A type of internet distributed denial of service (DDoS) attack where an attacker attempts to overwhelm the victim by tricking third parties into sending large amounts of traffic. These third parties are called smurf amplifiers because a single packet sent to an amplifier results in many packets being sent to the victim.
A smurf attack works by using a directed broadcast ping with the victim's IP spoofed as the return address for the ping. (A directed broadcast is a packet sent to the broadcast address of a particular subnet. Routers unicast the broadcast via the internet. The router directly connected to the destination subnet converts the packet from a directed broadcast into a pure broadcast packet - IP address 255.255.255.255.) When the broadcast hits the amplifier subnet, all computers connected to that particular subnet transmit a ping reply to the victim's IP address. The principal idea is that the attacker uses only a small amount of bandwidth in comparison to the amount of bandwidth depleted from the victim. In military terms a smurf amplifier is a force multiplier. The attack can be made more potent by increasing the size of the ping packet and by using multiple amplifiers.
Simple defenses against IP address spoofing will prevent a malicious user on a network from originating a smurf attack, whilst disabling directed broadcasts on all routers will prevent a subnet from being used as a smurf amplifier. A good firewall helps. Protection for victims is not so easy because simply thwarting the smurf attack at the victim's firewall still means that the victim's incoming internet connection is swamped. Thus protection needs to be upstream from the victim.
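The two network-side defenses described above, written as filter decisions at a border router. This is an added example, not part of the original page; the function names are hypothetical and the prefixes are constructed from documentation address ranges.

```python
import ipaddress

# Constructed example: the subnets directly behind this router
# (documentation ranges, not taken from the page).
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/25"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_directed_broadcast(dst, prefixes=LOCAL_PREFIXES):
    """True if dst is the broadcast address of one of the connected subnets."""
    addr = ipaddress.ip_address(dst)
    # /31 and /32 networks have no broadcast address, so they are skipped.
    return any(net.prefixlen < 31 and addr == net.broadcast_address
               for net in prefixes)


def is_local(addr, prefixes=LOCAL_PREFIXES):
    """True if addr belongs to one of the connected subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def egress_decision(src, dst):
    """Outbound packet: the source must be one of our own addresses.
    This stops a local user from originating a spoofed ping."""
    return "forward" if is_local(src) else "drop: spoofed source"


def ingress_decision(src, dst):
    """Inbound packet: never turn it into a subnet broadcast.
    This stops the subnet from being used as an amplifier."""
    if is_directed_broadcast(dst):
        return "drop: directed broadcast"
    if is_local(src):
        return "drop: outside packet claims inside source"
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    for src, dst in [("203.0.113.9", "192.0.2.127"),
                     ("203.0.113.9", "192.0.2.20")]:
        print(src, "->", dst, ":", ingress_decision(src, dst))
```

The broadcast address follows from the prefix length (192.0.2.127 for the /25 here), so a check that only looks for addresses ending in .255 would miss it.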