Internet Control Message Protocol (ICMP)
The Internet Control Message Protocol (ICMP), often perceived as a simple network utility for diagnostics and error reporting, presents a surprisingly vast and complex attack surface. Its ubiquitous presence, and the fact that it is generally permitted through network defences, make it an ideal vehicle for a spectrum of offensive operations.
This page is a hierarchical blueprint of how the ICMP protocol can be weaponised to conduct stealthy reconnaissance, establish covert channels, execute disruptive attacks, and evade security controls across modern networks.
- Overview of attacks on ICMP
- ICMP Echo sweeping (Ping sweep)
- TTL manipulation for OS fingerprinting
- ICMP-based service discovery
- ICMP tunnelling for data exfiltration & covert channels
- Fragmented ICMP exfiltration techniques
- DNS-over-ICMP (C2) covert channels
- ICMP flood attacks
- ICMP amplification attacks
- Ping of Death (Modern variants)
- NAT/Firewall bypass techniques
- Lateral movement via ICMP
- ICMPv6 router advertisement spoofing
- ICMP side-channel attacks
- IoT/OT device crashes via ICMP
- Cloud metadata service abuse via ICMP
- Adaptive evasion techniques
- Autonomous attack systems
- Forensic evasion techniques
- Security control bypass techniques
Disclaimer
An attack tree is structural, not operational. It exists in the comfortable world of pure logic, where things either work or they don't, gates either open or stay closed, and time is merely a dimension along which we draw an arrow.
It’s comprehensive. It has branches for sub-prefix hijacking, exact-prefix hijacking, squatting attacks, path manipulation, and several dozen other variations. Each node connects logically to its children. The structure is clean.
Until someone takes a tree seriously enough to ask, "But what would this actually *look* like?"