedback and loops. A classic example was source routing, a feature of early IP that enabled the sender of a packet to specify not just its destination but the route that it should take. This made attacks too easy: you’d just send a packet from A to B to C to B to C and so on, before going to its final destination. Most ISPs now throw away all packets with source routing set. (There was an alarm in early 2007 when it turned out that source routing had found its way back into the specification for IPv6, but that’s now been fixed.)
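The two filtering rules described above can be sketched as a border-filter check. This is an added example, not part of the original article: it flags ICMP echo requests addressed to a subnet's broadcast address and packets carrying IPv4 source-route options. The subnets, packet tuples and function names are constructed for the illustration.

```python
import ipaddress
from collections import Counter

ICMP_PROTO, ICMP_ECHO_REQUEST = 1, 8
SOURCE_ROUTE_OPTS = {131, 137}  # IPv4 LSRR and SSRR option types (RFC 791)

# Constructed example data: subnets behind a hypothetical border filter.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "198.51.100.0/24")]

# Constructed packet summaries: (src, dst, ip_proto, icmp_type, ip_option_types)
PACKETS = [
    ("203.0.113.7", "192.0.2.127", 1, 8, []),        # .127 is the broadcast of the /25
    ("203.0.113.7", "198.51.100.255", 1, 8, []),     # broadcast of the /24
    ("203.0.113.7", "198.51.100.127", 1, 8, []),     # .127 is an ordinary host in a /24
    ("203.0.113.9", "192.0.2.10", 1, 8, []),         # ordinary unicast ping
    ("203.0.113.9", "192.0.2.20", 6, None, [131]),   # TCP packet with LSRR set
]

def drop_reason(pkt, nets=LOCAL_NETS):
    """Return why a border filter should drop pkt, or None to forward it."""
    src, dst, proto, icmp_type, options = pkt
    if SOURCE_ROUTE_OPTS & set(options):
        return "source-route"
    dst_ip = ipaddress.ip_address(dst)
    # The broadcast address depends on the prefix length, not on a ".255" suffix.
    to_broadcast = any(dst_ip == net.broadcast_address for net in nets)
    if to_broadcast and proto == ICMP_PROTO and icmp_type == ICMP_ECHO_REQUEST:
        return "echo-to-broadcast"
    return None

def audit(packets, nets=LOCAL_NETS):
    """Count drop reasons and tally the claimed source of each broadcast ping.

    In a smurf attack that source is forged, so it names the intended victim.
    """
    reasons, victims = Counter(), Counter()
    for pkt in packets:
        reason = drop_reason(pkt, nets)
        if reason:
            reasons[reason] += 1
        if reason == "echo-to-broadcast":
            victims[pkt[0]] += 1
    return reasons, victims

if __name__ == "__main__":
    reasons, victims = audit(PACKETS)
    print(dict(reasons), dict(victims))
```

The per-source tally is useful in incident response: a sudden run of broadcast pings all claiming one source address points at the host being targeted, not at the sender.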

Published on Sat 03 February 2007 by Randy Nugent in Security with tag(s): smurfing