Smurf DDoS attack:❗️ How it works and how to mitigate

Ivan Novikov
4 min readAug 27, 2021

Attacks geared at denying users access to servers are executed in different ways. One notable approach — similar in many forms of service denials — is the use of volume. The sheer volume of requests is employed by attackers to render a particular network useless. A good representation of that is the subject of discourse in this context.

These are attacks that overload a server with Ping requests. It leverages the volume limit of servers and the features of broadcast networks. It uses these two means to amplify the extent of the normal damage. They get their name from a malicious program named DDoS SMURF.‍

Smurf Attack Scenario

It looks very close to ping attacks considering the manner of execution. However, there is a difference in the target feature that is exploited. Generally, the attacker sends a ping (ICMP echo) and rides on the automated server-host response. This is done at a bandwidth larger than the predetermined coverage of the targeted server.

To be able to further grasp the technical part of SMURF attacks, here is a breakdown of how it works:

  1. The attacking malware — SMURF — is used to create fake pings. This ping definitely needs a source. The attacker uses a fake source — that is, they engineer a new source under the guise of legitimacy.
  2. The generated ping is sent to a network by which an IP broadcasts packets. This serves as an intermediary.
  3. This network naturally transmits to all the devices on its radar.
  4. As expected of a normal host-server response, all the networks send a response to the faked address.
  5. When too many simultaneous responses are sent to the server in question. It is, therefore, unable to function.

The determinant of the volume of pings is the broadcast framework of the IP that is employed by attackers as an intermediary. The number of responses the attacked server receives is a direct function of the number of the framework capacity of the IP. That is, if the broadcast has 2000 networks on its radar, then the target server gets a response from 2000 networks.

Types of Smurfs DDoS Attacks

They are classified based on how sophisticated their execution is. Considering this, two types exist; the basic and the advanced attacks.

The Basic Attack — In this type, the assaulted network discovers itself among many ping packet requests. The packet used in this attack has a fake source that is linked to the broadcast framework of that potential victim. The echo that would be potentially generated from the answers of the devices on the radar of broadcast automatically renders the victim network non-functional. All these are subject to the correct dispersion of the broadcast. In the event where the packets are not properly dispersed, the attack would not function

The Advanced Smurf Attack — In this type, there is there are victims that suffer collateral damage from the attack. These victims are termed third-party victims. This approach works by making a third-party victim a source of the game plan. This allows attackers to be able to work without interruption due to the stability of the route through to the internet. The goal is to access certain systems linked to their initial target. That way, they do not just tamper with the functionality of the target alone, they also get to tamper with a larger subsection of the internet.‍

How to Mitigate Smurf DDoS Attack?

Surprisingly for those interested in how to stop Smurf attacks, it does not require any complicated or flashy move. It works by a combined function of filtering between pings (ICMP packet requests) and an over-provisioning method. The combination of this allows administrators to identify possible requests from spoofed sources and erase them without interfering with the normal functions of the server in question.

In the case of an attack, here are the damage control protocols you could use:

  1. Immediately restrict the attacked structure or server from getting requests from any broadcast framework. This automatically allows the server to have time to get rid of the load.
  2. After this, you have to re-program the hosts not to answer the perceived threatening requests.


Overall standard network security protocols may or may not be effective against these attacks. However, as an administrator, it is important that you put the necessary oversight mechanism to prevent such occurrence.

Read our article “ How to Stop a DDoS Attack

Originally published at



Ivan Novikov

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.