Magnification Attacks: Smurf, Fraggle, and Others

Kjell Wooding | 1998-06-12

A magnification attack (sometimes, albeit incorrectly [1], referred to as a broadcast storm) is a denial of service attack that relies on the ability of a carefully crafted request packet to generate more than one packet in response. The multiplication effect of these attacks makes it possible for an attacker with limited bandwidth to generate a packet stream much larger than would normally have been possible. By directing this stream at a target with limited bandwidth, it is possible to saturate its network connection, effectively denying service.

There are many possible ways to amplify a packet stream. This paper will look at common ways of achieving this goal using ICMP, UDP, and Application-based traffic.

ICMP Packet Magnification – Smurf

Overview

An ICMP magnification attack (or Smurf) uses ICMP Echo (ping) packets to generate multiple ICMP Echo Replies. By constructing an ICMP Echo request with a spoofed source address (the target) and a broadcast-directed destination, a single ICMP Echo packet could potentially generate an ICMP Echo Reply from each host on a given subnet. An attacker with a fast connection can use this multiplication effect to completely saturate the bandwidth of the target host. We used to see this type of traffic from our Internet Service Provider quite regularly.

There are three parties involved in an ICMP magnification: the attacker, who sends the spoofed Echo requests; the intermediary, whose network answers the broadcast with a reply from every host; and the target, whose address appears as the spoofed source and who receives all of the replies.

How to Avoid It

If you find yourself the target of an ICMP magnification attack (or Smurf), there's unfortunately not much you can do. Though it is possible to block the offending packets at your external router, the bandwidth upstream of that router will remain blocked. It takes coordination with your upstream provider to block the attacks at the source.

To prevent someone at your site from initiating a Smurf attack, configure your external router to block all outbound packets from your site that indicate a source address not contained within your subnet block. If the spoofed packet can't get out, it can't do much harm.

To avoid being an intermediary, and contributing to somebody else's Denial of Service attempt, configure your router to block all network-prefix-directed broadcast packets. That is, disallow broadcast ICMP packets in through your router. This will allow you to retain the ability to perform a broadcast-directed ping inside your network (which is occasionally useful for diagnostic purposes), while eliminating an outsider's ability to exploit this behaviour. If you're truly worried, you may also wish to configure your host machines to ignore ICMP broadcasts entirely.

UDP Packet Magnification – Fraggle, Pingpong

Overview

A UDP magnification attack relies on the existence of several standard, but generally unused, UDP services: echo, chargen, and daytime.

If you are running these services, you may find yourself the victim of a UDP magnification attack. Though these types of attacks are generally less serious than their ICMP cousins, they can cause performance degradation and service denial.

There are several ways to generate UDP packet storms [2]. For instance, sending a spoofed UDP packet to the chargen port on an intermediate system with the source address set to a broadcast address will cause a packet multiplication. On many systems, the source port can also be set to the echo port. This will cause a ping-pong of sorts between the chargen and the echo ports. If this process is repeated with multiple hosts (all directed to a single echo host, for instance), a large traffic stream can be generated.

How to Avoid It

Disable all unnecessary UDP services (including daytime, chargen, and echo) on host machines. As a general rule: if you don't need it, disable it. Also, at your external router, block UDP requests to low-numbered ports that originate from non-ephemeral source ports (ports 1024 and below).
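The router rules recommended above for Smurf (egress anti-spoofing, blocking inbound directed broadcasts) and for UDP ping-pong (dropping small-service requests that come from non-ephemeral ports) can be expressed as a single policy check. The following is an added example, not code from the original article; it assumes a site prefix of 192.0.2.0/24 and runs over a handful of packet records constructed inline.

```python
"""Policy check for magnification (Smurf / Fraggle) traffic at a site border.

Added example, not part of the original article. The site prefix and the
packet records below are constructed for illustration.
"""
import ipaddress

SITE = ipaddress.ip_network("192.0.2.0/24")          # assumed site block
# Well-known UDP "small services" the article says to disable.
SMALL_SERVICES = {7: "echo", 13: "daytime", 19: "chargen"}


def classify(pkt, site=SITE):
    """Return the list of policy reasons to drop pkt (empty list = pass).

    pkt has src, dst, proto ('icmp' or 'udp') and direction ('in' = arriving
    from outside, 'out' = leaving the site); UDP records add sport/dport.
    """
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    reasons = []
    # 1. Egress anti-spoofing: nothing leaves with a source outside our block.
    if pkt["direction"] == "out" and src not in site:
        reasons.append("spoofed-source-egress")
    # 2. Inbound traffic to our directed-broadcast address would make us an
    #    intermediary; broadcast pings originating inside never hit this rule.
    if pkt["direction"] == "in" and dst == site.broadcast_address:
        reasons.append("directed-broadcast-ingress")
    # 3. Small-service request from a non-ephemeral port (e.g. echo -> chargen)
    #    is the ping-pong pattern rather than a normal client query.
    if (pkt["proto"] == "udp" and pkt["dport"] in SMALL_SERVICES
            and pkt["sport"] <= 1024):
        reasons.append("udp-small-service-loop")
    return reasons


def audit(packets):
    """Map packet id -> drop reasons for every packet that fails policy."""
    return {p["id"]: classify(p) for p in packets if classify(p)}


# Constructed sample records (198.51.100.0/24 and 203.0.113.0/24 are outside).
PACKETS = [
    {"id": 1, "direction": "in", "proto": "icmp",   # Smurf trigger aimed at us
     "src": "198.51.100.7", "dst": "192.0.2.255"},
    {"id": 2, "direction": "out", "proto": "icmp",  # insider spoofing a victim
     "src": "203.0.113.9", "dst": "198.51.100.255"},
    {"id": 3, "direction": "in", "proto": "udp",    # chargen request from echo
     "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 7, "dport": 19},
    {"id": 4, "direction": "in", "proto": "udp",    # ordinary DNS query
     "src": "198.51.100.7", "dst": "192.0.2.53", "sport": 40000, "dport": 53},
    {"id": 5, "direction": "out", "proto": "icmp",  # legitimate outbound ping
     "src": "192.0.2.10", "dst": "198.51.100.7"},
]

if __name__ == "__main__":
    for pid, why in audit(PACKETS).items():
        print(f"packet {pid}: drop ({', '.join(why)})")
```

On Linux hosts, the article's "ignore ICMP broadcasts entirely" option corresponds to the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1.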

Application Packet Magnification – NetQuake

Overview

Unfortunately, broadcast storms aren't limited to the ICMP and UDP protocols. Any network-based application that generates multiple responses to a single packet can be used for this purpose. A good example of this was seen recently involving NetQuake servers. If an appropriately formed Hello [3] packet is sent to a NetQuake server, the server will respond with a series of Connect attempts, approximately one per second. If sent from a spoofed (target) address, and sent to the approximately 400 NetQuake servers out there, a sustained UDP stream can be generated.

This technique can be applied to any network application that assists in this multiplication effect.

How to Avoid It

Unfortunately (but somewhat expectedly), avoidance of application-based packet magnification is application specific. One simple workaround is to block the troublesome packets at your router (if your security policy does not allow game playing over the network, for instance). Chances are, however, if you start experiencing an application-based magnification attack, you'll quickly find a way to block it. Again, cooperation with your upstream provider is very helpful in cases like these.

Summary

Magnification attacks, such as Smurf and Fraggle, make use of intermediate hosts to generate large amounts of network traffic. By directing this traffic at a specific target, network saturation and denial of service may occur. By configuring your network to block troublesome packets, you can avoid becoming an intermediary in these attacks.

1. A true broadcast storm is a self-sustaining (and magnifying) event. It is akin to the mousetrap and ping-pong ball model that is often used to describe a nuclear chain reaction (if you have no idea what I'm talking about, feel free to write). This type of attack is also referred to as a network food fight. Most magnification attacks simply generate a finite number of packets for each one sent by an attacker.

2. UDP, on the other hand, is much more like a traditional broadcast storm, as a single packet can cause a self-sustaining packet loop (ping-pong).

3. No. The packet doesn't really contain the string “hello”. You understand what I mean, though.

Kjell Wooding