Network-Based Denial of Service Attacks

Craig A. Huegen <chuegen@cisco.com>

NANOG 13 5

“Smurf” and “Fraggle”

•Very dangerous attacks

Network-based, fills access pipes

Uses ICMP echo/reply (smurf) or UDP echo (fraggle) packets with broadcast networks to multiply traffic

Requires the ability to send spoofed packets

•Abuses “bounce-sites” to attack victims

Traffic multiplied by a factor of 50 to 200

Low-bandwidth source can kill high-bandwidth connections

•Similar traffic content to ping, UDP flooding but more dangerous due to traffic multiplication









	•The “Smurf” and “Fraggle” attacks are two of the most severe Denial of Service attacks found today, because they allow a user with relatively low bandwidth to generate a very large amount of bogus traffic towards a remote network.
	•They utilize IP directed broadcasts in combination with echo protocols and spoofed packets in order to generate multiplied traffic streams.
	•There are two victims:
		•The intended victim, who receives a large amount of traffic from intermediate sites
		•The intermediate sites, or “bounce sites” used to multiply the traffic streams
	•The attacks are similar in nature to traditional ping and UDP flooding, except that ping and UDP flooding require that the perpetrator have more bandwidth than the target he/she is attacking. Smurf and Fraggle allow the multiplication of traffic through the broadcast mechanism and therefore only require that the sites used to multiply the traffic have enough hosts to increase the factor by which the traffic streams are multiplied.