Denial of Service Attacks (Part 5): The Smurf Attack

Captions
The Smurf attack is an old mechanism; it actually dates back to early 1998, and it's a mechanism for carrying out denial of service attacks on a target system. The security vulnerability that was exploited in the Smurf attack has, quite fortunately, been fixed, but having said that, I think it would still be useful nonetheless to look at it, because it may be of historical interest, and maybe you can think of it as an early example of mounting a denial of service attack. It specifically uses this idea of amplification to mount such denial of service attacks.

Now, the way that Smurf works is it takes advantage of a particular protocol known as the Internet Control Message Protocol, or ICMP. ICMP is a protocol for being able to determine the status of a given machine. So, for example, one can initiate the ICMP protocol via a command that's actually known as ping, and a lot of modern operating systems allow for this command called ping. So, for example, let's say you typed in "ping www.example.com". What would then happen is your system would send a message via the ICMP protocol; specifically, it would send what's known as an ICMP echo request message. So it would send this ICMP message, this ping message, to a particular server, and this would be the server that was located at the domain of example.com; it would be the web server located at example.com. And then this web server would in turn send back a response, and this response is known as an ICMP echo response, also sometimes called an acknowledgment. So you have the initial person sending an echo request and then receiving back an echo response, and the response basically lets the requester know that everything is running fine. The ping request basically is a good way to ascertain if a particular server is up and running effectively.

Now imagine that an attacker somehow decided to send a large stream of such ping requests from multiple systems and flooded a given target system with these ping requests. In that case, what would start to happen is that the attacker would potentially start to saturate the server's resources; in other words, the server will be so busy handling requests from the attacker that it won't be able to handle requests from legitimate traffic. This particular idea of flooding somebody with a bunch of ping requests is actually known as a ping flood. It's a very primitive form of denial of service attack, and I say primitive because the attacker needs a lot of horsepower, a lot of systems, to be able to target this one system, this one target.

Now it turns out there is a more clever way to mount an attack using ping, and the idea is to leverage the fact that some servers on the Internet have what's known as an IP broadcast address. This is actually not so common anymore, but there was a time when a lot of servers on the Internet had an IP address that was used for broadcast, an IP broadcast address. With this IP broadcast address, what would happen is basically any ICMP requests, or ping requests, sent to that broadcast address would actually get forwarded. So if you do a ping to a broadcast address, what's going to happen is that the initial server to which you made the request will actually forward the request down to any other hosts that are on the same network. For example, let's say there are a whole bunch of other hosts on the network; they're all going to receive a copy of this one particular request that was actually sent to the broadcast address. And what these guys in turn will do, since it's a ping request, is go ahead and respond to that ping request. So they're going to send back an acknowledgment, an ICMP echo response, in response to the ICMP echo request. Hopefully that makes some sense.

Now, this is just an initial observation. To be able to take this observation and translate it into an actual denial of service attack, what the attacker is going to do is he's going to forge, or spoof, his IP address. Let's say he's located at the IP address 1.3.5.7, and he wants to target a particular system, and that system is located at the address 2.4.6.8. In his ICMP echo request packet, he's going to put in this fake IP address of 2.4.6.8 instead of putting in his legitimate address of 1.3.5.7. Actually, I should be a bit more careful: the actual forgery is not going to happen inside of the ICMP packet but inside of the broader, let's say, IP packet over which this ICMP request is being transmitted. And this actually works because it turns out that ICMP, the protocol, does not check for the authenticity of the source address. It assumes the source address is put in authentically, and that will be the case most of the time if you have a legitimate party making that request, but if it's a malicious party, they may be able to forge and put a different address into that packet.

So now, what's going to happen when the ICMP echo request, or the ping request, is sent to this one particular server? Because the server has a broadcast address, it's going to now broadcast that request to all the hosts on the network, and to these hosts on the network, from their purview, from their vantage point, it looks like the request is actually coming from the address that was placed there by the attacker, 2.4.6.8. And what they are actually going to do is, all these different systems are now going to acknowledge this request, but they're going to acknowledge it thinking it's coming from 2.4.6.8. So they're going to send back an ICMP echo response to the target server, and that's a lot of responses that are being sent concurrently to the target server. You can literally have, in a single network, hundreds of systems that are associated with a particular network, and you may be able to access those systems with a single ping request sent to the broadcast IP address on one of those systems. That ping request will be forwarded to all the systems inside that network, and those systems in turn will then respond to that request by issuing an echo response, but they're going to actually end up responding back to the wrong party; they're going to respond back to 2.4.6.8.

So basically what the attacker did is he really took a very simple strategy, made a minimal amount of work, and made a single ping request, and it basically translated into potentially hundreds of acknowledgments, hundreds of echo responses, all of which essentially just pummeled a single target system with traffic. By repeating this procedure, the target system will basically be taken offline; it's going to be saturated, and it won't be able to actually respond to legitimate requests. This attack principle, which uses the concept of an ICMP broadcast, as I mentioned, is known as a Smurf attack, and it's actually called the Smurf attack because that name actually comes from the name of the original piece of exploit code that was used to take advantage of this vulnerability, and I believe that that code was actually just named smurf.c.

Now I want to mention very briefly there is also another attack that's known as Fraggle. Fraggle basically operates almost identically to the way that the Smurf attack operated; it's analogous to Smurf, except that it takes advantage of a similar issue not in ICMP packets but in packets associated with the User Datagram Protocol, or UDP. But it basically uses the broadcast address together with UDP packets to create a type of amplification and thereby mount a much more pronounced attack. Fortunately for us, most systems on the Internet today are no longer susceptible to either Fraggle or Smurf, for that matter, but I thought these particular attacks would be of historical interest, and they may be useful for being able to learn lessons about how to architect secure systems down the line.
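The mechanism described in the video, as an added Python example that is not part of the video or of the Sourcefire channel's material: it builds the spoofed ICMP echo request as raw bytes in memory (nothing is ever sent), models what a network that still forwards directed broadcasts does with it, and then applies the two router-side checks that closed the hole in practice: refusing directed broadcasts from outside the subnet (the default since RFC 2644) and dropping packets whose source address does not belong to the customer prefix they arrive from (BCP 38 / RFC 2827). The addresses 1.3.5.7 and 2.4.6.8 are the ones used in the video; the 10.0.0.0/24 amplifier LAN, its 200 hosts, and all function names are constructed for this example.

```python
"""Smurf in miniature: a spoofed ICMP echo request is built as raw bytes,
reflected by every host on a broadcast LAN, and then caught by the two
router-side checks. Nothing here opens a socket; all packets stay in memory.
Addresses 1.3.5.7 and 2.4.6.8 follow the video; 10.0.0.0/24 is an
assumed amplifier LAN used as constructed sample data."""
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
IP_PROTO_ICMP = 1
IP_HDR = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, id, flags/frag,
                          # TTL, protocol, checksum, src, dst (20 bytes)


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, icmp_type: int, payload: bytes = b"") -> bytes:
    """IPv4 header + ICMP echo. The source address is written verbatim: neither
    IPv4 nor ICMP carries anything that proves it belongs to the sender."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(icmp), 0, 0, 64, IP_PROTO_ICMP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse(packet: bytes) -> dict:
    """Extract the fields the reflectors and the defences look at."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    info = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "len": total_len}
    if proto == IP_PROTO_ICMP:
        info["icmp_type"] = packet[(ver_ihl & 0x0F) * 4]
    return info


def reflect_broadcast(packet: bytes, lan: str, hosts) -> list:
    """Pre-fix behaviour: a request to the LAN's broadcast address reaches every
    host, and each host answers whatever source address the request carried."""
    p = parse(packet)
    net = ipaddress.IPv4Network(lan)
    if p["dst"] != str(net.broadcast_address) or p.get("icmp_type") != ICMP_ECHO_REQUEST:
        return []
    return [build_icmp_echo(h, p["src"], ICMP_ECHO_REPLY) for h in hosts]


def border_drops_directed_broadcast(packet: bytes, lan: str) -> bool:
    """Amplifier-side fix: do not forward packets from outside the LAN to its
    broadcast address (RFC 2644 default; 'no ip directed-broadcast' on Cisco)."""
    p = parse(packet)
    net = ipaddress.IPv4Network(lan)
    return p["dst"] == str(net.broadcast_address) and ipaddress.IPv4Address(p["src"]) not in net


def ingress_drops_spoofed_source(packet: bytes, customer_prefix: str) -> bool:
    """Attacker-side fix: the attacker's own ISP drops packets whose source is not
    in the customer's prefix (BCP 38 / RFC 2827), so the spoof never leaves it."""
    return ipaddress.IPv4Address(parse(packet)["src"]) not in ipaddress.IPv4Network(customer_prefix)


if __name__ == "__main__":
    LAN = "10.0.0.0/24"                              # assumed amplifier network
    HOSTS = ["10.0.0.%d" % i for i in range(1, 201)]  # constructed host list
    # Attacker at 1.3.5.7 writes the victim's address 2.4.6.8 as the source.
    smurf = build_icmp_echo("2.4.6.8", "10.0.0.255", ICMP_ECHO_REQUEST, b"x" * 56)
    replies = reflect_broadcast(smurf, LAN, HOSTS)
    print("one %d-byte request -> %d echo replies, all to %s"
          % (len(smurf), len(replies), parse(replies[0])["dst"]))
    print("dropped at amplifier border:", border_drops_directed_broadcast(smurf, LAN))
    print("dropped at attacker's ISP:", ingress_drops_spoofed_source(smurf, "1.3.5.0/24"))
```

The point of the two filters is that each one alone is enough to break the attack: the directed-broadcast check removes the amplifier, and the ingress check removes the spoof, so a network that applies either is neither a usable reflector nor a usable launch point.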
Info
Channel: Sourcefire
Views: 49,017
Rating: 4.8635173 out of 5
Keywords: denial of service, ddos, dos attack, ddos attack, smurf attack
Id: xQL3n_REkiw
Length: 9min 43sec (583 seconds)
Published: Wed Apr 10 2013