ICMP Echo sweeping (Ping sweep)

Attack pattern

ICMP echo sweeping, commonly known as ping sweeping, is a fundamental network reconnaissance technique that sends Internet Control Message Protocol echo requests to identify active hosts within a target network. It covers both traditional high-speed approaches and slower stealth techniques that map the network while evading detection mechanisms.

1. ICMP echo sweeping (ping sweep) [OR]

    1.1 High-speed parallel scanning [OR]
    
        1.1.1 fping mass parallel ICMP probes
            1.1.1.1 Rapid consecutive echo request transmission
            1.1.1.2 Multiple target simultaneous probing
            1.1.1.3 Adaptive timeout handling for efficient scanning
            1.1.1.4 Output formatting for automated processing
            
        1.1.2 Masscan with ICMP-only mode
            1.1.2.1 Internet-scale ICMP probing capabilities
            1.1.2.2 Custom packet rate configuration for optimal performance
            1.1.2.3 Source IP address spoofing support
            1.1.2.4 Results export for further analysis
            
        1.1.3 ZMap IPv6 ping6 sweeping
            1.1.3.1 IPv6 address space probabilistic scanning
            1.1.3.2 ICMPv6 echo request optimisation
            1.1.3.3 Dual-stack network enumeration
            1.1.3.4 Large-scale network mapping capabilities
            
    1.2 Stealth scanning techniques [OR]
    
        1.2.1 Low-rate ICMP probes to evade detection
            1.2.1.1 Sub-threshold request rates to avoid triggering alerts
            1.2.1.2 Extended time frame distributed scanning
            1.2.1.3 Traffic blending with legitimate network patterns
            1.2.1.4 Rate limit boundary testing and adaptation
            
        1.2.2 Randomised probe timing (jitter)
            1.2.2.1 Exponential backoff algorithm implementation
            1.2.2.2 Gaussian distribution timing variation
            1.2.2.3 Network latency-adaptive timing adjustments
            1.2.2.4 Pattern avoidance through temporal randomness
            
        1.2.3 Source IP rotation through compromised hosts
            1.2.3.1 Botnet infrastructure utilisation for distributed scanning
            1.2.3.2 Cloud instance abuse for source diversity
            1.2.3.3 Proxy chain implementation for anonymity
            1.2.3.4 Fast-flux DNS techniques for infrastructure obfuscation
            
    1.3 Protocol variation scanning [OR]
    
        1.3.1 ICMPv6 node information queries
            1.3.1.1 IPv6 address harvesting through NI queries
            1.3.1.2 Host fingerprinting via supported query types
            1.3.1.3 Service discovery through unexpected NI responses
            1.3.1.4 Evasion through legitimate ICMPv6 traffic mimicry
            
        1.3.2 Multicast listener discovery spoofing
            1.3.2.1 Fake MLD reports for traffic interception
            1.3.2.2 Group membership query abuse for host discovery
            1.3.2.3 MLDv2 capability probing for system fingerprinting
            1.3.2.4 Multicast address scanning for host identification
            
        1.3.3 Neighbour solicitation abuse
            1.3.3.1 NS spoofing for address resolution poisoning
            1.3.3.2 Duplicate address detection exploitation
            1.3.3.3 Unicast NS probing for host verification
            1.3.3.4 NS flooding for cache exhaustion attacks
            
    1.4 Evasion and anti-detection [OR]
    
        1.4.1 Packet crafting for stealth
            1.4.1.1 TTL value manipulation to appear as local traffic
            1.4.1.2 Checksum validation bypass techniques
            1.4.1.3 Protocol compliance maintenance for legitimacy
            1.4.1.4 Packet size variation to avoid pattern recognition
            
        1.4.2 Network behaviour mimicry
            1.4.2.1 Legitimate network tool traffic imitation
            1.4.2.2 System utility ICMP pattern replication
            1.4.2.3 Cloud service ICMP traffic imitation
            1.4.2.4 Network infrastructure communication mimicry
            
    1.5 Response analysis techniques [OR]
    
        1.5.1 Echo reply interpretation
            1.5.1.1 Operating system fingerprinting through response characteristics
            1.5.1.2 Network device identification via response patterns
            1.5.1.3 Response time analysis for system load estimation
            1.5.1.4 Packet loss calculation for network condition assessment
            
        1.5.2 Error message exploitation
            1.5.2.1 Destination unreachable message analysis
            1.5.2.2 Time exceeded message examination for path analysis
            1.5.2.3 Source quench message interpretation
            1.5.2.4 Parameter problem message inspection
            
    1.6 Adaptive scanning methodologies [OR]
    
        1.6.1 Environment-aware scanning
            1.6.1.1 Automatic protocol selection based on network configuration
            1.6.1.2 Firewall rule detection and adaptation
            1.6.1.3 IDS/IPS evasion through protocol analysis
            1.6.1.4 Network policy reconnaissance and adaptation
            
        1.6.2 Dynamic target selection
            1.6.2.1 Real-time results analysis for scan adjustment
            1.6.2.2 Machine learning for target prioritisation
            1.6.2.3 Adaptive scanning based on response patterns
            1.6.2.4 Resource-constrained environment adaptation

Why it works

  • Protocol necessity: ICMP carries error and control messages that networks depend on, so it is rarely blocked outright

  • Speed advantage: Modern tools can scan entire network ranges rapidly

  • Evasion capabilities: Stealth techniques bypass traditional detection mechanisms

  • Protocol flexibility: ICMP supports various message types for different scanning approaches

  • Network pervasiveness: ICMP traffic is common and blends with legitimate network operations

  • Resource efficiency: ICMP scanning requires minimal bandwidth compared to TCP/UDP methods
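From the defender's side, the distinguishing signal of a sweep is one source sending echo requests to many distinct destinations; the stealth variants in section 1.2 only stretch that fan-out over time. The following is an added example, not part of the original attack-pattern page: a detector over constructed flow-log lines (the log format, addresses and thresholds are assumptions) that uses a long sliding window so low-rate, jittered sweeps are still caught.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic):
# "<ISO timestamp> <src> <dst> <proto> <icmp type>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 10.0.1.1 icmp 8
2024-05-01T10:00:00 10.0.0.5 10.0.1.2 icmp 8
2024-05-01T10:00:01 10.0.0.5 10.0.1.3 icmp 8
2024-05-01T10:00:01 10.0.0.5 10.0.1.4 icmp 8
2024-05-01T10:00:02 10.0.0.5 10.0.1.5 icmp 8
2024-05-01T10:00:02 10.0.0.5 10.0.1.6 icmp 8
2024-05-01T10:00:03 10.0.1.1 10.0.0.5 icmp 0
2024-05-01T10:00:05 10.0.0.7 10.0.0.1 icmp 8
2024-05-01T10:02:05 10.0.0.7 10.0.0.1 icmp 8
2024-05-01T10:00:10 10.0.0.9 10.0.2.1 icmp 8
2024-05-01T10:04:33 10.0.0.9 10.0.2.2 icmp 8
2024-05-01T10:09:01 10.0.0.9 10.0.2.3 icmp 8
2024-05-01T10:14:47 10.0.0.9 10.0.2.4 icmp 8
2024-05-01T10:19:58 10.0.0.9 10.0.2.5 icmp 8
"""

def parse_line(line):
    """Parse one constructed flow record into its fields."""
    ts, src, dst, proto, icmp_type = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(icmp_type)

def detect_sweeps(log_text, window_seconds=1800, min_targets=5):
    """Return {src: max distinct destinations} for sources whose ICMP echo
    requests (type 8) reach at least min_targets distinct hosts within any
    window_seconds-long span. A long window catches slow, jittered sweeps."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.strip().splitlines():
        ts, src, dst, proto, itype = parse_line(line)
        if proto != "icmp" or itype != 8:  # ignore replies and other types
            continue
        events[src].append((ts, dst))
    alerts = {}
    for src, recs in events.items():
        recs.sort()  # records may be logged out of order
        best, start = 0, 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits
            while recs[end][0] - recs[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in recs[start:end + 1]}))
        if best >= min_targets:
            alerts[src] = best
    return alerts
```

With the 30-minute default the fast sweeper 10.0.0.5 and the slow, jittered sweeper 10.0.0.9 are both flagged, while a host repeatedly pinging its gateway is not; shrinking the window to a minute loses the slow one, which is the trade-off section 1.2.1 relies on.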