
Introduction
In a previous blog, we talked about Ping of Death (PoD) DDoS attacks. This type of attack floods a target system with malformed or oversized ping packets, also referred to as ICMP data packets. The target system becomes sluggish and typically crashes or freezes as it struggles to process the oversized packets.
PoD is an older DDoS attack. Since then, many systems have been updated and patched to prevent these types of attacks. However, Ping (ICMP) flood DDoS attacks that use normal-sized packets can still be used effectively and are often used in combination with other methods to create highly complex attacks.
In this blog, we’ll shed light on the potential risks and disruption Ping (ICMP) Flood DDoS attacks can cause to networks. We’ll explore how Ping Flood DDoS attacks work, while also offering guidance on how to protect against this common cyber threat.
How Ping (ICMP) Flood DDoS Attacks Work
Before we get into the mechanics of a Ping (ICMP) Flood DDoS attack, it’s important to understand what ICMP (Internet Control Message Protocol) is. ICMP operates at the network layer (Layer 3) of the OSI Model and serves as an error-reporting protocol. Network devices, such as routers, use ICMP to communicate error information or updates to other network devices. Network diagnostic tools like traceroute and ping both operate using ICMP, sending echo-request and echo-reply messages to communicate information about the status of the device and the connection between the sender and recipient. For example, when a message is too large for the recipient to process, the recipient drops the message and sends an ICMP message back to the source. Or when the network gateway finds a shorter path for the message, it sends an ICMP message to the source and the packet is redirected to the shorter path.
However, ICMP can also be used for nefarious purposes, including Ping Flood DDoS attacks. In this type of DDoS attack a threat actor targets a server by overwhelming it with a flood of ICMP packets (echo-requests). Each echo-request consumes server resources to process as well as bandwidth on both the incoming and outgoing side of the transmission. An excessive number of requests saturates the device’s capacity to reply and slows down network performance. Ultimately, devices crash and operations are completely disrupted so that legitimate users can’t use the service.
To achieve the massive volume of traffic required to bring a service down, attackers use bots, Internet-connected devices that they have hijacked and infected with malware that allows them to control the devices remotely. They group these bots into DDoS botnets to achieve the scale and impact required to bring down even the largest organizations.
Technical Example of a Ping Flood
Ping Flood attacks are as simple to execute as the name suggests. All it takes is a short ping command from the command line:
ping -t <target IP> -1 65500
This sends a continuous stream of ping packets with the maximum allowable packet size of 65,500 bytes (per IPv4) to the target IP address. The impact of the attack is directly proportional to the number of devices in the botnet executing the command: 10 devices have a 10x impact, 100 devices have a 100x impact, etc.
Ping Flood vs Smurf Attack
A smurf attack is a type of DDoS that is related to Ping Flood, but there are differences. In a smurf attack:
- The attacker fakes, or spoofs, the victim’s IP address. This hides the origin of the attack.
- The attacker sends a large number of ICMP echo requests from that spoofed address to a broadcast address that relays the message to every device on the network. This has the effect of amplifying the attack dramatically.
- Very little bandwidth is consumed, but the impact is significant.
Ping Flood vs SYN Flood
Ping flood and SYN flood attacks both overwhelm the target with traffic, but there are a few differences. In a SYN flood:
- TCP SYN packets are used, not ICMP echo requests.
- SYN floods come under the category of TCP state-exhaustion attacks because they strike by opening TCP connections that are never used.
- SYN floods consume more server processing resources due to the need to deal with half-open connections.
- SYN floods can be harder to detect because connection requests often appear to be legitimate.
Effects of a Ping Flood
While emanating from a seemingly harmless request, Ping (ICMP) flood DDoS attacks can have severe technical and business consequences for organizations.
Technical Impact
Network saturation: Excessive ICMP traffic consumes network bandwidth and can create network congestion, which makes it impossible for legitimate users to access public-facing systems.
System resource exhaustion: As servers attempt to respond to bogus requests, router, firewall, and server CPU cycles become drained. CPU overload and consumption of available memory cause widespread performance issues and, eventually, system crashes.
Business Impact
Service Disruption: Network saturation impacts the availability of devices and network segments. Websites time out, cloud-based services are blocked, and applications that rely on the network stop working.
Email Disruption: An ICMP flood can cause inbound emails to bounce and be returned as undeliverable. The server’s IP address could be added to blackhole lists, which results in other email servers rejecting messages from that IP address, causing further disruption and additional recovery efforts after the attack.
Financial Loss: Any compromise to business operations can have financial implications including costs of mitigation and recovery efforts as well as losses in revenue, brand reputation, and customer trust.
Mitigating and Preventing Ping (ICMP) Flood DDoS Attacks
To defend against ping (ICMP) flood DDoS attacks, organizations should use a layered approach:
- Traffic rate limiting. Set a maximum threshold on the number of ICMP echo requests that can be processed per second. Requests exceeding the threshold are dropped or deprioritized. This prevents any single source from overwhelming the target device.
- Infrastructure capacity planning. Proactively increase bandwidth, server resources, and network capabilities to help absorb a higher volume of ICMP traffic. However, for very high-volume attacks this may still not be enough to absorb the impact.
- Blackhole filtering. Routers and firewalls can identify known DDoS botnets through IP blackhole lists and immediately block traffic originating from known malicious IP addresses. However, this is not effective against changing botnet IP addresses.
- Proactive traffic monitoring. Know your baseline traffic patterns and continuously monitor for anomalous behavior like sudden spikes in ICMP traffic, which may indicate an ICMP flood attack.
- Firewall rules. Set your firewall to detect and block incoming ICMP packets to prevent pings from reaching vulnerable systems. However, this approach will not prevent internal attacks and will limit legitimate diagnostic uses of ICMP messages. ICMP blocking should be applied selectively rather than network-wide.
- DDoS protection. The most comprehensive way to mitigate DDoS attacks, including Ping (ICMP) Flood DDoS attacks, is with a DDoS protection platform. The most advanced solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on threats including data leakage, ransom attacks, and other threats to your operations.
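As an added example (not code from the original post), the rate-limiting and baseline-monitoring logic described above, run over constructed packet records: it counts ICMP echo-requests per second, flags any second whose aggregate rate spikes relative to a configured baseline, and identifies individual sources that exceed a per-source threshold. The record format (timestamp, source IP, ICMP type), the thresholds and the addresses are assumptions.

```python
"""Added example: per-second ICMP echo-request rate monitoring over
constructed packet records (not the original post's code)."""
from collections import Counter, defaultdict

ECHO_REQUEST = 8  # ICMP type 8 = echo-request (ping); type 0 = echo-reply


def echo_rates_per_second(records):
    """Return {second: Counter(src_ip -> count)} for echo-requests only.
    Each record is assumed to be (unix_time, src_ip, icmp_type)."""
    buckets = defaultdict(Counter)
    for ts, src, icmp_type in records:
        if icmp_type == ECHO_REQUEST:
            buckets[int(ts)][src] += 1
    return buckets


def detect_icmp_flood(records, baseline_pps, spike_factor=10, per_source_limit=100):
    """Flag seconds where aggregate echo-requests exceed spike_factor x the known
    baseline, and sources exceeding per_source_limit (the rate-limit threshold)."""
    alerts = []
    for second, counts in sorted(echo_rates_per_second(records).items()):
        total = sum(counts.values())
        if total > baseline_pps * spike_factor:
            alerts.append(("aggregate_spike", second, total))
        for src, n in sorted(counts.items()):
            if n > per_source_limit:
                alerts.append(("source_over_limit", second, src, n))
    return alerts


def constructed_records():
    """Constructed sample: one second of normal diagnostic pings, then one
    second of flood traffic from three made-up (documentation-range) sources."""
    recs = []
    for i in range(5):  # normal: 5 echo-requests from an admin host
        recs.append((1000.0 + i * 0.1, "10.0.0.5", ECHO_REQUEST))
    recs.append((1000.5, "10.0.0.9", 0))  # an echo-reply; ignored by the detector
    for src in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        for i in range(300):  # 300 requests per source within the same second
            recs.append((1001.0 + i / 300, src, ECHO_REQUEST))
    return recs


if __name__ == "__main__":
    for alert in detect_icmp_flood(constructed_records(), baseline_pps=20):
        print(alert)
```

With a baseline of 20 echo-requests per second, the quiet second produces no alerts while the flood second raises one aggregate spike and three per-source alerts.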
Best Practices to Reinforce Protection Against Ping Floods
To further strengthen protection against ping (ICMP) floods, add the following best practices:
- Maintain patching. Make sure operating systems and network devices are up to date with patches that protect against high volumes of ICMP requests.
- Implement infrastructure failsafe measures. Gear redundancy and extra capacity headroom will strengthen the ability to tolerate moderate flood volumes.
- Fine-tune traffic handling. Implement intelligent rate limiting, protocol blocking, and filtering to minimize attack impact.
- Test defenses. Validate DDoS defense readiness through annual stress testing.
- Update gear. Maintain a schedule of targeted infrastructure upgrades to handle projected traffic growth.
- Train IT teams. Ensure IT teams are up to speed on DDoS monitoring, mitigation techniques, and emergency procedures with regular training and refresher sessions.
Conclusion
ICMP is a valuable tool to diagnose and communicate error information or updates to other network devices. However, when it is used for nefarious purposes as part of a Ping (ICMP) flood DDoS attack, it can create havoc for organizations.
Organizations that are victims of a Ping (ICMP) flood DDoS attack can suffer serious technical and business consequences including network saturation, system resource exhaustion, service and email disruption, and financial loss.
Fortunately, there are multiple best practices and technologies you can use to defend against Ping (ICMP) flood DDoS attacks, including patching, implementing gear redundancy, IT team training, traffic rate limiting, infrastructure capacity planning, blackhole filtering, proactive traffic monitoring, firewall rules, and using an advanced DDoS protection solution.
DDoS protection coupled with intelligence to stay ahead of emerging threats provides uninterrupted service availability even in the midst of a Ping (ICMP) Flood DDoS attack and can also protect you from other types of DDoS attacks and the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on DDoS defense in depth.