Tuesday, November 30, 2010

Simulating a Smurf attack with Scapy

Wikipedia says..
The Smurf attack is a way of generating significant computer network traffic on a victim network. This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.

This attack relies on a perpetrator sending a large amount of ICMP echo request (ping) traffic to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim.

If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding.

To simulate a Smurf attack we need to do the following..

1. Install Scapy

On Mac this is how you do it..

On Ubuntu : sudo apt-get install python-scapy

2. Send a large amount of ICMP request to the broadcast address of the victim network(Directed Broadcast Address).

3. Source IP of the attacker must be spoofed.

As per [2] when we send a ICMP request with a spoofed IP been set to the broadcast IP of the network, the server will broadcast the ICMP response to the entire network..

In the following example with Scapy, we are not using a broadcast IP - instead using an IP address of a different machine in the network.

Target machine IP : 192.168.2.11
Server machine IP : 192.168.2.10

From the attackers machine, I start Scapy;

$ sudo scapy

Then type the following - you can see the source IP been spoofed to the target machine IP.

>>> send(IP(src="192.168.2.11", dst="192.168.2.10")/ICMP())

That's it - since we want to confirm the response from the server, 192.168.2.10 goes to 192.168.2.11 - I am also running scapy there too..

$ sudo scapy

>>> a=sniff(filter="icmp and src 192.168.2.11")

The above will trace ICMP traffic targeting 192.168.2.11 - after sometime press Ctrl+C and type the following on the target machine..

>>> a.nsummary()
0000 Ether / IP / ICMP 192.168.2.11 > 192.168.2.10 echo-request 0

Smurf attacks can be prevented by,

1. Configuring the individual hosts and routers not to respond to ping requests.
2. Configuring routers not to forward packets directed to broadcast addresses.