What is Smurf attack and the protection?

What is Smurf attack?

A Smurf attack is a distributed denial of service assault that happens on the network layer and targets the victim's server by flooding it with Internet Control Message Protocol (ICMP) echo requests.

These ICMP queries flood the server, preventing it from processing all inbound traffic. Hackers use malware dubbed "DDOS.Smurf" to carry out a Smurf attack.

A distributed denial-of-service (DDoS) assault is a type of cyberattack in which several computers overwhelm a target website or network with traffic, rendering it inaccessible to customers. In a DDoS assault, the attacker often gets control of a large number of computers and employs them to produce a significant number of visits aimed towards the target.

What is Smurf attack and the protection?
Fig 1.1- What is Smurf attack?

The primary purpose of a DDoS assault is to overload the target with so much traffic that it is unable to handle genuine requests, making access to the website or network difficult or impossible.

"The Smurf Attack disables a victim system's network resources by consuming bandwidth." It achieves consumption by amplification of the attacker's bandwidth. If the amplifying network contains 100 computers, the signal may be amplified 100 times, allowing an attacker with relatively low bandwidth (such as a 56K modem) to overwhelm and disable a victim system with significantly higher bandwidth (such as a T1 connection).

Smurf Attacks are classified into two types:

Type 1: Basic Attack

The apparently unending ICMP request packets in the Basic Smurf Attack include a source address set to the target's network's broadcast address. If these packets are appropriately dispersed, there will be an echo from every single device on the network, resulting in the excessive load that typically brings systems down.

Type 2: Advance Attack

In the case of Advanced Smurf Attacks, the echo responses to ICMP queries can be configured to react to third-party victims. In this manner, hackers may simultaneously attack many, larger targets.

Stages of Smurf Attacks

  • The Smurf virus first generates a bogus Echo request with a faked source IP. The faked IP address is the target server address.
  • Second, the request is routed through an intermediary IP broadcast network.
  • Afterwards, the request is transmitted to every network host on the network.
  • At the end of a Smurf Attack, each host sends an ICMP response to the faked source address.
  • If a large number of ICMP responses are forwarded, the target server is brought down in the final stage.


A Smurf Attack involves three parties: the hacker, the middleman / amplifier, and the victim. To launch the attack, the intermediate must let a source-spoofed IP packet to exit its network. As a result, prevention must be done on two levels: avoiding being attacked and avoiding being exploited to begin an assault.
  • You should stop IP-directed broadcast on the router, which will prevent broadcast traffic from other networks from reaching the internal network. You may also try adding an outbound filter to your perimeter router and setting hosts and routers to ignore ICMP echo queries.
  • You create redundancy. Your servers should be distributed across various data centres, with a suitable load balancing solution in place for traffic distribution. The data centres should be located in various parts of the same nation, if feasible, or even in other countries, and should be linked to different networks.
  • You must safeguard your DNS servers. Aside from adding redundancy, you could also consider switching to a cloud-based DNS provider, whose services are specifically designed for DDoS prevention.
  • You increase your bandwidth purchase. You should have adequate bandwidth to manage traffic surges caused by malicious activities.
  • You ensure that your servers are protected by network firewalls or specialized web application firewalls.