A smurf begins when a single malicious user sends a stream of Internet
Control Message Protocol, or ping, packets -- used to determine if a=
machine
is alive -- to a target network's central "directed broadcast" address,
which is rarely used, but easily obtained.

This address pings all the machines -- often 255 boxes or more -- on the
target network.

Each of the hundreds of hosts on that target network will dutifully respond
with a "yes, I'm here" answer packet back to what they understand to be the
ping's origin address. But the cracker has forged the source address of the
originating ping packets.

"The (faked originating address) is the poor hapless victim of the smurf,"
explained Nielsen. Instantly, the target network is hopelessly clogged, as
Nielsen outlined with a typical smurf scenario.

"Assume that someone on a 28.8K modem can safely send out 337 64-byte ping
packets ... per second," said Nielsen. "When sent to a fully loaded
broadcast network ... this becomes 85,261 packets, or 5.45MB of data per
second."

"That's easily enough to kill off a T1 (very high-speed Internet line),"
said Nielsen. "If the person originates the smurf from a faster link, and
uses multiple relay networks, they can easily kill off a full 45 megabit=
(or