Emerging Threats

What is a smurf attack, plus smurf attack prevention pointers

a man with glasses and a denim shirt stares at a laptop screen, contemplating a potential smurf attack that’s on it

September 1, 2021

A smurf attack is a distributed denial-of-service attack (DDoS). It’s named after a malware called DDoS.Smurf, which is used to execute the cyberattack.

Cybersecurity enthusiasts might liken smurf attacks to a ping flood in that it’s carried out by flooding a victim’s computer network with Internet Control Message Protocol (ICMP) Echo Replies. That’s a lot of technical terms, right? 

In the simplest of terms, a smurf attack can overwhelm your computer to a degree that it’s inoperable. Here we’re giving an uncomplicated breakdown of what is a smurf attack, the parts that play into smurfing, plus pointers for smurf attack prevention.

How does a smurf attack work?

illustrations of computers, an IP broadcast network, and envelopes underscore how a smurf attack works

A smurf attack involves a few active ingredients: 

  • DDoS.Smurf malware to execute the attack,
  • a spoofed IP address, meaning a fake IP address that routes back to the smurf attack victim,
  • and ICMP packets that overwhelm the victim’s network.

To understand how a smurf attack works, you need to understand what an ICMP is. It’s a protocol that diagnoses communications problems across computer networks, including whether data is indeed being communicated, or pinged, between devices. 

In the case of a smurf attack, the DDoS.Smurf malware sends out ICMP Echo Requests to every device on an IP broadcast network and essentially puts a return address on it that’s a spoofed IP address of their victim. This eventually overwhelms their device to a degree that it’s inoperable or inaccessible and results in a DDoS attack. 

For a step-by-step breakdown of how a smurf attack works:

  1. DDoS.Smurf malware creates an ICMP Echo Request coming from a spoofed IP address that routes back to the smurf attack victim.
  2. The ICMP Echo Request is sent to an IP broadcast network that then relays the message to every device on the network, eliciting ICMP Echo Replies.
  3. The devices send ICMP Echo Replies back to the IP broadcast network, indicating the ICMP Echo Request has been received. 
  4. All of the replies are rerouted to the smurf attack victim, resulting in a DDoS attack. 

For a smurf attack example, think of it as someone pulling a prank that they’re throwing a party in your name. The prankster (the DDoS.Smurf malware) puts your return address (the spoofed IP address) on a bunch of fake invitations (ICMP Echo Requests), sends them to the post office (the IP broadcast network) that then mails them out to guests, and, ultimately, you’re inundated with RSVPs (the ICMP Echo Replies). Talk about overwhelming.

The history of smurfing + smurf attack examples

a magnifying glass hovers over a bug on a computer screen, indicating a type of malware has been identified and it could be a smurf attack

In case you’re still wondering “Why is it called a smurf attack?” A smurf attack is named after the DDoS.Smurf malware that executes a smurf attack. It’s also a nod to fictional “Smurf” characters and how many small forces can cause one big change, similar to botnets

In fact, the DDos.Smurf malware was born about a decade after the TV show. It’s believed to have first been used in the 1990s and created by hacker Dan Moschuk, AKA TFreak. And the first regarded smurf attack was in 1998 on the University of Minnesota, resulting in computers shutting down across the state and even some data loss

Smurf attacks had a relatively short time in the limelight, however, as router manufacturers have eventually disabled default ICMP Echo Replies or allowed for these settings to be configured. 

What are the types of smurf attacks?

There are a few variations of smurf attacks, including the aforementioned ping floods and also Fraggle attacks, which send User Datagram Protocol packets instead of ICMP packets to flood a victim’s networks.

Generally, smurf attacks can be categorized as basic or advanced. And the difference lies in the degree of the DDoS attack that follows.       

  • A basic smurf attack results in a single network being flooded with ICMP Echo Replies.       
  • An advanced smurf attack can impact a third-party victim

What are the effects of smurfing?

As smurf attacks aim to overwhelm networks and devices, at a minimum they will slow down victims’ networks and devices. Oftentimes, though, smurf attacks result in DDoS attacks, which deems networks and devices inaccessible or inoperable. Worse yet, data theft can occur.

For companies, smurf attacks can also cripple servers for days, resulting in losses of revenue and potentially customer satisfaction or loyalty. Thankfully, smurf attacks can be prevented.

Prevention + mitigation methods

a router and a computer screen are associated with two tips to prevent smurf attacks

Mitigating smurfing attacks is all about protecting your network, and that starts with your router, namely by configuring how your routers and devices interact with ICMP packets. To this end, consider your smurf attack prevention approach twofold in that you should:

  • Disable IP broadcast addressing across all of your network routers.     
  • Configure your routers and devices to not forward or respond to ICMP Echo Requests. 

You might also adjust your firewall to not allow pings from outside of your network. Investing in a new router can help, as well, as these configurations often default on newer devices. 

Fictional “Smurfs” might be adorable, but smurf attacks are not. And even as smurfing might not be considered the most pressing of modern-day cyberattacks, understanding what is smurfing can help you spot and stop similar DDoS attacks. 

Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.