Internet Security Systems

Amplifiers

There are always three parties to a smurf attack:
  • the hacker
  • the amplifier
  • the victim
The hacker sends a single packet to the amplifier. The amplifier sends many packets back to the victim. The amplifier does so because it has been misconfigured to forward directed broadcasts.

For example, let us assume that a customer has been assigned the network address range 192.0.2.0 through 192.0.2.255. If you ping an IP address within that range, you ping that single node. For example, if you ping the IP address 192.0.2.123, you should get back a single response from that IP address. However, if you ping the IP address 192.0.2.255, you are actually sending what is known as a directed broadcast. Your machine and all routers up to the customer do not know the difference, but when the customer's router receives the packet, it thinks it should broadcast that packet to everyone in the range.

There are two things that make an amplifier:

  • A misconfigured router that broadcasts packets to its subnet.
  • Machines that will respond to pings/echoes to that broadcast address.
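Only the customer's own router knows which destination addresses are directed broadcasts, so that is where they can be recognised. The following added example (not part of the original page) flags inbound ICMP echo requests whose destination is the broadcast address of a local subnet. The split of the page's 192.0.2.0 range into four /26 subnets, the record format and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the page's 192.0.2.0-192.0.2.255 range, split into /26 subnets.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/26", "192.0.2.64/26", "192.0.2.128/26", "192.0.2.192/26")]

def directed_broadcast_subnet(dst, subnets=LOCAL_SUBNETS):
    """Return the local subnet whose broadcast address is dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        # /31 and /32 prefixes have no broadcast address, so they never match.
        if net.prefixlen >= net.max_prefixlen - 1:
            continue
        if addr == net.broadcast_address:
            return net
    return None

def flag_smurf_candidates(records, subnets=LOCAL_SUBNETS):
    """Return (src, dst, subnet) for echo requests sent to a directed broadcast."""
    hits = []
    for line in records:
        src, dst, proto, icmp_type = line.split()
        if proto != "icmp" or icmp_type != "8":  # ICMP type 8 = echo request
            continue
        net = directed_broadcast_subnet(dst, subnets)
        if net is not None:
            hits.append((src, dst, str(net)))
    return hits

# Constructed sample records in the form "src dst proto icmp_type".
SAMPLE = [
    "198.51.100.7 192.0.2.123 icmp 8",  # ordinary ping to a single node
    "198.51.100.7 192.0.2.255 icmp 8",  # broadcast of the last /26
    "198.51.100.7 192.0.2.63 icmp 8",   # broadcast of the first /26
    "192.0.2.10 198.51.100.7 icmp 0",   # outbound echo reply
    "203.0.113.9 192.0.2.255 udp -",    # not ICMP, ignored by this check
]

if __name__ == "__main__":
    for src, dst, net in flag_smurf_candidates(SAMPLE):
        # src is the address every responding machine would reply to.
        print(f"echo request to directed broadcast {dst} ({net}), replies go to {src}")
```

With subnetting, 192.0.2.63 is as much a directed broadcast as 192.0.2.255, which is why the check has to use the router's real subnet list rather than the last octet.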

Hackers regularly scan the Internet looking for smurf amplifiers. They publish the results in catalogues on websites.
