MikroTik ICMP Smurf Attack & Prevention

Another type of attack that I would like to explore about it, is called ICMP Smurf attack.

What happens in this attack is that the attacker will send a large amount of Internet Control Message Protocol (ICMP ping request) to the broadcast address of the network, and he will spoof the IP address of the victim showing that those pings are coming from the victim IP address.

As you know, if you send ping to a broadcast address, then all network devices which are in that network will receive the ping and will do the ping reply. In our case, the ping reply will go to the spoofed IP address which in our case will be the MikroTik router.

The hacker has used the IP address of R1 to be the source IP of the ping and he has sent it as a broadcast destination, this way all PCs will get it and answer back by a ping reply to R1 causing a type of DOS attack and the router to not be functional anymore.

Now we know the theory behind it, let’s apply it in a LAB to do the attack then we do the mitigation.

LAB: ICMP Smurf Attack & Prevention

I still have the same scenario as before. Let’s say that the attacker could in a way discover your LAN network address, and he could reach your WAN public IP over the internet (considering there is a LAN network connected to R1).

Let’s see how the attacker can run the ICMP Smurf attack:

The command on Kali Linux is as following:

hping3 –icmp –flood –rand-source -c 20000 –spoof 172.80.80.1 172.80.80.255

The command means that I am issuing an ICMP flood attack coming from random sources, but the reply has to go to the victim which has the IP address 172.80.80.1 (that’s the spoofed IP) and the ICMP flood goes to the destination broadcast network 172.80.80.255.

Doing so, all devices in the LAN will receive the massive number of ICMP and will do a ping reply to the victim device which is R1.

Let see what has happened to the router once we launched the attack: