What is an ICMP Flood DDoS Attack?

An Internet Control Message Protocol (ICMP) flood DDoS attack, also known as a Ping flood attack, is a common Denial-of-Service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings). Normally, ICMP echo-request and echo-reply messages are used to ping a network device in order to diagnose the health and connectivity of the device and the connection between the sender and the device. By flooding the target with request packets, the network is forced to respond with an equal number of reply packets. This causes the target to become inaccessible to normal traffic.

Other types of ICMP request attacks may involve custom tools or code, such as hping and scapy. Attack traffic that emanates from multiple devices is considered a Distributed Denial-of-Service (DDoS) attack. In this type of DDoS attack, both the incoming and outgoing channels of the network are overwhelmed, consuming significant bandwidth and resulting in a denial of service.

What Are the Signs of an ICMP Flood Attack?

An ICMP flood DDoS attack requires that the attacker knows the IP address of the target. Attacks can be separated into three categories, determined by the target and how the IP address is resolved:

  • Targeted local disclosed – In this type of DDoS attack, a ping flood targets a specific computer on a local network. In this case, the attacker must obtain the IP address of the destination beforehand.

  • Router disclosed – Here, a ping flood targets routers with the objective of interrupting communications between computers on a network. In this type of DDoS attack, the attacker must have the internal IP address of a local router.

  • Blind ping – This involves using an external program to reveal the IP address of the target computer or router before launching a DDoS attack.

Why Are ICMP Flood Attacks Dangerous?

Because an ICMP flood DDoS attack overwhelms the targeted device’s network connections with bogus traffic, legitimate requests are prevented from getting through. This scenario creates the danger of DoS or, in the case of a more concerted attack, DDoS. What makes this volumetric attack vector even more dangerous is that in the past, attackers would spoof a false IP address in order to mask the sending device. With today’s sophisticated botnet attacks (especially IoT-based bots), the attackers don’t even bother masking the bot’s IP. Instead, they utilize an extensive network of un-spoofed bots to overwhelm the target server.

How to Mitigate and Prevent an ICMP Flood Attack?

Preventing an ICMP flood DDoS attack can be accomplished by disabling the ICMP functionality of the targeted router, computer or other device. By setting your perimeter firewall to block pings, you can effectively prevent attacks launched from outside your network. It’s important to note that this approach won’t prevent attacks that originate inside the network. Also, when using IPv6, some ICMPv6 messages have to be permitted in order to maintain normal operations.

While eliminating the processing of the echo request and the echo reply will stop ICMP attacks, it will also make the device unresponsive to ping requests, traceroute and other network activities that rely on ICMP, thus limiting the ability to diagnose server issues.

Another approach to combating ICMP attacks is to rate limit the processing of incoming ICMP messages; alternatively, limit the allowed size of ping requests so that oversized packets are discarded rather than processed.
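The rate-limit and size-limit controls described above, modelled as an added example that is not NETSCOUT's code: a per-source token bucket for echo requests with a payload-size cap, which also exempts the ICMPv6 Neighbor Discovery and Packet Too Big types that must stay open under IPv6. The addresses, rates and packet stream are constructed for illustration.

```python
from collections import defaultdict

# ICMPv6 types that must stay open for normal operation (RFC 4443 / RFC 4861):
# Packet Too Big (2) for path-MTU discovery and the Neighbor Discovery set (133-136).
ESSENTIAL_ICMPV6 = {2, 133, 134, 135, 136}
ECHO_REQUEST = {4: 8, 6: 128}  # echo-request type number for ICMPv4 / ICMPv6


class IcmpPolicy:
    """Per-source token bucket for echo requests plus a payload-size cap (constructed defaults)."""

    def __init__(self, rate_per_sec=10, burst=20, max_payload=64):
        self.rate, self.burst, self.max_payload = rate_per_sec, burst, max_payload
        self.buckets = {}  # src -> (tokens, timestamp of last update)

    def _take_token(self, src, ts):
        tokens, last = self.buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)  # refill since last packet
        ok = tokens >= 1
        self.buckets[src] = (tokens - 1 if ok else tokens, ts)
        return ok

    def decide(self, pkt):
        """Return 'accept' or 'drop' for one packet described as a dict."""
        if pkt["ipv"] == 6 and pkt["type"] in ESSENTIAL_ICMPV6:
            return "accept"  # never rate-limit ND / PMTUD traffic
        if pkt["type"] != ECHO_REQUEST[pkt["ipv"]]:
            return "accept"  # only echo requests are policed here
        if pkt["payload_len"] > self.max_payload:
            return "drop"  # oversized ping
        return "accept" if self._take_token(pkt["src"], pkt["ts"]) else "drop"


def pkt(src, ts, ipv=4, typ=None, payload_len=56):
    return {"src": src, "ts": ts, "ipv": ipv,
            "type": ECHO_REQUEST[ipv] if typ is None else typ, "payload_len": payload_len}


def run_sample():
    """Run the policy over a constructed packet stream; returns per-source verdict counts."""
    stream = [pkt("198.51.100.7", 0.0) for _ in range(100)]        # 100 pings in one instant
    stream += [pkt("203.0.113.5", float(t)) for t in range(5)]     # one ping per second
    stream += [pkt("203.0.113.9", 0.0, payload_len=1400)]          # oversized ping
    stream += [pkt("fe80::1", 0.0, ipv=6, typ=135)]                # Neighbor Solicitation
    stream += [pkt("198.51.100.7", 2.0)]                           # flood source after a 2 s pause
    counts = defaultdict(lambda: {"accept": 0, "drop": 0})
    policy = IcmpPolicy()
    for p in stream:
        counts[p["src"]][policy.decide(p)] += 1
    return dict(counts)
```

The flood source gets only its burst allowance accepted, the oversized ping is dropped regardless of rate, and the Neighbor Solicitation passes untouched.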

How Could an Attack like a Ping Flood be Harmful to an Entire Network?

Because a Ping Flood attack overwhelms the targeted device’s network connections with bogus traffic, legitimate requests are prevented from getting through. This scenario creates the danger of DoS or, in the case of a more concerted attack, DDoS.

How can NETSCOUT help?

NETSCOUT's Arbor DDoS solution has been protecting the world’s largest and most demanding networks from DDoS attacks for more than a decade. We strongly believe that the best way to protect your resources from modern DDoS attacks is through a multi-layer deployment of purpose-built DDoS mitigation solutions.

Only with a tightly integrated, multi-layer defense can you adequately protect your organization from the full spectrum of DDoS attacks.

  • Arbor Cloud – Tightly integrated, multi-layer DDoS protection

  • Arbor Edge Defense – On-Premises

  • Arbor SP/Threat Mitigation System – High Capacity On-Premise Solution for Large Organizations

NETSCOUT customers enjoy a considerable competitive advantage by getting both a micro view of their own network, via our products, combined with a macro view of global Internet traffic, via NETSCOUT Omnis Threat Horizon, an interface to our ATLAS threat intelligence and a DDoS Attack Map visualization.