message is then sent to the intermediary, which is actually an entire subnetwork of computers. By sending the ping to the network’s IP broadcast address, the perpetrator ensures that each node on the intermediary network receives the echo request automatically. Consequently, each intermediary node sends an echo response to the ping message, and these responses are returned to the victim’s IP address, not that of the source computer. The resulting flood of echoes can overwhelm the victim’s computer and cause network congestion that makes it unusable for legitimate traffic. Figure 3.1 illustrates a smurf attack.
The intermediary in a smurf attack is an unwilling and unaware party. Indeed, the intermediary is also a victim and to some extent suffers the same type of network congestion problem the target victim suffers. One method of defeating a smurf attack is to disable the IP broadcast addressing option at each network firewall and thus eliminate the intermediary’s role. In response to this countermeasure, however, attackers have developed tools to search for networks that do not disable broadcast addressing. These networks may subsequently be used as intermediaries in smurf attacks. Also, perpetrators have developed tools that enable them to launch smurf attacks simultaneously from multiple intermediary networks for maximum effect on the victim.
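The following detection script is an added example, not part of the book: given constructed ICMP packet summaries and the subnets a site protects (both assumed for illustration), it flags echo requests aimed at those subnets' broadcast addresses and counts how many echo replies each claimed source address was then sent, which is the amplification the spoofed victim absorbs.

```python
import ipaddress
from collections import Counter

# Subnets this sensor protects (constructed for the example). A ping whose
# destination is one of their broadcast addresses is a directed broadcast,
# the delivery mechanism a smurf attack relies on.
MONITORED_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]

# Constructed packet summaries, one per line: "src dst icmp_type"
# (type 8 = echo request, type 0 = echo reply). 203.0.113.7 is the
# spoofed source, i.e. the intended victim; 192.0.2.20/30 is a normal ping.
SAMPLE_PACKETS = """\
203.0.113.7 192.0.2.255 8
203.0.113.7 192.0.2.255 8
192.0.2.10 203.0.113.7 0
192.0.2.11 203.0.113.7 0
192.0.2.12 203.0.113.7 0
192.0.2.13 203.0.113.7 0
192.0.2.20 192.0.2.30 8
192.0.2.30 192.0.2.20 0
"""

def parse_packets(text):
    """Turn summary lines into (src, dst, icmp_type) tuples."""
    rows = []
    for line in text.splitlines():
        src, dst, icmp_type = line.split()
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(icmp_type)))
    return rows

def smurf_report(packets, subnets):
    """Map each address used as source of a broadcast echo request to the
    number of such requests and the number of echo replies our subnets then
    sent it; replies/requests is the amplification the victim experiences."""
    bcast = {net.broadcast_address for net in subnets}
    requests = Counter(s for s, d, t in packets if t == 8 and d in bcast)
    replies = Counter(d for s, d, t in packets
                      if t == 0 and any(s in net for net in subnets))
    return {str(v): {"requests": n, "replies": replies[v],
                     "amplification": replies[v] / n}
            for v, n in requests.items()}

if __name__ == "__main__":
    for victim, stats in smurf_report(parse_packets(SAMPLE_PACKETS), MONITORED_SUBNETS).items():
        print(f"{victim}: {stats['requests']} broadcast pings, "
              f"{stats['replies']} replies sent back, x{stats['amplification']:.1f}")
```

Directed broadcasts of this kind are what the countermeasure in the text suppresses; on Linux hosts the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1 makes them ignore such pings so they cannot serve as intermediaries.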
Distributed Denial of Service. A distributed denial of service (DDoS) attack may take the form of a SYN flood or smurf attack. The distinguishing feature of the DDoS is the sheer scope of the event. The perpetrator of the DDoS attack may employ a virtual army of so-called zombie or bot (robot) computers to launch the attack. Because vast numbers of unsuspecting intermediaries are needed, the attacks often involve one or more Internet relay chat (IRC) networks as a source of zombies. IRC is a popular interactive service on the Internet that lets thousands of people from around the world engage in real-time communications via their computers.
The problem with IRC networks is that they tend to have poor security. The perpetrator can thus easily access the IRC and upload a malicious program such as a Trojan horse (see the appendix for a definition), which contains a DDoS attack script. This program is subsequently downloaded to the PCs of the many thousands of people who visit the IRC site. The attack program runs in the background on the new zombie computers, which are now under the control of the perpetrator. These collections of compromised computers are known as botnets. Figure 3.2 illustrates this technique.
Via the zombie control program, the perpetrator has the power to direct the DDoS to specific victims and turn the attack on or off at will. The DDoS attack poses a far greater threat to the victim than a traditional SYN flood or smurf attack. For instance, a SYN flood coming from thousands of distributed computers can do far more damage than one from a single computer. Also, a smurf attack coming from a subnetwork of intermediary