Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1180

Smurf Attack

Reviewed by Cybersecurity entrepreneur & security researcher

What is Smurf Attack?

Smurf Attack: A legacy amplification DDoS that sends ICMP echo requests to a network's broadcast address with the victim's IP spoofed as the source, causing every host on that network to reply to the victim.


In a Smurf attack the attacker sends ICMP echo-request (ping) packets to the directed broadcast address of one or more networks, forging the source IP as the victim's. Every host on those networks then sends an echo reply to the victim, multiplying a small attack stream into a flood scaled by the number of responders. Smurf was very effective on 1990s Internet topologies where directed broadcasts were widely enabled. Defences are simple but had to be deployed industry-wide: disable IP-directed broadcast (Cisco's no ip directed-broadcast and RFC 2644 default behaviour), perform ingress source-address filtering (BCP 38), and rate-limit ICMP at the edge. With modern defaults, Smurf is largely historical, but conceptually similar broadcast/multicast abuses still surface.
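The two filtering defences named above, expressed as the decision an edge router makes per packet. This is an added example, not code from the glossary; the subnets, sample packets and function names are constructed for illustration.

```python
import ipaddress

# Constructed site layout (assumption): two /25 subnets behind one edge router.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "192.0.2.128/25")]

def is_local(addr):
    """True if addr belongs to one of the site's prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in LOCAL_SUBNETS)

def is_directed_broadcast(dst):
    """True if dst is the broadcast address of an attached subnet.

    Only the router attached to the subnet knows its mask, which is why the
    RFC 2644 default is enforced there. /31 and /32 have no broadcast address.
    """
    a = ipaddress.ip_address(dst)
    return any(net.prefixlen < 31 and a == net.broadcast_address
               for net in LOCAL_SUBNETS)

def edge_verdict(direction, src, dst):
    """Return (action, reason) for a packet crossing the site edge.

    direction is "out" (leaving the site) or "in" (arriving from outside).
    """
    if direction == "out" and not is_local(src):
        return ("drop", "BCP 38: source address is not ours (spoofed)")
    if direction == "in" and is_directed_broadcast(dst):
        return ("drop", "RFC 2644: directed broadcast is not forwarded")
    return ("forward", "ok")

# Constructed sample packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("in", "198.51.100.7", "192.0.2.127"),   # broadcast of 192.0.2.0/25
    ("in", "198.51.100.7", "192.0.2.255"),   # broadcast of 192.0.2.128/25
    ("in", "198.51.100.7", "192.0.2.10"),    # ordinary unicast host
    ("out", "203.0.113.9", "198.51.100.255"),  # forged source leaving the site
    ("out", "192.0.2.10", "198.51.100.7"),   # legitimate outbound traffic
]

def audit(packets=SAMPLE_PACKETS):
    """Apply edge_verdict to each packet and return the actions in order."""
    return [edge_verdict(*p)[0] for p in packets]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", edge_verdict(*pkt))
```

Note that 192.0.2.127 would look like an ordinary host address to anyone assuming a /24, so the broadcast check has to use the real subnet masks.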

Examples

  1. An attacker spoofs the victim's IP and pings the broadcast address of many remote /24 networks; each network multiplies the attack.

  2. A penetration test discovers an internal router still permitting directed broadcasts, enabling a Smurf-like internal flood.

Frequently asked questions

What is Smurf Attack?

A legacy amplification DDoS that sends ICMP echo requests to a network's broadcast address with the victim's IP spoofed as the source, causing every host on that network to reply to the victim. It belongs to the Attacks & Threats category of cybersecurity.

How do you defend against Smurf Attack?

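Defences for Smurf Attack typically combine technical controls and operational practices, as detailed in the full definition above: disabling IP-directed broadcast, ingress source-address filtering (BCP 38), and rate-limiting ICMP at the edge.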
