An ICMP (Internet Control Message Protocol) flood (or ping flood) is a type of Distributed Denial of Service (DDoS) attack where an attacker overwhelms a target with a massive number of ICMP echo requests (“pings”), consuming the target’s bandwidth and resources.
What is an ICMP flood attack?
An ICMP flooding attack, also known as a ping flood or ping ICMP flood attack, is a type of Denial of Service (DDoS) attack where the attacker overwhelms a target system with many ICMP echo request (ping) packets. The target is forced to respond to each request, consuming bandwidth, CPU, and memory resources, which can lead to performance degradation or a complete service disruption. The attacker’s goal is to exhaust the target’s resources, making legitimate traffic unable to reach the target.
How does an ICMP (ping flood) attack work?
ICMP is a category of network packets used for network diagnostics such as liveness tests, testing connectivity, or tracing the route packets take across networks. The ICMP “echo request” packet, known as a “ping” after the sound that a sonar makes, is a way for a computer on a network to request an ICMP “echo reply” packet as a response. It functions as a very simple, easy-to-use liveness test for both humans and other applications. Because it is used extensively, most networks allow ICMP ping through their firewalls or access control lists (ACLs).
Most implementations of the command-line utility “ping” send one ICMP “echo request” per second. Some versions, such as Microsoft Windows, also limit the total number of “echo request” packets to 3 by default.
However, some variants of ping have a “flood” command-line flag that sends an ICMP flood. During an ICMP flooding attack, the attacker sends a continuous stream of ICMP echo requests without waiting for replies. The target system becomes overloaded as it tries to handle the flood of requests, consuming resources and causing a denial of service.
In a Distributed Denial of Service (DDoS) attack, multiple devices connected as a botnet can send more ping packets to the target and overwhelm its network circuits.
The size of an ICMP flood packet can vary depending on the attack, but it is usually small – around 64 bytes. However, some attacks use crafted packets up to 65,535 bytes in size, the maximum allowed inside IPV4 packets. These large ICMP packets consume more bandwidth to make an ICMP flood DDoS attack more effective.
The ICMP threat: The impact of ICMP flooding.
ICMP flood DDoS attacks cause a large variety of impacts on their targets, including the following:
- Network outages: Because the circuits to the targeted network become oversaturated with traffic, the network incurs an outage.
- Router failures: ICMP floods exceed the capabilities of routers, and they stop routing packets.
- Service disruption: The target system becomes unavailable or unresponsive to legitimate users due to the flood of ICMP traffic.
- Reduced performance: Even if the target is still online, the system may experience significant slowdowns and performance degradation.
- Financial losses: Businesses can face downtime, reputational damage, and lost productivity during an ICMP attack.
How to mitigate an ICMP flood attack.
Like many DDoS attacks, there are some resilience steps that can be taken to reduce the impact of an ICMP flood attack. However, this doesn’t prevent the attack and only mitigates its effectiveness.
Firewalls and routers.
You can configure firewalls and routers to limit or block ICMP traffic to reduce vulnerability to an ICMP flooding attack. This method can also help manage the ICMP flood threshold by controlling the number of ICMP requests. However, routers and firewalls are still behind network circuits, which can become saturated and fail.
DDoS mitigation services.
Network scrubber and DDoS mitigation solutions like Vercara UltraDDoS Protect filter and block a wide variety of malicious DDoS traffic, including ICMP ping floods, before it reaches the target network and services. These services have more bandwidth available to mitigate the largest attacks.
Intrusion detection and prevention systems (IDPS).
These systems detect unusual patterns and attacks in network traffic, including ICMP packets and other non-DDoS attacks, and block the ping flood attack before it causes significant damage.
DNS defense and hardening.
Protective DNS services, such as UltraDDR, offer an additional layer of defense by monitoring DNS queries and blocking potentially harmful traffic. Implementing DNSSEC can also prevent attackers from exploiting DNS vulnerabilities.
Rate limiting.
This limits the number of ICMP requests the system will process, preventing it from being overwhelmed by an ICMP flood.
Bandwidth over-provisioning.
Over-provisioning network bandwidth can help absorb the traffic spike caused by a ping flood attack, ensuring legitimate traffic can still pass through.
How Vercara can help.
Vercara’s UltraDDoS Protect is a purpose-built dedicated network scrubbing infrastructure designed and built to block ICMP ping floods and other types of DDoS attacks, such as DNS amplification, HTTP GET application-layer attacks, and TCP SYN floods. Traffic is diverted to UltraDDoS Protect via BGP announcement or DNS resource record. UltraDDoS Protect is operated by the Vercara Security Operations Center (SOC) who perform network onboarding, network adjustments during attacks, and assessment of filter effectiveness to block DDoS attacks.
Vercara services such as our authoritative DNS platform, UltraDNS, and our Web Application Firewall, UltraWAF, are built to be resistant to DDoS attacks through overprovisioning, anycast routing, and multiple distributed points of presence. They also use UltraDDoS Protect to filter large attacks directed at them.
While ICMP is a standard protocol for network diagnostics, it is vulnerable to being exploited through ICMP ping flood attacks. By implementing firewalls, DDoS mitigation solutions, and rate limiting, you can prevent and mitigate the impact of these attacks, ensuring your systems remain secure and operational.
