Assignment 1
Title
Name
Metric no
: 114998
: aanis.ucom12@student.usm.my
Contents
Abstract
Introduction
Analysis
Attack using Internet Control Message Protocol
IP broadcast address
Discussion
Conclusion
Reference
Abstract
Distributed Denial of Service (DDoS) attacks can have a devastating impact on computer systems and networks. One DDoS flooding attack is the Smurf attack, which involves the Internet Control Message Protocol (ICMP). When conducting a Smurf attack, the attacker uses IP address spoofing to forge the victim's IP address. This causes confusion on the targeted network, and a massive flood of traffic is injected into the victim's network, rendering it inoperable. A Smurf attack uses ping, the operating system tool for checking whether a network is operational.
When the ping tool is run, an ICMP echo request packet is transmitted to the destination computer. If the destination computer receives the packet, it replies to confirm the ping request. In a Smurf denial-of-service attack, the return IP address of the ping packet is forged with the IP address of the targeted computer, and the ping is issued to the entire IP broadcast address. This causes every computer to respond to the bogus ping packets and reply to the targeted computer, which floods it. The technique is called a Smurf attack because the DoS tool used to perform it is called Smurf. One way to reduce the risk is to disable IP-directed broadcast, which is frequently not used or required. Some operating systems are configured to prevent the computer from responding to ICMP packets.
Introduction
A Denial of Service (DoS) attack is an attack on an online service that makes it unavailable by congesting the system with traffic. It is designed to render a computer unusable and leave the users of the targeted system unable to use the services it provides. The bandwidth and connectivity of computer networks are the most common targets of DoS. Bandwidth attacks flood the network with a high volume of traffic, while connectivity attacks flood a computer with a high volume of connection requests.
A Distributed Denial of Service (DDoS) attack is a type of DoS attack in which many computers, usually infected with a Trojan, are used to attack another computer. They launch a coordinated DoS attack against one or more target systems (the attack is distributed). The victims of a DDoS attack are both the end targeted system and all the systems maliciously used and controlled by the hacker in the distributed attack.
In a DoS attack, one computer with an Internet connection is used to flood the server with packets, which overloads the targeted server's bandwidth. In a DDoS attack, by contrast, many devices and multiple Internet connections, distributed globally, are used (known as a botnet). Compared to a DoS attack, a DDoS attack is much harder to deflect because there is no single attacker to defend against: the targeted resources are flooded with requests from multiple sources.
A Smurf attack is a form of DDoS. The program exploits vulnerabilities of the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The attacker uses an unprotected network to amplify the attack load and direct it at the victim computer. The Smurf program uses a spoofing technique to make a network packet appear to originate from another address. This kind of attack not only causes problems for the targeted system but also has a serious negative effect on the network.
Analysis
A Smurf attack has two main components: the forged Internet Control Message Protocol (ICMP) echo request packet and the direction of that packet to an Internet Protocol (IP) broadcast address.
A broadcast ping is sent with a spoofed source address. There are 3 types of ping:
1- Normal ping
A regular ping sends one or more ICMP echo requests to a system. The system responds with one or more ICMP echo replies, which confirms that the system is functioning. The ICMP packet is addressed from one system to one system.
2- Broadcast ping
A broadcast ping sends the ICMP echo request to a broadcast address. The broadcast address delivers it to virtually all systems on the network. When the systems on the network respond to the request, they flood the system with ICMP echo replies.
3- Spoofed source broadcast ping
During the attack, the source address is spoofed with the victim's address, and the packet is then sent out as a broadcast ping. The victim is flooded with echo replies if the systems respond to the request.
IP broadcast address
On an IP network, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, it is delivered to all machines on that network. When a packet is sent to an IP broadcast address from a machine outside the local network, it is broadcast to all machines on the targeted network according to the route of the traffic (routers do not pass broadcast packets).
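The three ping types and the broadcast-address behaviour described above can be told apart at a router from the packet header alone. The following is an added example, not part of the original assignment: it classifies ICMP echo requests against an assumed list of local subnets (`LOCAL_NETS`, documentation address ranges) and reports how many hosts on the targeted subnet would receive each request. The packet records are constructed.

```python
import ipaddress

ICMP_ECHO_REQUEST = 8  # ICMP type of a ping request

# Assumed subnets behind the router being checked (documentation ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "198.51.100.0/24")]


def broadcast_subnet(dst):
    """Return the local subnet whose broadcast address is dst, or None."""
    for net in LOCAL_NETS:
        # /31 and /32 have no separate broadcast address, so skip them.
        if net.prefixlen <= 30 and dst == net.broadcast_address:
            return net
    return None


def classify(pkt):
    """Map one packet record to (verdict, hosts that receive the request)."""
    if pkt["icmp_type"] != ICMP_ECHO_REQUEST:
        return ("not an echo request", 0)
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    net = broadcast_subnet(dst)
    if net is None:
        return ("normal ping", 1)
    hosts = net.num_addresses - 2  # exclude network and broadcast addresses
    if src in net:
        return ("local broadcast ping", hosts)
    # Source is outside the subnet: every reply goes to an address the
    # router cannot vouch for, which is the Smurf amplifier pattern.
    return ("directed broadcast from outside: drop", hosts)


# Constructed packet records, not captured traffic.
SAMPLE = [
    {"src": "192.0.2.10", "dst": "192.0.2.20", "icmp_type": 8},
    {"src": "192.0.2.10", "dst": "192.0.2.127", "icmp_type": 8},
    {"src": "203.0.113.5", "dst": "198.51.100.255", "icmp_type": 8},
    {"src": "203.0.113.5", "dst": "198.51.100.7", "icmp_type": 0},
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt["src"], "->", pkt["dst"], classify(pkt))
```

The host count in the verdict is the amplification a single forged request could produce on that subnet, which is why the third record is the one to drop at the edge.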
Discussion
Becoming an intermediary in a Smurf attack can be avoided by making sure that forwarding of directed broadcasts is disabled on the Foundry device. The user can also configure the Foundry device to drop ICMP packets when an excessive number are encountered. The easiest way to defeat a Smurf attack is to set a threshold value for ICMP packets and drop them when the threshold is exceeded. This prevents the packets from hitting the web server and the internal network. Monitor packets that do not originate from the network, and do not simply accept the requests. It is important to filter out packets that do not originate from the internal network. On a Cisco router, use CAR (Committed Access Rate) to specify the maximum amount of bandwidth that can be used by echo reply packets.
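The threshold-and-drop behaviour described above can be modelled as a token bucket that meters only ICMP echo replies. This is an added example, not Foundry or Cisco code and not part of the original assignment; the rate, burst size and flood traffic are assumed values chosen for illustration.

```python
ICMP_ECHO_REPLY = 0  # ICMP type of a ping reply


class EchoReplyLimiter:
    """Token bucket: echo replies within the rate pass, the excess is dropped."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        # Tokens are kept in units of 1/8000 byte so refills stay integer-exact
        # with millisecond timestamps (1 ms at 1 bit/s = 1 unit).
        self.capacity = burst_bytes * 8000
        self.tokens = self.capacity
        self.last_ms = None

    def allow(self, ts_ms, icmp_type, size_bytes):
        if icmp_type != ICMP_ECHO_REPLY:
            return True  # only echo replies are metered
        if self.last_ms is not None:
            refill = (ts_ms - self.last_ms) * self.rate_bps
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = ts_ms
        cost = size_bytes * 8000
        if cost <= self.tokens:
            self.tokens -= cost
            return True   # conforms: transmit
        return False      # exceeds the threshold: drop


def simulate_flood(limiter, packets=50, interval_ms=10, size_bytes=100):
    """Feed a constructed burst of echo replies; return (passed, dropped)."""
    passed = sum(limiter.allow(i * interval_ms, ICMP_ECHO_REPLY, size_bytes)
                 for i in range(packets))
    return passed, packets - passed


if __name__ == "__main__":
    # Assumed policy: 8000 bit/s sustained, 500-byte burst.
    print(simulate_flood(EchoReplyLimiter(rate_bps=8000, burst_bytes=500)))
```

The burst allowance lets short, legitimate ping exchanges through untouched, while a sustained flood is cut down to the configured rate once the bucket is empty.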
Conclusion
It is not impossible to accidentally download the Smurf Trojan from an unverified website or via an infected email link (spam). The program remains dormant on a computer until it is activated by a remote user (the attacker). Many Smurf programs come with rootkits, allowing the attacker to create backdoors. The easiest way to cope with a Smurf attack is to turn off IP broadcast addressing on every network router. If IP broadcast is turned off, it is impossible for the attacker to overload the network.
Both the intermediary and the victim of this attack may suffer degraded network performance, both on their internal networks and on their Internet connections.
Reference
http://www.techrepublic.com/article/understanding-a-smurf-attack-is-the-first-step-toward-thwartingone/
http://blogs.getcertifiedgetahead.com/dos-smurf-fraggle-attacks/
http://www.cert.org/historical/advisories/CA-1998-01.cfm?
https://www.us-cert.gov/ncas/tips/ST04-015
https://www.nordu.net/articles/smurf.html
https://usa.kaspersky.com/internet-security-center/definitions/smurf-attack
http://www.w3.org/Security/faq/wwwsf6.html
http://www.symantec.com/security_response/glossary/define.jsp?letter=s&word=smurf-dos-attack