An ICMP Flood involves an attacker sending fraudulent ICMP packets at volumes large enough to flood a network. The unexpected volume of incoming spoofed ICMP packets from a large set of source IP addresses overwhelms the victim's network, consuming resources and saturating the available bandwidth until the network is forced offline. ICMP floods can employ packets with random or fixed source IP addresses.
Internet Control Message Protocol (ICMP) is one of the primary protocols of the Internet protocol suite, used for IP operations, diagnostics and error reporting. ICMP is used by network devices, such as routers, to send error messages stating, for example, that a host cannot be reached or that a requested service is unavailable.
ICMP is similar to UDP in that it is also connectionless: there is no end-to-end session or handshake around the data exchange. This makes floods of such traffic more difficult to detect.
This kind of attack is viewed as a network-level volumetric attack. There are various kinds of ICMP Floods, including PING floods and those which make use of custom tools or code, such as HPING and SCAPY. ICMP Floods strain both the network's incoming and outgoing channels (as the attacker intends the victim to respond with ICMP "echo reply" packets), consuming significant bandwidth and either slowing down or taking down a victim's computer.
The most effective kinds of ICMP Floods are PING floods, which send ICMP packets as fast as possible without waiting for replies. The user usually needs to be privileged in order to specify the flood option, and such floods are most successful when the attacker has significantly greater capacity than the target.
ICMP Floods can be prevented by L3/L4 packet filtering. A router firewall rule can be created, for example, to block all inbound traffic from the IP addresses that are the source of the DDoS attack.
ICMP Floods can also be prevented by limiting the size of ICMP requests, particularly PINGs, as well as the rate at which they are accepted. Most DDoS protection products that guard against ICMP Floods let the operator set a threshold that, once exceeded, invokes an ICMP flood protection measure. The default threshold is frequently 1000 packets per second. Once the threshold is reached, the router rejects further ICMP echo requests (and ICMP packets of any other type) from all addresses in the same security zone for the rest of the current second.
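The size limit and per-second threshold described above, as an added example (not code from the original page or from any vendor's product): echo requests over a size limit are dropped, the first 1000 echo requests in each wall-clock second are accepted, and everything after that within the same second is rejected regardless of source. The `Packet` records and the sample burst are constructed for the example.

```python
"""Per-second ICMP echo-request threshold, modelled on the mitigation described
above. All packet records are constructed for the example; no live traffic is read."""
from collections import Counter
from dataclasses import dataclass

ECHO_REQUEST = 8  # ICMP type 8 (echo request, i.e. a ping)

@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds
    src: str        # source IP as seen on the wire (may be spoofed; never trusted)
    icmp_type: int
    size: int       # total packet length in bytes

def filter_icmp(packets, threshold=1000, max_size=1500):
    """Apply a size limit, then a per-second threshold, to echo requests.
    Returns (accepted, dropped, per_second_counts); other ICMP types pass through."""
    per_second = Counter()
    accepted, dropped = [], []
    for p in packets:
        if p.icmp_type != ECHO_REQUEST:
            accepted.append(p)
            continue
        if p.size > max_size:          # oversized ping: drop outright
            dropped.append(p)
            continue
        second = int(p.ts)
        if per_second[second] >= threshold:  # threshold already hit this second
            dropped.append(p)
            continue
        per_second[second] += 1
        accepted.append(p)
    return accepted, dropped, per_second

def flood_seconds(per_second, threshold=1000):
    """Seconds in which the threshold was hit: what a monitor would alert on."""
    return sorted(s for s, n in per_second.items() if n >= threshold)

def make_sample():
    """Constructed traffic: 1,500 echo requests from many (fake) sources within
    second 0, then 50 normal pings in second 1 and one oversized ping."""
    burst = [Packet(i / 1500, f"198.51.100.{i % 256}", ECHO_REQUEST, 64) for i in range(1500)]
    normal = [Packet(1.0 + i / 50, "192.0.2.10", ECHO_REQUEST, 64) for i in range(50)]
    oversized = [Packet(1.5, "192.0.2.11", ECHO_REQUEST, 65000)]
    return burst + normal + oversized

if __name__ == "__main__":
    acc, drop, counts = filter_icmp(make_sample())
    print(f"accepted={len(acc)} dropped={len(drop)} flood_seconds={flood_seconds(counts)}")
```

On the constructed sample, 1,000 of the 1,500 burst packets are accepted and the remaining 500 are rejected for the rest of second 0, while the 50 normal pings in second 1 pass and only the oversized ping is dropped there.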
Most routers are configured to block external ICMP echo requests to prevent ICMP floods from taking place.