Information, Computer and Network Security Terms Glossary and
Dictionary
Smurf Attack and Fraggle Attack
The "smurf" attack, named after its exploit program, causes Denial of Service in a network.
The two main components to the smurf denial-of-service attack are the use of forged ICMP echo request
packets and the direction of packets to IP broadcast addresses. When smurfing, an attacker sends a large amount
of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim.
If the routing device delivering traffic to those broadcast addresses performs the IP broadcast
to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an
echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network,
there could potentially be hundreds of machines replying to each packet.
An attack similar to "smurf" is the "fraggle" attack, which uses UDP echo
packets in the same fashion as the ICMP echo packets; it was a simple
rewrite of "smurf". Fraggle uses User Datagram Protocol (UDP) echo packets directed
at the Unix UDP services echo (port 7), chargen (port 19), daytime (port 13) and qotd (port 17).
Both the Smurf attack and the Fraggle attack involve
three parties: the attacker, the
intermediary, and the victim (note that the intermediary can
also be a victim). In other words, you can be affected in one of
several ways:
- As a victim or target of the attack
- As a network which is abused to amplify
the attack
- As a party harboring the instigator of
the attack
Both the intermediary and the victim of this attack may suffer degraded
network performance, both on their internal networks and on their
connections to the Internet. Performance may be degraded to the
point that the network cannot be used.
Attackers
have developed automated tools that enable them to send these
attacks to multiple intermediaries at the same time, causing
all of the intermediaries to direct their responses to the
same victim. Attackers have also developed tools to look for
network routers that do not filter broadcast traffic and
networks where multiple hosts respond. These networks can then
be used as intermediaries in attacks.
How to prevent Smurf and Fraggle Attacks
There
are many mitigations that reduce the risk of Smurf and
Fraggle attacks in a network, which are outlined as follows:
- Turn off the forwarding of directed broadcast on all
router ports or take other measures to assure your network
cannot be abused in this manner.
- Configure your
operating system to prevent the machine from responding to
ICMP packets sent to IP broadcast addresses.
- Simply block all inbound and outbound ICMP echo
and ICMP echo-reply packets – this will disable many
network monitoring devices
- If you leave ICMP unfiltered, use
committed access rate (CAR) traffic filtering
- Filter outgoing packets that contain a source
address from a different network, because smurf attacks rely on
the use of forged packets
- In the case of Fraggle, disabling the echo
(port 7), chargen (port 19), daytime (port 13)
and qotd (port 17) services is OK because none of these
services are used often in networks anyway
- Many firewall products have built-in
Smurf and Fraggle attack filters; it is vital to deploy
these firewalls in critical positions of your network to
prevent Smurf, Fraggle and many other denial of service
attacks in your network.
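The three ways of being affected listed above each leave a different trace in border traffic. The following added example (not part of the original glossary entry) classifies packet records by role: forged sources leaving the network, echo or Fraggle-port probes arriving at a directed broadcast address, and echo replies converging on one local host from many sources. The record layout, the local prefix, the threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the prefixes this site owns (documentation range used here).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
FRAGGLE_PORTS = {7, 19, 13, 17}  # echo, chargen, daytime, qotd (from the text)

def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)

def is_directed_broadcast(addr):
    return any(addr == net.broadcast_address for net in LOCAL_NETS)

def classify(records, reply_source_threshold=3):
    """records: (direction, proto, src, dst, detail) tuples, where detail is
    the ICMP type name for icmp or the destination port for udp."""
    findings = []
    repliers = defaultdict(set)  # local host -> distinct echo-reply senders
    for direction, proto, src, dst, detail in records:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        probe = (proto == "icmp" and detail == "echo-request") or \
                (proto == "udp" and detail in FRAGGLE_PORTS)
        if direction == "out" and not is_local(s):
            # Harboring the instigator: egress filtering should drop this.
            findings.append(("spoofed-egress", src, dst))
        elif direction == "in" and probe and is_directed_broadcast(d):
            # Intermediary: our subnet is being used as an amplifier.
            findings.append(("amplifier-abuse", src, dst))
        elif direction == "in" and proto == "icmp" and detail == "echo-reply" and is_local(d):
            repliers[dst].add(src)
    for victim, sources in sorted(repliers.items()):
        if len(sources) >= reply_source_threshold:
            # Victim: replies from many hosts to pings it never sent.
            findings.append(("reply-flood", victim, len(sources)))
    return findings

# Constructed sample records, not captured traffic.
SAMPLE = [
    ("out", "icmp", "203.0.113.9", "198.51.100.255", "echo-request"),
    ("in", "icmp", "203.0.113.9", "192.0.2.255", "echo-request"),
    ("in", "udp", "203.0.113.9", "192.0.2.255", 19),
    ("in", "icmp", "198.51.100.1", "192.0.2.10", "echo-reply"),
    ("in", "icmp", "198.51.100.2", "192.0.2.10", "echo-reply"),
    ("in", "icmp", "198.51.100.3", "192.0.2.10", "echo-reply"),
    ("in", "icmp", "198.51.100.7", "192.0.2.20", "echo-reply"),
    ("out", "icmp", "192.0.2.10", "203.0.113.50", "echo-request"),
]

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

A real deployment would tune the reply threshold to a time window and correlate replies against echo requests the host actually sent.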
Related Terms
Denial of service, firewall, IP Spoofing