Internet Security Systems

smurf

Smurf is a simple denial-of-service attack that combines IP source spoofing with directed broadcasts. The attacker sends a single packet (typically an ICMP Echo Request) to the directed broadcast address of some subnet on the Internet, with the source address forged to be the victim's. Every host on that subnet that answers broadcast pings replies, and because the source was forged, all of those replies go to the victim. A single packet from the attacker can therefore produce hundreds of reply packets aimed at the victim; the subnet acts as an amplifier.

There is not much the victim can do on its own, because it is the incoming link that is being overloaded. The victim does, however, know the subnet of each amplifier (the replies carry the amplifier hosts' real source addresses) and should contact that subnet's owner and ask them to turn off amplification, that is, stop their border router from forwarding directed broadcasts, or at least filter ICMP Echo Requests addressed to the subnet's broadcast address.

IRC servers are the primary victims of smurf attacks. Script-kiddies run programs that scan the Internet looking for "amplifiers" (subnets whose routers forward directed broadcasts and whose hosts answer them). They compile lists of these amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses, the responses will appear to come from all over the Internet.

On IRC, attackers use bots (automated programs) that connect to IRC servers and gather a target's IP address. The bots then send the forged packets to the amplifiers to inundate the victim.

The owner of the amplifier is also a victim of this attack: their subnet carries the reply flood and their hosts do the work. They can easily defend against it by filtering the incoming broadcasts, that is, by refusing to forward directed broadcasts at their border router, which also stops their network from being used against others.

Because the attacker can saturate the links and gateways leading to the victim, no firewall at the victim can really protect it: by the time the packets reach the firewall, the bandwidth is already consumed. The only real defense is to trace the replies back to the amplifiers and contact those system administrators, and to ask the upstream provider to filter the flood before it reaches the victim's link.

The attack is named "smurf" after a popular program that generates the attack.

Fraggle, a variant, uses UDP instead of ICMP. In this case the forged packets are sent to the UDP small-services ports, echo (7), chargen (19), daytime (13) and qotd (17), which answer any datagram and so trigger the responses. These services are also susceptible to the ping-pong attack, in which a single forged datagram makes two such services bounce replies between each other indefinitely, and they should be turned off.
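As an added illustration (not code from the original page, nor a tool from Internet Security Systems), the script below runs the two checks the text describes over a constructed packet log. At the victim it counts reply packets (ICMP Echo Replies for smurf, datagrams from the echo/chargen/daytime/qotd ports for fraggle) that no request from the victim explains, grouped by source /24 so the amplifier owners can be contacted; at an amplifier it flags packets addressed to the broadcast address of a locally routed subnet, which is exactly the traffic the border router should drop. The log format, the sample addresses (documentation ranges) and the /24 grouping are assumptions made for this example.

```python
"""Smurf / fraggle checks over a constructed packet log (added example)."""
import ipaddress
from collections import Counter

# Constructed sample, not captured traffic. One packet per line:
# "src dst proto key=value ...". 192.0.2.10 is the victim; the first two
# lines are its own legitimate ping to 203.0.113.7 and the answer, the rest
# are reflected replies from the 198.51.100.0/24 amplifier.
VICTIM_LOG = """\
192.0.2.10 203.0.113.7 icmp type=8
203.0.113.7 192.0.2.10 icmp type=0
198.51.100.1 192.0.2.10 icmp type=0
198.51.100.2 192.0.2.10 icmp type=0
198.51.100.3 192.0.2.10 icmp type=0
198.51.100.4 192.0.2.10 icmp type=0
198.51.100.5 192.0.2.10 icmp type=0
198.51.100.6 192.0.2.10 icmp type=0
198.51.100.7 192.0.2.10 udp sport=19 dport=7
198.51.100.8 192.0.2.10 udp sport=7 dport=7
"""

# Constructed sample of what the amplifier's border router sees: the forged
# requests (source set to the victim) aimed at the subnet broadcast address,
# plus one ordinary ping to a single host.
AMPLIFIER_LOG = """\
192.0.2.10 198.51.100.255 icmp type=8
192.0.2.10 198.51.100.255 udp sport=7 dport=19
203.0.113.9 198.51.100.20 icmp type=8
"""

# UDP small services fraggle bounces traffic off; a reply carries the
# service port as its *source* port.
FRAGGLE_PORTS = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}


def parse_log(text):
    """Turn the assumed 'src dst proto k=v ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        src, dst, proto, *kv = line.split()
        fields = {k: int(v) for k, v in (item.split("=", 1) for item in kv)}
        records.append({"src": src, "dst": dst, "proto": proto, **fields})
    return records


def unsolicited_replies(records, victim):
    """Victim-side check. Count smurf/fraggle replies that no request from
    the victim explains, grouped by the sender's /24 (an assumption: real
    amplifier subnets can be any size) so the owners can be contacted."""
    probed = set()  # hosts the victim itself actually pinged or probed
    for r in records:
        if r["src"] != victim:
            continue
        if r["proto"] == "icmp" and r.get("type") == 8:
            probed.add(r["dst"])
        elif r["proto"] == "udp" and r.get("dport") in FRAGGLE_PORTS:
            probed.add(r["dst"])
    by_subnet = Counter()
    for r in records:
        if r["dst"] != victim or r["src"] in probed:
            continue
        smurf = r["proto"] == "icmp" and r.get("type") == 0
        fraggle = r["proto"] == "udp" and r.get("sport") in FRAGGLE_PORTS
        if smurf or fraggle:
            net = ipaddress.ip_network(f"{r['src']}/24", strict=False)
            by_subnet[str(net)] += 1
    return by_subnet


def directed_broadcast_hits(records, local_subnets):
    """Amplifier-side check. Return (src, dst) of packets sent to the
    broadcast address of a locally routed subnet; a border router that
    refuses to forward directed broadcasts drops exactly these."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    return [(r["src"], r["dst"]) for r in records
            if any(ipaddress.ip_address(r["dst"]) == n.broadcast_address
                   for n in nets)]


if __name__ == "__main__":
    flood = unsolicited_replies(parse_log(VICTIM_LOG), "192.0.2.10")
    for subnet, n in flood.most_common():
        print(f"amplifier {subnet}: {n} unsolicited replies, contact its owner")
    hits = directed_broadcast_hits(parse_log(AMPLIFIER_LOG), ["198.51.100.0/24"])
    for src, dst in hits:
        print(f"directed broadcast from {src} to {dst}: drop at the border")
```

The victim-side count is only a grouping aid: the reply sources are the amplifier hosts' real addresses, so the subnets it reports are the ones to contact, while the forged requests themselves never pass the victim's sensor. The amplifier-side check is the detection counterpart of the fix the text recommends; on most routers the fix itself is a one-line configuration change disabling directed-broadcast forwarding (for example `no ip directed-broadcast` on Cisco IOS), which removes the need to inspect individual packets at all.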

