It is no surprise that hackers strive to find a weakness in everything, from simple software to the most fundamental protocols that underpin the structure of the Internet as we know it. As one of the essential components of the Internet protocol stack, Internet Control Message Protocol acts as a global message carrier, conveying vital information about the state of the network devices and whole networks that form the worldwide web.
Although an invaluable communication tool, ICMP becomes a potential avenue for attackers to harness the weaknesses inherent in its design. Exploiting the trust network devices place in ICMP messages, malicious actors attempt to circumvent security systems deployed by the victim’s host, causing disruptions to network operations, which can ultimately result in denial of service.
As a distinct group of denial of service attacks, ICMP attacks are no longer a primary tool in the attacker’s toolbox. However, they continue wreaking havoc on online businesses. Ping flood attacks, smurf attacks, and the so-called ping of death – all of those are different variations of ICMP attacks that can still pose a threat to network operations worldwide.
In this guide to ICMP attacks, you will learn what ICMP is and how hackers use it to cause denial of service to servers and whole networks. We will delve into the mechanisms underlying ICMP attacks to equip you with the necessary knowledge and tools to protect your business from the harm they pose.
What is ICMP?
Internet Control Message Protocol, or ICMP, is a network protocol used by network devices to communicate operational information to one another. While ICMP is often considered part of the IP protocol as its messages are carried as IP payload, Internet Control Message Protocol lies just above and is specified as an upper-layer protocol in IP datagrams. However, its activity is still confined to the third layer of the Internet protocol suite, known as Network Layer.
Each ICMP message has a type and a code field that specify the type of information it conveys and its purpose, as well as a part of the original request that caused the message to be generated. For example, if the destination host ended up being unreachable, the router that failed to pass the original request to it will generate an ICMP type three code one message letting you know that it could not find a path to the server you specified.
What is ICMP Used For?
Most of the time, ICMP is used to handle error reporting in situations where the destination network or end system failed to be reached. Error messages such as “Destination network unreachable” both have their origins in ICMP and will be shown to you if your request never completed its intended journey. As the ICMP message includes a portion of the original request, the system will easily map it to the right destination.
Although error reporting is one of the primary applications of Internet Control Message Protocol, ICMP underpins the functionality of two fundamental network diagnostic tools – ping and traceroute. Both utilities are widely used for testing network connectivity and tracing the pathway to remove networks and end systems. And while ping and traceroute are often used interchangeably, their operational methods differ significantly.
Ping and Traceroute
Ping sends a series of ICMP messages of the echo request type, expecting echo replies from the destination host. If each request receives a response, Ping will report no packet loss between the source and destination systems. Similarly, if some of the messages never reach their destination due to network congestion, the utility will report those packets as lost.
Traceroute has a more complex mechanism and was created for a different purpose. Instead of sending echo requests to the intended host, it sends out a burst of IP packets that should expire once they reach the intended destination. This way, the receiving router or host will be forced to generate the Time to Live (TTL) expired ICMP message that will be sent back to the source. Having received ICMP response messages for each original packet, Traceroute will have the names of the packet switches that form the route to the destination host, along with the time it took the original packets to reach each of them.
What Makes ICMP Easy to Exploit?
As ICMP is limited to the network layer of the Open Systems Interconnection (OSI) model, its requests do not require a connection to be established before being transmitted, which is the case with the three-way handshake introduced by TCP and amplified by TLS with the use of SSL/TLS certificates. This makes it possible to send ping requests to any system, which in turn makes it easy to exploit.
As you can see, although ICMP has proven itself as an invaluable component of the global network, it has also attracted the attention of cybercriminals who wanted to use it for malicious purposes. Malicious actors exploit weaknesses present in the implementation of ICMP to cause disruption to networks and individual hosts. Performing ICMP attacks, hackers transform ICMP from a vital network diagnostic tool to a root cause of network outages.
ICMP Attacks as a Less Dangerous Type of Denial of Service (DoS)
ICMP attacks exploit the capabilities of Internet Control Message Protocol to overwhelm targeted networks and devices with requests, causing the so-called bandwidth flooding, a form of denial of service (DoS) that aims to exhaust the victim’s ability to handle incoming traffic. An ICMP attack can be defined as a denial of service attack that uses ICMP messages as its primary tool to disrupt network operations.
ICMP attacks are often considered less dangerous and easier to defend from than most other types of denial of service attacks. And while ICMP attacks can still cause significant damage, they are typically simpler to detect and mitigate for a few reasons:
- ICMP attacks focus on Network Layer. ICMP operates at a lower level of the Internet protocol stack, and ICMP messages carry a smaller payload compared to data-heavy payloads used in other denial of service attacks. This makes it easier to identify malicious ICMP traffic.
- ICMP attacks display distinctive patterns. Malicious ICMP messages often exhibit distinctive patterns, such as a deluge of echo requests from the same sender or specific error messages.
- ICMP traffic is easier to limit. Network administrators can limit or even fully disable incoming and outgoing ICMP traffic, which will not cause any noticeable disruption to normal operations.
3 Main Types Of ICMP Attacks
The three main types of ICMP attacks include ping flood, Smurf attacks, and ping of death attacks. Each of them uses distinct mechanisms, but the main difference is the types of ICMP messages cybercriminals use.
As we discussed, with the exception of the Ping utility that generates echo requests and directs them toward the destination, ICMP messages are usually generated by the destination system to alert the source of a certain issue. This way, instead of directing an outburst of ICMP packets toward a victim’s system, attackers can utilize more sophisticated techniques, such as making the victim of the attack the attacker in another victim’s eyes.
Let’s take a closer look at each of the three most prevalent types of ICMP attacks and see how they caused massive disruption to the Internet before prominent defensive mechanisms were widely introduced.
Ping flood is the simplest and most prevalent variation of an ICMP attack, in which malicious actors direct an excessive amount of echo requests to the victim system or network. Simulating normal activity of the Ping utility, cybercriminals target the bandwidth of the destination host.
With a deluge of ICMP requests sent in the same direction, the target’s access link becomes clogged, successfully preventing legitimate traffic from getting through to the destination. And as an ICMP echo reply message is expected per each echo request, a ping flood attack can lead to a significant increase in CPU usage, which can slow down the end system, causing full denial of service.
Just as with any other type of DoS, malicious actors can employ multiple hosts to carry out a ping flood attack, turning it into a distributed denial of service (DDoS) attack. Not only does using multiple attack sources amplify the effects of the attack, but it also helps the attacker avoid discovery and hide its identity.
Distributed denial of service attacks typically harness botnets – networks of compromised endpoints and network devices controlled by the attacker. Botnets are created and expanded by infecting the victim’s device with a special type of malware that will enable the owner of the botnet to control the compromised system remotely. Once instructed, the infected device will start overwhelming the target of the ping flood attack with ICMP echo request messages without the knowledge or consent of the rightful owner.
One of the most famous large-scale ping flood attacks took place back in 2002. Cybercriminals leveraged a botnet to direct truckloads of ICMP echo request messages to each of the thirteen DNS root name servers. Fortunately, as the packet switches behind the name servers were already configured to discard all incoming ping messages, the attack had little to no impact on the global internet experience.
Smurf attacks turn the victim into the perceived attacker by making it look like ICMP echo requests came from a different source. Spoofing the sender address, attackers direct a large number of ICMP messages to a network or networks of devices in hopes of having the echo responses overwhelm the real victim’s host – the system specified as the source in the original ping requests.
Smurf attacks were once considered a major threat to computer networks due to their immense potential for destruction. However, as of now, this attack vector is rarely used and is generally considered an addressed vulnerability. This is due to the fact that the absolute majority of packet filters will automatically drop ICMP messages going to a broadcast address, which means they are directed to all devices on the destination network. Having such a rule specified will prevent the network from being used in a Smurf denial of service attack, which will effectively end it.
Ping of Death
While ping flood and smurf attacks are considered a volume-based denial of service attacks, ping of death is a vulnerability attack aimed at rendering the victim system inoperable by sending well-crafted ICMP messages to the destination. This ICMP attack is considered less prevalent than the other two DoS attacks we previously discussed. Nevertheless, it has the most potential for destruction.
ICMP messages are carried in IP datagrams, which can have a limited size. Sending a malformed or oversized message to a host can result in a memory overflow and, potentially, a full system crash. As dangerous as it sounds, most modern systems are equipped with sufficient means to detect such anomalies, preventing malformed ICMP messages from reaching their destination.
How to Detect and Mitigate an ICMP Attack?
Hackers do not choose what websites and servers to target, especially in large-scale DDoS attacks. If you’re wondering, “Why would a hacker attack my website?“, it’s important to remember that regardless of the reason, having the knowledge to mitigate ICMP attacks is essential for maintaining the security of your online presence.
ICMP attack mitigation, especially in the case of a ping flood, does not differ from the mitigation of other types of denial of service attacks. The key is identifying malicious traffic and blocking the source of it, effectively denying the attackers access to the server.
However, you would rarely need to observe and analyze network traffic manually as most security solutions, from traditional stateless packet filters to advanced intrusion detection systems (IDS) are configured out of the box to rate limit ICMP traffic and effectively mitigate ICMP attacks. Due to the advancement of modern security solutions, ping floods and other types of ICMP attacks no longer pose a major threat to servers and websites.
How to Defend Against ICMP Attacks?
An effective defense strategy against ICMP attacks starts with implementing strong packet filtering rules, which includes rate limiting or even fully disabling incoming and outgoing ICMP traffic. While blocking all ICMP messages from entering and leaving the server will make it impossible to trace the route to the server and for ping requests to ever reach it, it will have little to no effect on server and website operations.
More often than not, outbound ICMP traffic is restricted by software firewalls by default, so there is a good chance that your hosting provider has already done it for you. All fully-managed hosting solutions offered by LiquidWeb and Nexcess come with powerful firewall rules that will require little to no adjustments to defend against ICMP attacks.
Generally, if you would like to leave your server discoverable on the global network by the Ping and Traceroute utilities, you can choose to rate limit incoming and outgoing ping requests. The default configuration most software firewalls have is limiting the number of incoming ICMP echo requests to one per second for each IP address, which is a good starting point.
A great way to defend your server against ping flood and other ICMP attacks is by using a Content Delivery Network (CDN). Modern CNDs implement strong firewall rules and perform deep packet inspection, significantly reducing the number of malicious requests reaching your server. In the case of ICMP attacks, even the default firewall rule sets deployed by the CDN will help effectively defend against ICMP attacks.
Protect Your WordPress Website With iThemes Security Pro
Exploiting the implementation of Internet Control Message in the protocol stack, cybercriminals can transform a fundamental component of the Internet into a dangerous weapon used to wreak havoc on businesses and individuals alike. ICMP attacks such as ping flood or smurf attacks aim at causing a denial of service by overwhelming the target host or network device with a deluge or malicious ICMP messages. Leveraging botnets and spoofing the source address help hackers make ICMP attacks even more effective and significantly increase their potential for destruction.
Fortunately, ICMP attacks are no longer a major threat to websites and servers as modern security solutions provide great defensive mechanisms that help successfully prevent and mitigate ping floods. ICMP attacks can be considered less dangerous than other denial of service (DoS) attacks that target the application layer of the protocol stack.
iThemes Security Pro and BackupBuddy ensure you stay one step ahead of cybersecurity threats by keeping your WordPress protected at all times. With flexible backup schedules and one-click restores, you can rest assured that a clean working copy of your WordPress website is safely stored at a remote location, somewhere hackers can’t reach. Advanced brute force protection, multi-factor authentication, file integrity monitoring, and vulnerability scanning will significantly reduce the attack surface and help you mitigate any threats with ease.
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.