Gap
Advanced
- Joined
- 14.09.20
- Messages
- 139
- Reaction score
- 1,113
- Points
- 93
Smurf Attack
A smurf attack uses Internet Control Management Protocol (ICMP) to send a broadcast ping with a spoofed source address. It’s easier to understand this by looking at one step at a time.- Normal ping. A regular ping sends one or more ICMP echo requests to a system and the system responds with one or more ICMP echo replies. This provides verification the remote system is operational. A regular ping uses unicast. In other words, the ICMP packet is addressed to one system from one system.
- Broadcast ping. A broadcast ping is not normal. It sends the ICMP echo request to a broadcast address sending it to virtually all systems on the network. Each system will then respond to the system that sent it flooding this system with ICMP echo replies.
- Spoofed source broadcast ping. The smurf attack spoofs the source address with the address of the victim, and then sends it out as a broadcast ping. Each system on the network will then respond, and flood the victim with echo replies.
Fraggle Attack
Fraggle attacks are similar to smurf attacks but instead of using ICMP, they use UDP ports 7 and 19.As described earlier, the ping command uses ICMP and it is used to check if a system is operational. Tools are available that use UDP instead of ICMP and instead of checking to see if a system is operational, they check to see if the system is listening on a specific port. This is commonly done with many different types of vulnerability scanners used by both attackers and security administrators.
A system listens on either TCP or UDP port 19 (known as the chargen port) for chargen requests. When a connection is established to this port, the system would respond with a constant stream of characters to the original system. Typically the original system would use TCP or UDP port 7 (known as the echo port) but this isn’t required. When the original system begins receiving the characters, it knows the target system is operational, and closes the connection.
In a fraggle attack, a spoofed broadcast packet is sent to port 19. The spoofed address is the address of the victim. Since it is broadcast, it goes to every system on the network. If port 19 is open and the character generator service is running on these systems, they will send a stream of characters to the victim.
Realistically, systems today will not have port 7 open or the chargen service running on port 19. Additionally, routers do not pass broadcasts so any attacks are limited to a single network. Said another way, it is very unlikely you will ever see a fraggle attack today.
