Information, Computer and Network Security Terms Glossary and
Smurf Attack and Fraggle Attack
The "smurf" attack, named after its exploit program, causes Denial of Service in a network.
The two main components to the smurf denial-of-service attack are the use of forged ICMP echo request
packets and the direction of packets to IP broadcast addresses. When smurfing, an attacker sends a large amount
of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim.
If the routing device delivering traffic to those broadcast addresses performs the IP broadcast
to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an
echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network,
there could potentially be hundreds of machines to reply to each packet.
A similar attack to the "smurf" attack is called "fraggle" attack, which uses UDP echo
packets in the same fashion as the ICMP echo packets; it was a simple
re-write of "smurf". Fraggle uses User Datagram Protocol (UDP) echo packets directed
at the Unix UDP services echo (port 7), chargen (port 19), daytime (port13) and qotd (port 17).
For both the SMURF attack and the Fraggle attack, there
are three parties in these attacks: the attacker, the
intermediary, and the victim (note that the intermediary can
also be a victim). In other words, you can be affected in one of
- As a victim or target of the attack
- As a network which is abused to amplify
- As a party harboring the instigator of
Both the intermediary and victim of this attack may suffer degraded
network performance both on their internal network or on their
connection to the Internet. Performance may be degraded to the
point that the network cannot be used.
have developed automated tools that enable them to send these
attacks to multiple intermediaries at the same time, causing
all of the intermediaries to direct their responses to the
same victim. Attackers have also developed tools to look for
network routers that do not filter broadcast traffic and
networks where multiple hosts respond. These networks can the
subsequently be used as intermediaries in attacks.
How to prevent Smurf and Fraggle Attacks
are many mitigations to reduce the risk of Smurf attack an
Fraggle attack in a network, which is outlined as follows:
- Turn off the forwarding of directed broadcast on all
router ports or take other measures to assure your network
cannot be abused in this manner.
- Configure your
operating system to prevent the machine from responding to
ICMP packets sent to IP broadcast addresses.
- Simply block all inbound and outbound ICMP echo
and ICMP echo-reply packets – this will disable many
network monitoring devices
- If you leave ICMP unfiltered but must use
committed access rate (CAR) traffic filtering
- Filtering outgoing packets that contain a source
address from a different network because smurf attack rely on
the use of forged packets
- In the case of Fraggle, disabling echo
(port 7), chargen (port 19), daytime (port13)
and qotd (port 17) services is ok because non of the
services are used often in network anyway
- Many firewall products have build-in
Smurf and fraggle attack filters – it is vital to deploy
these firewalls in critical positions of your network to
prevent smurf and fraggle and many other denial of service
attacks in your network.
Denial of service, firewall, IP Spoofing