What is an ICMP Flood Attack?
An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common Denial-of-Service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings). Normally, ICMP echo-request and echo-reply messages are used to ping a network device in order to diagnose the health and connectivity of the device and the connection between the sender and the device. By flooding the target with request packets, the network is forced to respond with an equal number of reply packets. This causes the target to become inaccessible to normal traffic.
Others types of ICMP request attacks may involve custom tools or code, such as hping and scapy. Attack traffic that emanates from multiple devices is considered Distributed-Denial-of-Service (DDoS) attack. In this type of attack, both incoming and outgoing channels of the network are overwhelming, consuming significant bandwidth and resulting in a denial of service.
What Are the Signs of an ICMP Flood Attack?
An ICMP flood attack requires that the attacker knows the IP address of the target. Attacks can be separated into three categories, determined by the target and how the IP address is resolved:
- Targeted local disclosed – In this type of attack, a ping flood targets a specific computer on a local network. In this case, the attacker must obtain the IP address of the destination beforehand.
- Router disclosed – Here, a ping flood targets routers with the objective of interrupting communications between computers on a network. In this type of attack, the attacker must have the internal IP address of a local router.
- Blind ping – This involves using an external program to reveal the IP address of the target computer or router before launching an attack.
Why Are ICMP Flood Attacks Dangerous?
Because an ICMP flood attack overwhelms the targeted device’s network connections with bogus traffic, legitimate requests are prevented from getting through. This scenario creates the danger of DoS, or in the case of more concerted attack, DDoS. What makes this volumetric attack vector even more dangerous is that in the past, attackers would spoof a false IP address in order to mask the sending device. But with today’s sophisticated botnet attacks (especially IoT-based bots), the attackers don’t even bother masking the bot’s IP. Instead, they utilize an extensive network of un-spoofed bots to overwhelm the target server.
How to Mitigate and Prevent an ICMP Flood Attack?
Preventing an ICMP flood attack can be accomplished by disabling the ICMP functionality of the targeted router, computer or other device. By setting your perimeter firewall to block pings, you can effectively prevent attacks launched from outside your network. It’s important to note that this approach won’t prevent internal attacks. Also, when using IPv6, some ICMPv6 messages have to be permitted in order to maintain normal operations.
While eliminating the processing of the request and the Echo Reply will stop ICMP attacks, it will also make the device unresponsive to ping requests, traceroute requests, and other network activities, thus limiting the ability to diagnose server issues.
Another approach to combating ICMP attacks is to rate limit the processing of incoming ICMP messages; alternatively limit the allowed size of the ping requests.