A common way of bringing down a host in the 90s was smurfing. This exploited the Internet control message protocol (ICMP), which enables users to send an echo packet to a remote host to check whether it’s alive. The problem was with broadcast addresses that are shared by a number of hosts. Some implementations of the Internet protocols responded to pings sent to the broadcast address as well as to the local address, so you could test a LAN to see what was alive. A collection of such hosts at a broadcast address is called a smurf amplifier. Bad guys would construct a packet with the source address forged to be that of the victim, and send it to a number of smurf amplifiers. These would then send a flurry of packets to the target, which could swamp it. Smurfing was typically used by kids to take over an Internet relay chat (IRC) server, so they could assume control of the chatroom.

For a while this was a big deal, and the protocol standards were changed in August 1999 so that ping packets sent to a broadcast address are no longer answered. Another part of the fix was socio-economic: vigilante sites produced lists of smurf amplifiers. Diligent administrators spotted their networks on there and fixed them; the lazy ones then found that the bad guys used more and more of their bandwidth, and thus got pressured into fixing the problem too. By now (2007), smurfing is more or less fixed; it’s no longer an attack that many people use.
But there’s a useful moral: don’t create amplifiers. When you design a network protocol, be extremely careful to ensure that no-one who puts one packet in can get two packets out. It’s also important to avoid feedback and loops. A classic example was source routing, a feature of early IP that enabled the sender of a packet to specify not just its destination but the route that it should take. This made attacks too easy: you’d just send a packet from A to B to C to B to C and so on, before going to its final destination. Most ISPs now throw away all packets with source routing set. (There was an alarm in early 2007 when it turned out that source routing had found its way back into the specification for IPv6, but that’s now been fixed.)
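The two fixes described above (not answering echo requests sent to a broadcast address, and discarding packets that carry a source route) can be expressed as one receive-side check on the IPv4 header. This is an added example, not code from the original text; the function names are hypothetical, the addresses are constructed values from the documentation ranges, and it also treats the limited broadcast address 255.255.255.255 as a broadcast destination.

```python
import ipaddress
import struct

LSRR, SSRR = 0x83, 0x89            # IPv4 option types: loose / strict source route
ICMP, ECHO_REQUEST = 1, 8          # IP protocol number and ICMP type
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

def option_types(header: bytes) -> set:
    """Walk the options area of an IPv4 header and return the option types seen."""
    seen, i = set(), 20
    while i < len(header) and header[i] != 0:      # 0 = End of Option List
        if header[i] == 1:                         # 1 = No-Operation, one byte
            i += 1
            continue
        if i + 1 >= len(header) or header[i + 1] < 2:
            raise ValueError("malformed option")
        seen.add(header[i])
        i += header[i + 1]                         # skip by the option's length byte
    return seen

def verdict(packet: bytes, local_net: str) -> str:
    """Classify one inbound IPv4 packet for a host on local_net (CIDR string)."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if len(packet) < 20 or packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return "drop-malformed"
    try:
        if option_types(packet[:ihl]) & {LSRR, SSRR}:
            return "drop-source-route"
    except ValueError:
        return "drop-malformed"
    dst = ipaddress.ip_address(packet[16:20])
    bcast = dst in (ipaddress.ip_network(local_net).broadcast_address, LIMITED_BCAST)
    first_frag = struct.unpack("!H", packet[6:8])[0] & 0x1FFF == 0
    if (bcast and packet[9] == ICMP and first_frag
            and len(packet) > ihl and packet[ihl] == ECHO_REQUEST):
        return "drop-broadcast-echo"               # answering would amplify
    return "accept"

def build(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed sample packet; checksum is zero because verdict() does not check it."""
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
                       0, 0, 64, proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options + payload

if __name__ == "__main__":
    echo = bytes([ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1])
    route = bytes([LSRR, 7, 4]) + ipaddress.ip_address("198.51.100.1").packed + b"\x00"
    print(verdict(build("203.0.113.5", "192.0.2.255", ICMP, echo), "192.0.2.0/24"))
    print(verdict(build("203.0.113.5", "192.0.2.10", ICMP, echo, route), "192.0.2.0/24"))
```

The source-route check runs before the broadcast check, so a source-routed packet is discarded whatever its payload.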
Published on Sat 03 February 2007 by Randy Nugent in Security with tag(s): smurfing