ICMP Attacks: Everything You Need To Know

It is no surprise that hackers strive to find a weakness in everything, from simple software to the most fundamental protocols that underpin the structure of the Internet as we know it. As one of the essential components of the Internet protocol stack, Internet Control Message Protocol (ICMP), acts as a global message carrier, conveying vital information about the state of the network devices and whole networks that form the worldwide web.

Kiki Sheldon

Although an invaluable communication tool, ICMP also gives attackers an avenue to abuse weaknesses inherent in its design. ICMP is connectionless, nothing in it authenticates the sender, and the source address of an ICMP message is trivially forged, yet hosts and routers act on the messages they receive as if they were genuine. Malicious actors exploit that trust to disrupt network operations, which can ultimately result in denial of service.

As a distinct group of denial-of-service attacks, ICMP attacks are no longer a primary tool in the attacker’s toolbox. However, they continue wreaking havoc on online businesses. Ping flood attacks, smurf attacks, and the so-called ping of death – all of those are different variations of ICMP attacks that can still pose a threat to network operations worldwide.

In this guide to ICMP attacks, you will learn what ICMP is and how hackers use it to cause denial of service to servers and whole networks. We will delve into the mechanisms underlying ICMP attacks to equip you with the necessary knowledge and tools to protect your business from the harm they pose.

What is ICMP?

Internet Control Message Protocol, or ICMP, is a network protocol used by hosts and routers to communicate operational information to one another. ICMP is often described as part of IP itself: RFC 792 defines it as an integral part of every IP implementation, and its messages are carried as the payload of IP datagrams (IP protocol number 1 for ICMPv4; ICMPv6 uses protocol number 58). Because it rides directly inside IP rather than on top of a transport protocol, ICMP is considered to belong to the Internet protocol suite's third layer, the network layer.

Each ICMP message has a type and a code field that together specify what the message reports. Error messages also carry the IP header and the first 8 bytes of the datagram that triggered them, so the sender can match the error to the request that caused it. For example, if a router cannot deliver a datagram to the destination host, it generates an ICMP type 3 (Destination Unreachable) message: code 0 means the destination network is unreachable, and code 1 means the network was reached but the host itself could not be, letting you know the router could not complete the path to the server you specified.
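The message layout described above, as an added example that is not code from the original article: a builder and parser for ICMPv4 echo requests and Destination Unreachable messages following RFC 792, including the one's-complement checksum and the quoted original datagram. The addresses (RFC 5737 documentation ranges) and the undeliverable UDP datagram are constructed sample data.

```python
"""Build and decode ICMPv4 messages per RFC 792 (added example, not from the article).
Every ICMP message starts with type, code and a 16-bit checksum; the rest depends on
the type.  Sample packets are constructed inline, so this runs with no network access."""
import struct
import ipaddress

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                     4: "fragmentation needed and DF set"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd tail is zero padded).
    Used for both the IP header and the ICMP message; over a valid message it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options), checksum filled in."""
    fields = [0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0: what ping sends. Identifier and sequence let replies be matched."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def build_dest_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3: a router or host reports that it could not deliver original_datagram.
    RFC 792 quotes the original IP header plus the first 8 bytes of its payload, which
    is exactly enough for the sender to recover the transport ports it used."""
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted = original_datagram[: ihl + 8]
    header = struct.pack("!BBHI", 3, code, 0, 0)   # 4 unused bytes follow the checksum
    csum = inet_checksum(header + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted


def parse_icmp(msg: bytes) -> dict:
    """Decode type and code, verify the checksum, and extract type-specific fields."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    mtype, code, _csum = struct.unpack("!BBH", msg[:4])
    info = {"type": mtype, "code": code, "type_name": ICMP_TYPES.get(mtype, "other"),
            "checksum_ok": inet_checksum(msg) == 0}
    if mtype in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["payload"] = msg[8:]
    elif mtype in (3, 11) and len(msg) >= 28:
        quoted = msg[8:]                       # the offending datagram's IP header + 8 bytes
        ihl = (quoted[0] & 0x0F) * 4
        info["orig_proto"] = quoted[9]
        info["orig_src"] = str(ipaddress.IPv4Address(quoted[12:16]))
        info["orig_dst"] = str(ipaddress.IPv4Address(quoted[16:20]))
        if info["orig_proto"] in (6, 17) and len(quoted) >= ihl + 4:   # TCP or UDP ports
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
        if mtype == 3:
            info["code_name"] = UNREACHABLE_CODES.get(code, "other")
    return info


# Constructed sample: a UDP datagram 198.51.100.7:40000 -> 203.0.113.9:33434 that a router
# could not deliver, the Host Unreachable it would send back, and a plain echo request.
UDP_SEGMENT = struct.pack("!HHHH", 40000, 33434, 12, 0) + b"ping"
ORIGINAL = build_ipv4_header("198.51.100.7", "203.0.113.9", 17, 20 + len(UDP_SEGMENT)) + UDP_SEGMENT
HOST_UNREACH = build_dest_unreachable(1, ORIGINAL)
ECHO = build_echo_request(0x1234, 1, b"abcdefgh")

if __name__ == "__main__":
    print(parse_icmp(ECHO))
    print(parse_icmp(HOST_UNREACH))
```

Because the error quotes the original header, the parser can tell which of the sender's own datagrams (here, a UDP probe to port 33434) failed, which is exactly how the operating system routes the error back to the right socket.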

What is ICMP Used For?

Often, ICMP is used to report errors when the destination network or end system can't be reached. Error messages such as "Destination network unreachable" originate in ICMP and are shown to you if your request never completed its intended journey. Because the ICMP error quotes the IP header and first bytes of the original datagram, the operating system can map the error to the right socket and application.

Although error reporting is one of the primary applications of Internet Control Message Protocol, ICMP also underpins two fundamental network diagnostic tools, ping and traceroute. Both utilities are widely used for testing connectivity and tracing the path to remote networks and end systems. While ping and traceroute are often mentioned in the same breath, their operational methods differ significantly.

Ping and Traceroute

Ping sends a series of ICMP Echo Request messages (type 8) and expects an Echo Reply (type 0) from the destination host for each one. Ping reports no packet loss between the source and destination systems if each request receives a reply. If some requests or replies never arrive, whether because of network congestion or because a filter along the way dropped them, the utility reports those packets as lost.

Traceroute has a more complex mechanism and was created for a different purpose. Instead of sending echo requests straight to the intended host, it sends a series of probes with increasing Time to Live (TTL) values: first 1, then 2, then 3, and so on. Each router on the path decrements the TTL by one; the router at which the TTL reaches zero discards the probe and returns an ICMP Time Exceeded message (type 11, code 0) to the source. The first probe whose TTL is large enough to reach the destination is answered by the destination itself: with an Echo Reply if the probe was an ICMP echo request, or with a Destination Unreachable message (type 3, code 3, port unreachable) if, as in the classic Unix implementation, the probe was a UDP datagram sent to an unused port. Collecting the source addresses of those responses, Traceroute reconstructs the packet switches that form the route to the destination host, along with the round-trip time to each of them.
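To make the mechanism concrete, here is a small simulation of a traceroute run, added for this article and not taken from it or from any traceroute implementation. The path, the addresses (RFC 5737 documentation ranges) and the choice of which hop stays silent are constructed; it models the TTL decrement at every hop, the Time Exceeded reply from the router where the TTL hits zero, the two ways a destination answers the final probe, and what happens when a hop filters ICMP.

```python
"""Simulate traceroute's use of TTL and ICMP (added example, not from the article).
Routers, destination and the silent hop are a constructed topology."""
from dataclasses import dataclass

TIME_EXCEEDED = (11, 0)      # ICMP type 11 code 0: TTL expired in transit
ECHO_REPLY = (0, 0)          # destination's answer to an ICMP echo probe (tracert style)
PORT_UNREACHABLE = (3, 3)    # destination's answer to a UDP probe at a closed port (Unix style)


@dataclass
class Probe:
    src: str
    dst: str
    ttl: int
    kind: str = "udp"        # "udp" or "icmp"


def forward(path, probe, silent=frozenset()):
    """Carry one probe hop by hop. Returns (responder address, (type, code)), or
    (None, None) when the hop that should answer is in `silent`, i.e. it filters
    ICMP and never sends Time Exceeded (the '* * *' lines in a real trace)."""
    ttl = probe.ttl
    for router in path:
        ttl -= 1                                   # every router decrements TTL
        if ttl == 0:                               # this router drops the probe...
            if router in silent:
                return None, None
            return router, TIME_EXCEEDED           # ...and reports it to the source
    if probe.dst in silent:                        # destination drops probes outright
        return None, None
    return probe.dst, (ECHO_REPLY if probe.kind == "icmp" else PORT_UNREACHABLE)


def traceroute(path, src, dst, kind="udp", silent=frozenset(), max_hops=30):
    """One probe per TTL from 1 upward; stop at the first non-Time-Exceeded answer."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, reply = forward(path, Probe(src, dst, ttl, kind), silent)
        hops.append((ttl, responder, reply))
        if reply is not None and reply != TIME_EXCEEDED:
            break
    return hops


def render(hops):
    """Text in the spirit of the real tool's output."""
    lines = []
    for ttl, responder, reply in hops:
        if responder is None:
            lines.append(f"{ttl:2d}  *  (no reply: hop filters ICMP)")
        else:
            lines.append(f"{ttl:2d}  {responder}  icmp type {reply[0]} code {reply[1]}")
    return "\n".join(lines)


# Constructed topology: three routers between the source and the destination.
PATH = ["192.0.2.1", "198.51.100.1", "198.51.100.9"]
SRC, DST = "192.0.2.50", "203.0.113.10"

if __name__ == "__main__":
    print(render(traceroute(PATH, SRC, DST)))
    print(render(traceroute(PATH, SRC, DST, kind="icmp")))
    print(render(traceroute(PATH, SRC, DST, silent={"198.51.100.1"})))
```

The third run shows why a router that drops all ICMP appears as a blank line in a trace without breaking it: the next probe, with TTL one higher, still reaches and is answered by the following hop.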

What Makes ICMP Easy to Exploit?

Because ICMP sits at the network layer of the Open Systems Interconnection (OSI) model, its messages are connectionless: nothing has to be negotiated before a message is sent, unlike TCP, which begins with a three-way handshake, or TLS, which adds a further handshake with certificate verification on top of TCP. Anyone can send an echo request to any reachable system, and because nothing in ICMP authenticates the sender, the source address in the IP header can be forged at will. That combination of universal reachability and spoofable sources is what makes ICMP easy to exploit.

As you can see, although ICMP has proven itself an invaluable component of the global network, it has also attracted the attention of cybercriminals who want to use it for malicious purposes. Malicious actors exploit weaknesses both in the design of ICMP (unauthenticated, spoofable messages that anyone can send) and in particular implementations of it to disrupt networks and individual hosts. Performing ICMP attacks, hackers transform ICMP from a vital network diagnostic tool into a root cause of network outages.

ICMP Attacks as a Less Dangerous Type of Denial of Service (DoS)

ICMP attacks exploit the capabilities of Internet Control Message Protocol to overwhelm targeted networks and devices with requests, causing the so-called bandwidth flooding, a form of denial of service (DoS) that aims to exhaust the victim’s ability to handle incoming traffic. An ICMP attack can be defined as a denial of service attack that uses ICMP messages as its primary tool to disrupt network operations.

ICMP attacks are often considered less dangerous and easier to defend from than most denial-of-service attacks. While ICMP attacks can still cause significant damage, they are typically simpler to detect and mitigate for a few reasons:

  • ICMP attacks focus on the network layer. ICMP operates at a lower level of the Internet protocol stack, and legitimate ICMP traffic is small and infrequent compared with the data-heavy payloads used in application-layer denial-of-service attacks, so a sudden high volume of ICMP stands out and is easy to identify.
  • ICMP attacks display distinctive patterns. Malicious ICMP traffic often exhibits recognizable patterns, such as a deluge of echo requests from the same sender, or a stream of echo replies arriving for requests the host never sent.
  • ICMP traffic is easier to limit. Network administrators can rate limit ICMP, and can drop inbound echo requests outright, without disrupting normal operations. Blocking ICMP wholesale, however, is a mistake: the Destination Unreachable "fragmentation needed" message (type 3, code 4) is required for Path MTU Discovery, and on IPv6 the Neighbor Discovery messages that replace ARP are themselves ICMPv6, so blocking them breaks connectivity entirely.

3 Main Types Of ICMP Attacks

The three main types of ICMP attacks include ping flood, Smurf attacks, and ping of death attacks. Each uses distinct mechanisms, but the main difference is the types of ICMP messages cybercriminals use.

As we discussed, apart from the echo requests that the Ping utility generates and directs toward the destination, ICMP messages are usually generated by routers or by the destination system to alert the source of a problem. Because replies and errors are sent to whatever address the IP header names as the source, attackers do not have to aim a burst of ICMP packets at the victim directly: by spoofing the victim's address as the source, they can make third parties send their replies to the victim, so that the victim looks like the attacker in those third parties' eyes.

Let’s take a closer look at each of the three most prevalent types of ICMP attacks and see how they caused massive disruption to the Internet before prominent defensive mechanisms were widely introduced.

Ping Flood

Ping flood is the simplest and most prevalent variation of an ICMP attack, in which malicious actors direct excessive echo requests to the victim system or network. Cybercriminals target the destination host’s bandwidth by simulating the Ping utility’s normal activity.

With a deluge of ICMP requests sent in the same direction, the target's access link becomes clogged, preventing legitimate traffic from getting through to the destination. As each echo request normally triggers an echo reply, a ping flood also consumes CPU time and outbound bandwidth on the target, slowing down the end system and, at sufficient volume, causing a full denial of service.

As with any other type of DoS, malicious actors can employ multiple hosts to carry out a ping flood attack, turning it into a distributed denial of service (DDoS) attack. Not only does using multiple attack sources amplify the effects of the attack, but it also helps the attackers avoid discovery and hide their identity.

Distributed denial of service attacks typically harness botnets – networks of compromised endpoints and network devices controlled by the attacker. Botnets are created and expanded by infecting the victim’s device with a special type of malware, enabling the botnet owner to control the compromised system remotely. Once instructed, the infected device will start overwhelming the target of the ping flood attack with ICMP echo request messages without the knowledge or consent of the rightful owner.

One of the most famous large-scale ping flood attacks occurred in 2002. Cybercriminals leveraged a botnet to direct floods of ICMP echo request messages at each of the thirteen DNS root name servers. Fortunately, as the routers in front of the name servers were already configured to discard incoming ping messages, the attack had little to no impact on the global internet experience.

Smurf Attack

Smurf attacks turn a third-party network into an unwitting amplifier and make the victim look like the attacker. The attacker sends ICMP echo requests to the broadcast address of an intermediary network, with the source address spoofed to be the victim's. Every host on that network that answers sends its echo reply to the victim, so each request is multiplied by the number of responding hosts, and the resulting flood of replies overwhelms the real victim's host, the system specified as the source in the original ping requests.

Smurf attacks were once considered a major threat to computer networks due to their immense potential for destruction. However, this attack vector is rarely used today and is generally considered an addressed vulnerability. Routers no longer forward directed broadcasts by default (RFC 2644 changed the standard default in 1999), most packet filters drop ICMP echo requests sent to a broadcast address, which would otherwise be delivered to all devices on the destination network, and modern operating systems ignore broadcast echo requests altogether (on Linux this is the net.ipv4.icmp_echo_ignore_broadcasts setting, enabled by default). Any one of these measures prevents a network from being used as a Smurf amplifier.

Ping of Death

While ping flood and smurf attacks are volume-based denial-of-service attacks, ping of death exploits an implementation flaw: it aims to render the victim system inoperable by sending a small number of carefully crafted ICMP messages to the destination. This ICMP attack is less prevalent than the other two we previously discussed. Nevertheless, against a vulnerable system it has the most potential for destruction, since a single malformed datagram can crash the host.

ICMP messages are carried in IP datagrams, whose total length is limited to 65,535 bytes, the most the 16-bit length field of an IPv4 header can express. A ping of death sends an echo request as a series of IP fragments whose offsets and sizes add up to more than 65,535 bytes once reassembled. Implementations that allocated a fixed-size reassembly buffer and trusted the fragment arithmetic overflowed that buffer, corrupting kernel memory and crashing the system. As dangerous as it sounds, every mainstream operating system fixed this in the late 1990s, and modern network stacks validate fragment offsets and the reassembled length before accepting a datagram, so an oversized datagram never reaches the ICMP code.
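The three attack patterns described in this section (ping flood, Smurf and ping of death) as detection logic over decoded traffic records, added here and not part of the original article. The records are constructed sample traffic using RFC 5737 documentation addresses; the flood threshold (100 echo requests per source in any one-second window) and the local network used for the Smurf check are assumptions that a real deployment would tune.

```python
"""Detect ping flood, Smurf and ping of death patterns over decoded records
(added example, not from the article).  Records are constructed to stand in for
what a packet capture or flow exporter would produce."""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass
class IcmpRecord:
    ts: float          # seconds
    src: str
    dst: str
    icmp_type: int     # 8 = echo request, 0 = echo reply
    code: int = 0


@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int
    offset: int        # fragment offset in 8-byte units, as carried in the IP header
    payload_len: int   # bytes of IP payload in this fragment


def detect_ping_flood(records, window=1.0, threshold=100):
    """Sources that send more than `threshold` echo requests within any `window`
    seconds.  A sliding window (deque of timestamps per source) avoids the blind
    spot at the boundary of fixed one-second buckets."""
    recent = defaultdict(deque)
    flagged = set()
    for r in sorted(records, key=lambda r: r.ts):
        if r.icmp_type != 8:
            continue
        q = recent[r.src]
        q.append(r.ts)
        while q and r.ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(r.src)
    return flagged


def detect_smurf(records, local_nets):
    """Intermediary-side view: echo requests addressed to one of our broadcast
    addresses from a source outside our networks.  That source is the spoofed
    victim every responding host would flood with echo replies."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    broadcasts = {str(n.broadcast_address) for n in nets}
    hits = []
    for r in records:
        if r.icmp_type == 8 and r.dst in broadcasts:
            src = ipaddress.ip_address(r.src)
            if not any(src in n for n in nets):
                hits.append((r.src, r.dst))
    return hits


IPV4_MAX_DATAGRAM = 65535   # 16-bit total length; includes the 20-byte header


def detect_ping_of_death(fragments):
    """Datagrams whose fragments would reassemble to more than 65,535 bytes.
    Each fragment ends offset*8 + payload_len bytes into the IP payload; adding
    the 20-byte header gives the reassembled datagram length."""
    end = defaultdict(int)
    for f in fragments:
        key = (f.src, f.dst, f.ip_id)
        end[key] = max(end[key], f.offset * 8 + f.payload_len)
    return [key for key, e in end.items() if 20 + e > IPV4_MAX_DATAGRAM]


# Constructed sample traffic.
RECORDS = (
    [IcmpRecord(float(t), "203.0.113.5", "192.0.2.10", 8) for t in range(10)]        # monitor, 1/s
    + [IcmpRecord(3.0 + i / 800, "198.51.100.66", "192.0.2.10", 8) for i in range(400)]  # 400 in 0.5 s
    + [IcmpRecord(5.0, "203.0.113.77", "192.0.2.255", 8)]   # echo request to our broadcast address
)
FRAGMENTS = [
    Fragment("203.0.113.5", "192.0.2.10", 0x1111, 0, 1480),       # benign 60,000-byte echo request
    Fragment("203.0.113.5", "192.0.2.10", 0x1111, 7400, 800),     # ends at 59,200 + 800 bytes
    Fragment("198.51.100.99", "192.0.2.10", 0x4242, 0, 1480),     # ping of death: final fragment
    Fragment("198.51.100.99", "192.0.2.10", 0x4242, 8185, 1480),  # ends at 65,480 + 1,480 bytes
]

if __name__ == "__main__":
    print("ping flood sources:", detect_ping_flood(RECORDS))
    print("smurf attempts (spoofed victim, broadcast):", detect_smurf(RECORDS, ["192.0.2.0/24"]))
    print("oversized datagrams:", detect_ping_of_death(FRAGMENTS))
```

The ping of death check is the same arithmetic a hardened reassembly routine performs before allocating: it rejects the datagram on the declared offsets alone, without waiting for the bytes to arrive.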

How to Detect and Mitigate an ICMP Attack?

Hackers do not always pick specific websites and servers to target, especially in large-scale DDoS attacks, where anything reachable may be swept up. If you're wondering, "Why would a hacker attack my website?" it's important to remember that regardless of the reason, knowing how to mitigate ICMP attacks is essential for maintaining the security of your online presence.

ICMP attack mitigation, especially in the case of a ping flood, does not differ from the mitigation of other denial-of-service attacks. The key is identifying malicious traffic and blocking the source of it, effectively denying the attackers access to the server.

However, you would rarely need to observe and analyze network traffic manually. Stateless and stateful packet filters alike can rate limit ICMP with a single rule, and intrusion detection systems (IDS) ship with signatures that alert on ping floods and other ICMP anomalies. Thanks to these defenses, ping floods and other types of ICMP attacks no longer pose a major threat to servers and websites.

How to Defend Against ICMP Attacks?

An effective defense strategy against ICMP attacks starts with packet filtering rules that rate limit incoming ICMP echo requests and drop the message types the server does not need. Dropping echo requests entirely makes the server invisible to ping and traceroute but has little to no effect on server and website operations. Blocking all ICMP in both directions, however, is not recommended: the fragmentation-needed message (type 3, code 4) must be allowed in for Path MTU Discovery to work, Time Exceeded messages (type 11) are what let traceroute run from the server outward, and on IPv6 Neighbor Discovery is itself ICMPv6, so blocking it breaks connectivity outright.

More often than not, host firewalls restrict inbound ICMP traffic by default, so there is a good chance that your hosting provider has already done it for you. All fully managed hosting solutions offered by LiquidWeb and Nexcess come with powerful firewall rules requiring few or no adjustments to defend against ICMP attacks.

Generally, if you would like to leave your server discoverable on the global network by the Ping and Traceroute utilities, you can rate limit incoming echo requests instead of dropping them. A common rule in host firewall configurations accepts on the order of one echo request per second per source address, with a small burst allowance, which is a good starting point.
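The decision logic behind such a rule, written out as an added example (not code from the original article) so the effect on a flood versus a legitimate monitor can be seen, together with the allow-list of ICMP types from the previous section that a server must keep accepting. It mirrors what a firewall rule such as nftables' "icmp type echo-request limit rate 1/second burst 5 packets accept" or iptables' "-m limit --limit 1/s --limit-burst 5" does (per-source variants use iptables hashlimit or an nftables dynamic set); the rate, burst and traffic are constructed assumptions.

```python
"""Per-source token-bucket rate limiting for ICMP echo requests, with the message
types that must always pass (added example, not from the article)."""


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpPolicy:
    # Never rate limit these: type 3 code 4 (fragmentation needed) drives Path MTU
    # Discovery, type 11 makes traceroute from this host work, type 0 is the reply to
    # this host's own pings.  Dropping them breaks things unrelated to any attack.
    ALWAYS_ACCEPT = {0, 3, 11}
    RATE_LIMITED = {8}          # echo requests: one token bucket per source address

    def __init__(self, rate: float = 1.0, burst: int = 5):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def decide(self, now: float, src: str, icmp_type: int, code: int = 0) -> str:
        if icmp_type in self.ALWAYS_ACCEPT:
            return "accept"
        if icmp_type in self.RATE_LIMITED:
            bucket = self.buckets.setdefault(src, TokenBucket(self.rate, self.burst))
            return "accept" if bucket.allow(now) else "drop"
        # Redirects (5), router advertisements (9/10), timestamp requests (13) and the
        # like: a web server has no use for them inbound, so drop by default.
        return "drop"


def simulate() -> dict:
    """Constructed traffic: 50 echo requests within one second from a flooding
    source, a monitor pinging once a second for ten seconds, and two non-echo
    messages.  Returns accepted counts and verdicts."""
    policy = IcmpPolicy(rate=1.0, burst=5)
    flood = sum(policy.decide(i / 50, "198.51.100.66", 8) == "accept" for i in range(50))
    monitor = sum(policy.decide(float(t), "203.0.113.5", 8) == "accept" for t in range(10))
    return {
        "flood_accepted": flood,          # burst of 5, then the bucket never refills to 1 in time
        "monitor_accepted": monitor,      # 1/s matches the refill rate, so every ping passes
        "frag_needed": policy.decide(0.0, "192.0.2.1", 3, 4),
        "redirect": policy.decide(0.0, "192.0.2.1", 5, 1),
    }


if __name__ == "__main__":
    print(simulate())
```

Per-source buckets are what keep a flood from one address from starving a legitimate monitor at another; a single global limit would drop both alike once the flood began.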

A great way to defend your server against ping floods and other ICMP attacks is to put a Content Delivery Network (CDN) or DDoS scrubbing service in front of it. Because the public address that clients (and attackers) see belongs to the CDN, volumetric attacks aimed at it are absorbed at the CDN's edge and never reach your server at all, and even the CDN's default rule sets discard ICMP floods. The one caveat is that the origin server's real address must not be exposed, for instance through DNS records or outbound mail headers, or attackers can simply bypass the CDN.

Protect Your WordPress Website With Solid Security Pro

Exploiting the design and implementation of Internet Control Message Protocol in the protocol stack, cybercriminals can transform a fundamental Internet component into a dangerous weapon used to wreak havoc on businesses and individuals alike. ICMP attacks, such as ping flood or smurf attacks, aim at causing a denial of service by overwhelming the target host or network device with a deluge of malicious ICMP messages. Leveraging botnets and spoofing the source address helps hackers make ICMP attacks even more effective and significantly increase their potential for destruction.

Fortunately, ICMP attacks are no longer a major threat to websites and servers as modern security solutions provide great defensive mechanisms that help successfully prevent and mitigate ping floods. ICMP attacks can be considered less dangerous than other denial of service (DoS) attacks targeting the protocol stack’s application layer.

Solid Security Pro and Solid Backups ensure you stay one step ahead of cybersecurity threats by protecting your WordPress site. With flexible backup schedules and one-click restores, you can rest assured that a clean working copy of your WordPress website is safely stored at a remote location, somewhere hackers can’t reach. Advanced brute force protection, multi-factor authentication, file integrity monitoring, and vulnerability scanning will significantly reduce the attack surface and help you easily mitigate any threats.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!