ICMP flood attacks

Attack pattern

ICMP flood attacks represent a category of denial-of-service techniques that leverage the Internet Control Message Protocol to overwhelm target systems, networks, or infrastructure components. These attacks exploit the fundamental nature of ICMP as a required protocol for network operations, making complete mitigation challenging while allowing attackers to cause significant service disruption through various amplification and reflection techniques.

1. ICMP floods [OR]

    1.1 Direct flood attacks [OR]
    
        1.1.1 IPv6 ping6 high-volume floods
            1.1.1.1 High-rate echo request bombardment
            1.1.1.2 Large payload ping6 packets for bandwidth consumption
            1.1.1.3 Dual-stack targeting through IPv6-specific floods
            1.1.1.4 Path MTU discovery exhaustion through oversized packets
            
        1.1.2 ICMPv6 parameter problem floods
            1.1.2.1 Malformed packet generation to trigger error responses
            1.1.2.2 Header corruption attacks forcing parameter problem messages
            1.1.2.3 Extension header manipulation for error induction
            1.1.2.4 Checksum violation attacks to generate error storms
            
        1.1.3 Multicast listener report floods
            1.1.3.1 MLD report message bombardment
            1.1.3.2 Multicast group join storms for router exhaustion
            1.1.3.3 MLD query amplification attacks
            1.1.3.4 Multicast state table exhaustion through rapid group changes
            
    1.2 Spoofed-source attacks [OR]
    
        1.2.1 ICMPv6 spoofed-source floods
            1.2.1.1 Source address spoofing for attribution evasion
            1.2.1.2 Amplification through error message generation
            1.2.1.3 Reflection attack setup through spoofed requests
            1.2.1.4 Botnet coordination with spoofed source addresses
            
        1.2.2 Reflection through compromised infrastructure
            1.2.2.1 Cloud instance abuse for reflection attacks
            1.2.2.2 Compromised network device exploitation
            1.2.2.3 IoT device recruitment for distributed reflection
            1.2.2.4 Public service abuse for amplified attacks
            
        1.2.3 Botnet-based distributed flooding
            1.2.3.1 IoT botnet mobilisation for ICMP floods
            1.2.3.2 Mobile device network participation
            1.2.3.3 Cloud resource compromise for attack scaling
            1.2.3.4 Coordinated attack timing for maximum impact
            
    1.3 Protocol-specific floods [OR]
    
        1.3.1 Neighbour solicitation storms
            1.3.1.1 NS message bombardment for cache exhaustion
            1.3.1.2 Address resolution flood attacks
            1.3.1.3 DAD (Duplicate Address Detection) process abuse
            1.3.1.4 Neighbour cache table exhaustion attacks
            
        1.3.2 Router advertisement flooding
            1.3.2.1 RA message storms for host configuration disruption
            1.3.2.2 Default router list exhaustion attacks
            1.3.2.3 Prefix information flood for address assignment disruption
            1.3.2.4 Parameter spoofing through malicious RAs
            
        1.3.3 MLD report exhaustion attacks
            1.3.3.1 Multicast listener report storms
            1.3.3.2 Group membership flood attacks
            1.3.3.3 Router state table exhaustion through rapid reports
            1.3.3.4 Query interval manipulation for amplified effects
            
    1.4 Amplification techniques [OR]
    
        1.4.1 Error message amplification
            1.4.1.1 Parameter problem message amplification
            1.4.1.2 Destination unreachable message exploitation
            1.4.1.3 Time exceeded amplification attacks
            1.4.1.4 Packet too big message exploitation
            
        1.4.2 Multicast amplification
            1.4.2.1 Multicast group amplification techniques
            1.4.2.2 MLD query amplification attacks
            1.4.2.3 Multicast router reflection attacks
            1.4.2.4 Scope-based amplification exploitation
            
    1.5 Resource exhaustion attacks [OR]
    
        1.5.1 CPU exhaustion through processing demands
            1.5.1.1 Complex ICMPv6 message processing attacks
            1.5.1.2 Extension header processing exhaustion
            1.5.1.3 Checksum verification load attacks
            1.5.1.4 State table maintenance exhaustion
            
        1.5.2 Memory consumption attacks
            1.5.2.1 Buffer allocation exhaustion through packet floods
            1.5.2.2 Neighbour cache memory exhaustion
            1.5.2.3 Routing table memory depletion
            1.5.2.4 Packet reassembly buffer exhaustion
            
    1.6 Network infrastructure targeting [OR]
    
        1.6.1 Router-specific attacks
            1.6.1.1 Control plane policing bypass attacks
            1.6.1.2 Routing protocol disruption through ICMP floods
            1.6.1.3 Forwarding plane exhaustion attacks
            1.6.1.4 Management interface targeting
            
        1.6.2 Firewall and security device targeting
            1.6.2.1 State table exhaustion through ICMP variations
            1.6.2.2 Deep packet inspection bypass through floods
            1.6.2.3 Rule processing exhaustion attacks
            1.6.2.4 Logging system overload through attack volume

Why it works

  • Protocol necessity: ICMP is essential for network operations and cannot be completely blocked without affecting functionality

  • Amplification potential: Certain ICMP messages can generate larger responses, creating amplification opportunities

  • Resource asymmetry: Attackers can leverage distributed resources that overwhelm target capacity

  • Spoofing capabilities: Source address spoofing makes attribution and blocking difficult

  • Protocol complexity: ICMPv6’s additional features create more attack vectors than ICMPv4

  • Default configurations: Many systems process ICMP packets by default without rate limiting

Mitigation

Rate limiting and traffic shaping

  • Action: Implement comprehensive rate limiting for ICMP traffic

  • How:

    • Configure router and firewall ICMP rate limiting policies

    • Implement quality of service (QoS) policies for ICMP traffic

    • Use traffic shaping to normalise ICMP packet rates

    • Deploy ICMP-specific rate limiters at network boundaries

  • Best practice: Implement hierarchical rate limiting at multiple network points

Filtering and access control

  • Action: Deploy strategic ICMP filtering and access controls

  • How:

    • Implement RFC 4890-compliant ICMPv6 filtering policies

    • Use access control lists to restrict unnecessary ICMP types

    • Deploy anti-spoofing measures (BCP 38/RFC 2827)

    • Implement geographic filtering for ICMP traffic where appropriate

  • Best practice: Default-deny approach for ICMP with explicit permitted types

Network architecture design

  • Action: Design networks to resist ICMP flood attacks

  • How:

    • Implement adequate bandwidth provisioning for attack absorption

    • Use redundant network paths for traffic diversion during attacks

    • Deploy scrubbing centres for attack mitigation

    • Design network segmentation to limit attack propagation

  • Best practice: Build networks with DDoS resistance as a design requirement

Monitoring and detection

  • Action: Implement comprehensive monitoring for ICMP flood detection

  • How:

    • Deploy flow monitoring with ICMP-specific analysis

    • Implement anomaly detection for ICMP traffic patterns

    • Use behavioural analysis to identify flood patterns

    • Establish baselines for normal ICMP traffic volumes

  • Best practice: Real-time monitoring with automated response capabilities

Cloud and service provider protections

  • Action: Leverage cloud and provider DDoS protection services

  • How:

    • Utilise cloud provider DDoS protection services

    • Implement anycast routing for attack distribution

    • Use content delivery networks for attack absorption

    • Deploy cloud-based scrubbing services

  • Best practice: Defence in depth with multiple protection layers

Key insights from real-world attacks

  • ICMP floods remain effective: Many organisations lack adequate ICMP flood protection

  • Amplification attacks increasing: Attackers increasingly use amplification techniques for larger impacts

  • IoT devices commonly exploited: Compromised IoT devices are frequently used in ICMP flood attacks

  • Multi-vector attacks common: ICMP floods often accompany other attack types

  • Increasing attack scale: ICMP flood volumes will continue to grow with available bandwidth

  • IPv6 attack expansion: IPv6-specific ICMP floods will become more prevalent

  • AI-enhanced attacks: Machine learning may be used to optimise flood patterns

  • 5G network impact: Higher bandwidth mobile networks will enable larger attacks

Conclusion

ICMP flood attacks represent a significant and evolving threat that leverages fundamental network protocols to cause service disruption. These attacks exploit the necessary nature of ICMP for network operations, making complete prevention challenging while allowing attackers to achieve substantial impacts through various techniques including direct flooding, spoofing, amplification, and resource exhaustion. Defence against ICMP flood attacks requires a multi-layered approach including rate limiting, filtering, network design considerations, comprehensive monitoring, and cloud-based protections. As attack techniques continue to evolve and available bandwidth increases, organisations must maintain vigilance and implement robust protection measures. The future of network security will require continuous adaptation to address the challenges posed by ICMP-based denial-of-service attacks while maintaining essential network functionality.