CERT® Advisory CA-98.01 "smurf" IP Denial-of-Service AttacksOriginal issue date: January 5, 1998
Last revised: March 13, 2000
Added pointer to RFC2644/BCP34.
A complete revision history is at the end of this file.
This advisory is intended primarily for network administrators responsible for router configuration and maintenance.
The attack described in this advisory is different from the denial-of-service attacks described in CERT advisory CA-97.28.
The CERT Coordination Center has received reports from network service providers (NSPs), Internet service providers (ISPs), and other sites of continuing denial-of-service attacks involving forged ICMP echo request packets (commonly known as "ping" packets) sent to IP broadcast addresses. These attacks can result in large amounts of ICMP echo reply packets being sent from an intermediary site to a victim, which can cause network congestion or outages. These attacks have been referred to as "smurf" attacks because the name of one of the exploit programs attackers use to execute this attack is called "smurf."
The CERT/CC urges you to take the steps described in Section III to reduce the potential that your site can be used as the origination site (Sec. III.C) or an intermediary (Sec. III.A.) in this attack. Although there is no easy solution for victim sites, we provide some recommendations in Sec. III.B.
We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.
The two main components to the smurf denial-of-service attack are the use of forged ICMP echo request packets and the direction of packets to IP broadcast addresses.
The Internet Control Message Protocol (ICMP) is used to handle errors and exchange control messages. ICMP can be used to determine if a machine on the Internet is responding. To do this, an ICMP echo request packet is sent to a machine. If a machine receives that packet, that machine will return an ICMP echo reply packet. A common implementation of this process is the "ping" command, which is included with many operating systems and network software packages. ICMP is used to convey status and error information including notification of network congestion and of other network transport problems. ICMP can also be a valuable tool in diagnosing host or network problems.
On IP networks, a packet can be directed to an individual machine or broadcast to an entire network. When a packet is sent to an IP broadcast address from a machine on the local network, that packet is delivered to all machines on that network. When a packet is sent to that IP broadcast address from a machine outside of the local network, it is broadcast to all machines on the target network (as long as routers are configured to pass along that traffic).
IP broadcast addresses are usually network addresses with the host portion of the address having all one bits. For example, the IP broadcast address for the network 10.0.0.0 is 10.255.255.255. If you have subnetted your class A network into 256 subnets, the IP broadcast address for the 10.50 subnet would be 10.50.255.255. Network addresses with all zeros in the host portion, such as 10.50.0.0, can also produce a broadcast response.
In the "smurf" attack, attackers are using ICMP echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service attacks. There are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim).
The intermediary receives an ICMP echo request packet directed to the IP broadcast address of their network. If the intermediary does not filter ICMP traffic directed to IP broadcast addresses, many of the machines on the network will receive this ICMP echo request packet and send an ICMP echo reply packet back. When (potentially) all the machines on a network respond to this ICMP echo request, the result can be severe network congestion or outages.
When the attackers create these packets, they do not use the IP address of their own machine as the source address. Instead, they create forged packets that contain the spoofed source address of the attacker's intended victim. The result is that when all the machines at the intermediary's site respond to the ICMP echo requests, they send replies to the victim's machine. The victim is subjected to network congestion that could potentially make the network unusable. Even though we have not labeled the intermediary as a "victim," the intermediary can be victimized by suffering the same types of problem that the "victim" does in these attacks.
Attackers have developed automated tools that enable them to send these attacks to multiple intermediaries at the same time, causing all of the intermediaries to direct their responses to the same victim. Attackers have also developed tools to look for network routers that do not filter broadcast traffic and networks where multiple hosts respond. These networks can the subsequently be used as intermediaries in attacks.
For a more detailed description of the "smurf" attack, please consult this document:
Description and Information to Minimize Effects"
Author: Craig Huegen <firstname.lastname@example.org>
URLs: http://www.quadrunner.com/~chuegen/smurf.txt and Smurfing: The Latest DoS Attack
Both the intermediary and victim of this attack may suffer degraded network performance both on their internal networks or on their connection to the Internet. Performance may be degraded to the point that the network cannot be used.
A significant enough stream of traffic can cause serious performance degradation for small and mid-level ISPs that supply service to the intermediaries or victims. Larger ISPs may see backbone degradation and peering saturation.
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly.
Cray Research - A Silicon Graphics Company
Current versions of Unicos and Unicos/mk do not have the ability to reject ICMP requests send to broadcast addresses. We are tracking this problem through SPR 709733.
Cisco recommends the following configuration settings as protection against being used as an intermediary in smurf attacks:
access-list 101 permit ip 172.16.0.0 0.0.255.255 0.0.0.0 255.255.255.255 access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
Data General Corporation
DG/UX has an option to enable/disable the forwarding of IP broadcast packets. It is disabled by default. This means that if DG/UX is used along the path, it will not forward the attack packets.
DG/UX B2 with Security Option has a 'netctrl' facility which enables the administrator to disable the response to a broadcast ICMP ping message.
DIGITAL EQUIPMENT CORPORATION
Currently DIGITAL products do not deny individual ICMP service to a host. That, outside the intranet, firewalls should protect from this kind of spoof/attack.
If the problem has to be dealt with inside the firewall and the intranet, then policy should address "malicious acts"and the individuals responsible.
In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp echo requests destined to broadcast and multicast addresses by default. This behaviour can be changed via the sysctl command via mib net.inet.icmp.bmcastecho.
There is a network attribute called "bcastping" that controls whether or not responses to ICMP echo packets to the broadcast address are allowed. A value of zero turns off responses and a value of one turns them on. The default is zero (i.e., by default AIX version 4 is not vulnerable to the described denial-of-service attack).
Use the following command to check the value of the bcastping attribute:
$ no -o bcastping
Use the following command to turn off responses to ICMP broadcast packets (as root):
# no -o bcastping=0
The "bcastping" attribute does not exist in version 3.
IBM and AIX are registered trademarks of International Business Machines Corporation.
Livingston Enterprises, Inc.
Livingston Enterprises products don't respond to ICMP packets not sent to their own address, but do forward them. They're currently examining the problem to see what kind of solution they can provide.
The NetBSD Project
Under NetBSD you can disable forwarding of directed broadcast packets with this command, as root:
# sysctl -w net.inet.ip.directed-broadcast=0
NetBSD will always respond to broadcast ICMP packets. In the future, NetBSD may allow this to be disabled.
To prevent incoming broadcast packets from entering your network (III. A. 1. in this advisory)
Use the command: ndd -set /dev/ip ip_forward_directed_broadcasts 0
SunOS 4.1.3_U1 and 4.1.4:
Do the following:
Add ``options DIRECTED_BROADCAST=0'' to system configuration file and rebuild kernel
To prevent systems from responding to broadcast ICMP packets (III. A. 2. in this advisory)
Use the command: ndd -set /dev/ip ip_respond_to_echo_broadcast 0
A corresponding variable for ip_respond_to_echo_broadcast does not exist in SunOS 4.1.x.
The CERT Coordination Center thanks Craig A. Huegen. Much of the content in this advisory has been derived from his document on "smurf" attacks. The CERT Coordination Center also thanks Paul Ferguson and Daniel Senie for providing information on network ingress filtering, and John Bashinski of Cisco for his contributions.
This document is available from: http://www.cert.org/advisories/CA-98.01.smurf.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
Getting security informationCERT publications and other security information are available from our web site
email@example.com and include SUBSCRIBE your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Mar. 13, 2000 Added pointer to RFC2644/BCP34. Aug. 24, 1998 Updated vendor information for Data General Corporation. Aug. 14, 1998 Updated vendor information for Sun Microsystems. Apr. 28, 1998 Updated vendor information for Cisco Systems and Sun Microsystems. Corrected URL for obtaining RFCs Apr. 10, 1998 Updated vendor information for Cisco Systems Feb. 10, 1998 Updates to Appendix A - Vendor Information Jan. 29, 1998 Updated reference to the filtering document (now an RFC) in Section III-C. Jan. 13, 1998 Updated vendor information for NetBSD. Jan. 7, 1998 Updated or added vendor information for Digital Equipment Corporation and Livingston Enterprises, Inc.