ICMP amplification attacks

Attack pattern

ICMP amplification attacks represent a sophisticated form of denial-of-service that exploits the inherent properties of the Internet Control Message Protocol to generate massive traffic volumes from relatively small requests. These attacks leverage protocol features, cloud infrastructure misconfigurations, and protocol interactions to create devastating amplification effects that can overwhelm target networks and systems.

1. ICMP amplification [AND]

    1.1 Amplification vector exploitation [OR]
    
        1.1.1 "Packet too big" message amplification
            1.1.1.1 Oversized packet triggering for error generation
            1.1.1.2 Path MTU discovery exploitation for amplification
            1.1.1.3 IPv6 fragmentation requirement exploitation
            1.1.1.4 Router response amplification through MTU mismatch
            
        1.1.2 ICMPv6 error message reflection
            1.1.2.1 Parameter problem message amplification
            1.1.2.2 Destination unreachable message exploitation
            1.1.2.3 Time exceeded message reflection attacks
            1.1.2.4 Checksum error amplification techniques
            
        1.1.3 MTU discovery amplification
            1.1.3.1 Path MTU discovery process exploitation
            1.1.3.2 Black hole router amplification attacks
            1.1.3.3 MTU mismatch induction for error generation
            1.1.3.4 TCP MSS manipulation through ICMP attacks
            
    1.2 Cloud infrastructure abuse [OR]
    
        1.2.1 Misconfigured cloud router exploitation
            1.2.1.1 Public-facing cloud router targeting
            1.2.1.2 Virtual router misconfiguration abuse
            1.2.1.3 Cloud load balancer ICMP reflection
            1.2.1.4 Auto-scaling group router exploitation
            
        1.2.2 Container network amplification
            1.2.2.1 Kubernetes pod network exploitation
            1.2.2.2 Docker bridge network amplification
            1.2.2.3 Container network interface targeting
            1.2.2.4 Service mesh sidecar reflection attacks
            
        1.2.3 Serverless function reflection
            1.2.3.1 Lambda function ICMP response manipulation
            1.2.3.2 Cloud function error message amplification
            1.2.3.3 Serverless timeout error exploitation
            1.2.3.4 Function-as-a-service platform abuse
            
    1.3 High-gain amplification [OR]
    
        1.3.1 IPv6 jumbogram amplification
            1.3.1.1 Jumbo payload option exploitation
            1.3.1.2 Large packet amplification through error messages
            1.3.1.3 Router jumbogram support testing for amplification
            1.3.1.4 Path MTU discovery with jumbogram exploitation
            
        1.3.2 Nested ICMP message exploitation
            1.3.2.1 ICMP-in-ICMP encapsulation attacks
            1.3.2.2 Error message chaining for amplification
            1.3.2.3 Multi-layer protocol exploitation
            1.3.2.4 Recursive error generation techniques
            
        1.3.3 Multi-protocol chain amplification
            1.3.3.1 ICMP-TCP interaction exploitation
            1.3.3.2 UDP-ICMP protocol chain attacks
            1.3.3.3 DNS-ICMP amplification techniques
            1.3.3.4 HTTP-ICMP error chain exploitation
            
    1.4 Reflection technique enhancement [OR]
    
        1.4.1 Source spoofing optimisation
            1.4.1.1 Efficient source address spoofing techniques
            1.4.1.2 Spoofed address rotation patterns
            1.4.1.3 Geographic spoofing for attribution evasion
            1.4.1.4 Botnet-based spoofing coordination
            
        1.4.2 Amplification factor maximisation
            1.4.2.1 Protocol feature analysis for maximum gain
            1.4.2.2 Network path optimisation for amplification
            1.4.2.3 Response size manipulation techniques
            1.4.2.4 Timing synchronisation for peak amplification
            
    1.5 Infrastructure recruitment [OR]
    
        1.5.1 Open resolver exploitation
            1.5.1.1 ICMP-enabled open resolver identification
            1.5.1.2 Public infrastructure recruitment for amplification
            1.5.1.3 Cloud service abuse for reflection capacity
            1.5.1.4 Content delivery network exploitation
            
        1.5.2 Compromised device recruitment
            1.5.2.1 IoT device exploitation for distributed amplification
            1.5.2.2 Network device compromise for reflection points
            1.5.2.3 Server compromise for high-bandwidth amplification
            1.5.2.4 Mobile device network participation
            
    1.6 Evasion and persistence [OR]
    
        1.6.1 Detection avoidance techniques
            1.6.1.1 Rate limiting evasion through distribution
            1.6.1.2 Pattern randomisation for signature avoidance
            1.6.1.3 Protocol compliance maintenance for legitimacy
            1.6.1.4 Traffic blending with legitimate ICMP flows
            
        1.6.2 Attack persistence mechanisms
            1.6.2.1 Continuous amplification source rotation
            1.6.2.2 Adaptive attack intensity adjustment
            1.6.2.3 Multi-vector attack sustainment
            1.6.2.4 Infrastructure redundancy for attack persistence

Why it works

  • Protocol design limitations: the protocol requires nodes to send error messages, and because those messages quote the packet that triggered them they can be significantly larger than the triggering packets

  • Amplification factors: Certain ICMP messages can achieve high amplification ratios (50:1 or greater)

  • Source spoofing viability: IP source address spoofing remains possible in many networks

  • Infrastructure availability: Numerous misconfigured systems respond to ICMP requests from any source

  • Protocol necessity: ICMP cannot be completely blocked without affecting network functionality

  • Monitoring gaps: Many networks lack comprehensive ICMP traffic analysis capabilities
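The amplification-factor and monitoring-gap points above can be made concrete with a small defender-side script. The following is an added example, not part of the original page: it scans flow records for reflector-to-victim pairs where ICMP/ICMPv6 error bytes dwarf the bytes the supposed sender actually transmitted, and it models the error-rate limiting that RFC 4443 section 2.4(f) requires of IPv6 nodes to show how that control caps the gain a reflector can deliver. The flow-record layout, the addresses, the sample flows, the thresholds and the limiter parameters are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# ICMP error types that quote the invoking packet, so their size is driven by
# the trigger's length rather than by the request itself.
# ICMPv4 (RFC 792): 3 destination unreachable, 11 time exceeded, 12 parameter problem.
# ICMPv6 (RFC 4443): 1 destination unreachable, 2 packet too big, 3 time exceeded,
# 4 parameter problem.
ICMPV4_ERROR_TYPES = {3, 11, 12}
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (this shape is an assumption, not a real export format)."""
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp" or "icmp6"
    icmp_type: int  # -1 for non-ICMP flows
    bytes: int
    packets: int


# Constructed sample flows (not captured data). A reflector at 2001:db8:1::1
# receives 40 small probes whose source is spoofed to the victim 2001:db8:f::9
# and answers each with a Packet Too Big (type 2) carrying a 1280-byte quote.
# A benign echo request/reply pair is included as a control that must not fire.
SAMPLE_FLOWS = [
    Flow("2001:db8:f::9", "2001:db8:1::1", "udp", -1, 60 * 40, 40),
    Flow("2001:db8:1::1", "2001:db8:f::9", "icmp6", 2, 1280 * 40, 40),
    Flow("198.51.100.7", "203.0.113.5", "icmp", 8, 64 * 5, 5),
    Flow("203.0.113.5", "198.51.100.7", "icmp", 0, 64 * 5, 5),
]


def is_icmp_error(flow):
    """True for ICMP/ICMPv6 error messages; echo request/reply are not errors."""
    return (flow.proto == "icmp6" and flow.icmp_type in ICMPV6_ERROR_TYPES) or (
        flow.proto == "icmp" and flow.icmp_type in ICMPV4_ERROR_TYPES
    )


def find_amplification(flows, min_ratio=5.0, min_packets=20):
    """Return (reflector, victim, ratio) for pairs where the reflector's ICMP
    error bytes toward the victim exceed min_ratio times the bytes the victim
    sent to it. Both tables are keyed (reflector, victim) so they line up."""
    trigger_bytes = defaultdict(int)
    error_bytes = defaultdict(int)
    error_packets = defaultdict(int)
    for f in flows:
        if is_icmp_error(f):
            error_bytes[(f.src, f.dst)] += f.bytes
            error_packets[(f.src, f.dst)] += f.packets
        else:
            trigger_bytes[(f.dst, f.src)] += f.bytes  # trigger travels victim -> reflector
    findings = []
    for key, ebytes in error_bytes.items():
        trig = trigger_bytes.get(key, 0)
        ratio = ebytes / trig if trig else float("inf")
        if ratio >= min_ratio and error_packets[key] >= min_packets:
            findings.append((key[0], key[1], ratio))
    return findings


class ErrorRateLimiter:
    """Token bucket applied to ICMP error generation, the control RFC 4443
    section 2.4(f) requires of IPv6 nodes. Rate and burst here are illustrative."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Refill by elapsed time, then spend one token per error emitted."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def reflector_gain(trigger_times, limiter=None, trigger_len=60, error_len=1280):
    """Error bytes emitted per trigger byte, with or without the limiter."""
    emitted = sum(error_len for t in trigger_times if limiter is None or limiter.allow(t))
    return emitted / (len(trigger_times) * trigger_len)


if __name__ == "__main__":
    for reflector, victim, ratio in find_amplification(SAMPLE_FLOWS):
        print(f"amplification {ratio:.1f}x from {reflector} toward {victim}")
    burst = [i * 0.01 for i in range(40)]  # 40 triggers within 0.4 s
    print("gain without rate limiting:", reflector_gain(burst))
    print("gain with rate limiting:   ", reflector_gain(burst, ErrorRateLimiter(2, 5)))
```

Run against real flow exports, the detector is a coarse screen: it keys on the (reflector, victim) pair so that a spoofed victim whose "requests" are tiny but whose inbound ICMP errors are large stands out, and `min_packets` keeps a single oversized error from raising an alert. The limiter shows why per-node error rate limiting is the control that matters most: once the bucket drains, the same 40 probes yield only five quoted errors, and the effective gain falls from roughly 21:1 to under 3:1.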