What is a smurf attack, plus smurf attack prevention pointers


An overview of what is a smurf attack, the parts that play into smurfing, how it results in DDoS attacks, plus pointers for smurf attack prevention

A smurf attack is a distributed denial-of-service attack (DDoS). It’s named after a malware called DDoS.Smurf, which is used to execute the cyberattack.


Cybersecurity enthusiasts might liken smurf attacks to a ping flood in that it’s carried out by flooding a victim’s computer network with Internet Control Message Protocol (ICMP) Echo Replies. That’s a lot of technical terms, right? 

In the simplest of terms, a smurf attack can overwhelm your computer to a degree that it’s inoperable. Here we’re giving an uncomplicated breakdown of what is a smurf attack, the parts that play into smurfing, plus pointers for smurf attack prevention.

How does a smurf attack work?

Smruf attacks simplified

A smurf attack involves a few active ingredients: 

  • DDoS.Smurf malware to execute the attack,
  • a spoofed IP address, meaning a fake IP address that routes back to the smurf attack victim,
  • and ICMP packets that overwhelm the victim’s network.

To understand how a smurf attack works, you need to understand what an ICMP is. It’s a protocol that diagnoses communications problems across computer networks, including whether data is indeed being communicated, or pinged, between devices. 

In the case of a smurf attack, the DDoS.Smurf malware sends out ICMP Echo Requests to every device on an IP broadcast network and essentially puts a return address on it that’s a spoofed IP address of their victim. This eventually overwhelms their device to a degree that it’s inoperable or inaccessible and results in a DDoS attack. 

For a step-by-step breakdown of how a smurf attack works:

  1. DDoS.Smurf malware creates an ICMP Echo Request coming from a spoofed IP address that routes back to the smurf attack victim.
  2. The ICMP Echo Request is sent to an IP broadcast network that then relays the message to every device on the network, eliciting ICMP Echo Replies.
  3. The devices send ICMP Echo Replies back to the IP broadcast network, indicating the ICMP Echo Request has been received. 
  4. All of the replies are rerouted to the smurf attack victim, resulting in a DDoS attack. 

For a smurf attack example, think of it as someone pulling a prank that they’re throwing a party in your name. The prankster (the DDoS.Smurf malware) puts your return address (the spoofed IP address) on a bunch of fake invitations (ICMP Echo Requests), sends them to the post office (the IP broadcast network) that then mails them out to guests, and, ultimately, you’re inundated with RSVPs (the ICMP Echo Replies). Talk about overwhelming.

The history of smurfing + smurf attack examples

Why is it called a smurf attack

In case you’re still wondering “Why is it called a smurf attack?” A smurf attack is named after the DDoS.Smurf malware that executes a smurf attack. It’s also a nod to fictional “Smurf” characters and how many small forces can cause one big change, similar to botnets

In fact, the DDos.Smurf malware was born about a decade after the TV show. It’s believed to have first been used in the 1990s and created by hacker Dan Moschuk, AKA TFreak. And the first regarded smurf attack was in 1998 on the University of Minnesota, resulting in computers shutting down across the state and even some data loss

Smurf attacks had a relatively short time in the limelight, however, as router manufacturers have eventually disabled default ICMP Echo Replies or allowed for these settings to be configured. 

What are the types of smurf attacks?

There are a few variations of smurf attacks, including the aforementioned ping floods and also Fraggle attacks, which send User Datagram Protocol packets instead of ICMP packets to flood a victim’s networks.

Generally, smurf attacks can be categorized as basic or advanced. And the difference lies in the degree of the DDoS attack that follows.       

  • A basic smurf attack results in a single network being flooded with ICMP Echo Replies.       
  • An advanced smurf attack can impact a third-party victim

What are the effects of smurfing?

As smurf attacks aim to overwhelm networks and devices, at a minimum they will slow down victims’ networks and devices. Oftentimes, though, smurf attacks result in DDoS attacks, which deems networks and devices inaccessible or inoperable. Worse yet, data theft can occur.

For companies, smurf attacks can also cripple servers for days, resulting in losses of revenue and potentially customer satisfaction or loyalty. Thankfully, smurf attacks can be prevented.

Prevention + mitigation methods

How to stop smrufing

Mitigating smurfing attacks is all about protecting your network, and that starts with your router, namely by configuring how your routers and devices interact with ICMP packets. To this end, consider your smurf attack prevention approach twofold in that you should:

  • Disable IP broadcast addressing across all of your network routers.     
  • Configure your routers and devices to not forward or respond to ICMP Echo Requests. 

You might also adjust your firewall to not allow pings from outside of your network. Investing in a new router can help, as well, as these configurations often default on newer devices. 

Fictional “Smurfs” might be adorable, but smurf attacks are not. And even as smurfing might not be considered the most pressing of modern-day cyberattacks, understanding what is smurfing can help you spot and stop similar DDoS attacks. 

Clare Stouffer
  • Clare Stouffer
  • Gen employee
Clare Stouffer, a Gen employee, is a writer and editor for the company’s blogs. She covers various topics in cybersecurity.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.