Overview attacks on ICMP¶
Attack tree¶
This attack tree methodically catalogs the exploitation of ICMP and its IPv6 counterpart, ICMPv6, illustrating how these protocols can be weaponised for everything from stealthy reconnaissance and covert data exfiltration to disruptive denial-of-service attacks and sophisticated lateral movement within modern cloud and IoT environments.
1. Reconnaissance & Network Mapping [OR]
1.1 ICMP Echo Sweeping (Ping Sweep) [OR]
1.1.1 High-speed parallel scanning [OR]
1.1.1.1 Fping mass parallel ICMP probes
1.1.1.2 Masscan with ICMP-only mode
1.1.1.3 Zmap IPv6 ping6 sweeping
1.1.2 Stealth scanning techniques [OR]
1.1.2.1 Low-rate ICMP probes to evade detection
1.1.2.2 Randomised probe timing (jitter)
1.1.2.3 Source IP rotation through compromised hosts
1.1.3 Protocol variation scanning [OR]
1.1.3.1 ICMPv6 Node Information Queries
1.1.3.2 Multicast Listener Discovery spoofing
1.1.3.3 Neighbour Solicitation abuse
1.2 TTL Manipulation for OS Fingerprinting [AND]
1.2.1 TTL decay analysis [OR]
1.2.1.1 Initial TTL value fingerprinting
1.2.1.2 Hop count deduction from TTL decay
1.2.1.3 IPv6 hop limit pattern analysis
1.2.2 Advanced TTL probing [OR]
1.2.2.1 Multi-packet TTL correlation
1.2.2.2 TCP/UDP TTL bouncing
1.2.2.3 ICMP error message TTL analysis
1.2.3 Evasive fingerprinting [OR]
1.2.3.1 Fragmentated TTL probes
1.2.3.2 ICMP timestamp-based OS detection
1.2.3.3 IPv6 extension header manipulation
1.3 ICMP-based Service Discovery [OR]
1.3.1 Legacy ICMP exploitation [OR]
1.3.1.1 ICMP Timestamp Request abuse
1.3.1.2 ICMP Address Mask Request probing
1.3.1.3 Information Request exploitation
1.3.2 IPv6-specific discovery [OR]
1.3.2.1 ICMPv6 Router Solicitation scanning
1.3.2.2 Multicast Listener Discovery queries
1.3.2.3 Neighbour Advertisement spoofing
1.3.3 Cloud environment mapping [OR]
1.3.3.1 ICMP-based cloud provider identification
1.3.3.2 VPC/VNet boundary discovery
1.3.3.3 Container network mapping via ICMP
2. Data Exfiltration & Covert Channels [OR]
2.1 ICMP Tunneling [AND]
2.1.1 Payload encoding techniques [OR]
2.1.1.1 ICMP Echo payload data encoding
2.1.1.2 ICMPv6 option field exploitation
2.1.1.3 Checksum manipulation for data carrying
2.1.2 Tool-based tunneling [OR]
2.1.2.1 Icmptunnel IPv6-enabled tunneling
2.1.2.2 Ptunnel advanced ICMP tunneling
2.1.2.3 Custom ICMP proxy development
2.1.3 Evasion mechanisms [OR]
2.1.3.1 Traffic shaping to mimic legitimate ICMP
2.1.3.2 Multiple tunnel endpoint rotation
2.1.3.3 Encrypted payload encapsulation
2.2 Fragmented ICMP Exfiltration [OR]
2.2.1 IPv6 fragmentation abuse [OR]
2.2.1.1 IPv6 jumbogram exploitation
2.2.1.2 Fragment header manipulation
2.2.1.3 DPI evasion through fragment reassembly
2.2.2 Payload distribution techniques [OR]
2.2.2.1 Split payloads across multiple ICMP packets
2.2.2.2 Time-distributed fragment transmission
2.2.2.3 Geographic fragment distribution
2.2.3 Stealth fragmentation [OR]
2.2.3.1 Legitimate-looking fragment patterns
2.2.3.2 MTU discovery integration
2.2.3.3 ICMP error message fragmentation
2.3 DNS-over-ICMP (C2) [AND]
2.3.1 Protocol encapsulation [OR]
2.3.1.1 DNS query encoding in ICMP Echo
2.3.1.2 ICMPv6 Router Advertisement DNS injection
2.3.1.3 Neighbour Discovery option abuse
2.3.2 Malware integration [OR]
2.3.2.1 MosaicLoader-style ICMP callbacks
2.3.2.2 APT41 ICMP-based C2 channels
2.3.2.3 IoT botnet ICMP command systems
2.3.3 Evasive C2 techniques [OR]
2.3.3.1 Dynamic encoding algorithm rotation
2.3.3.2 Legitimate traffic mimicry
2.3.3.3 Multi-protocol fallback mechanisms
3. Denial-of-Service (DoS) & Amplification [OR]
3.1 ICMP Floods [OR]
3.1.1 Direct flood attacks [OR]
3.1.1.1 IPv6 ping6 high-volume floods
3.1.1.2 ICMPv6 parameter problem floods
3.1.1.3 Multicast listener report floods
3.1.2 Spoofed-source attacks [OR]
3.1.2.1 ICMPv6 spoofed-source floods
3.1.2.2 Reflection through compromised infrastructure
3.1.2.3 Botnet-based distributed flooding
3.1.3 Protocol-specific floods [OR]
3.1.3.1 Neighbour Solicitation storms
3.1.3.2 Router Advertisement flooding
3.1.3.3 MLD report exhaustion attacks
3.2 ICMP Amplification [AND]
3.2.1 Amplification vector exploitation [OR]
3.2.1.1 "Packet Too Big" message amplification
3.2.1.2 ICMPv6 error message reflection
3.2.1.3 MTU discovery amplification
3.2.2 Cloud infrastructure abuse [OR]
3.2.2.1 Misconfigured cloud router exploitation
3.2.2.2 Container network amplification
3.2.2.3 Serverless function reflection
3.2.3 High-gain amplification [OR]
3.2.3.1 IPv6 jumbogram amplification
3.2.3.2 Nested ICMP message exploitation
3.2.3.3 Multi-protocol chain amplification
3.3 Ping of Death (Modern Variants) [OR]
3.3.1 IPv6 jumbo frame attacks [OR]
3.3.1.1 IoT kernel jumbo frame exploitation
3.3.1.2 Router fragment reassembly attacks
3.3.1.3 Switch buffer exhaustion
3.3.2 Malformed packet attacks [OR]
3.3.2.1 ICMPv6 malformed extension headers
3.3.2.2 Checksum manipulation crashes
3.3.2.3 Option field corruption
3.3.3 Hardware-specific exploits [OR]
3.3.3.1 Network card firmware vulnerabilities
3.3.3.2 Switch ASIC handling vulnerabilities
3.3.3.3 IoT device stack corruption
4. Evasion & Protocol Abuse [OR]
4.1 NAT/Firewall Bypass [AND]
4.1.1 Callback mechanisms [OR]
4.1.1.1 ICMP Echo Reply callback channels
4.1.1.2 ICMPv6 informational message abuse
4.1.1.3 Router Solicitation callbacks
4.1.2 Whitelist exploitation [OR]
4.1.2.1 PMTUD (Path MTU Discovery) abuse
4.1.2.2 ICMP error message whitelist bypass
4.1.2.3 IPv6 required ICMPv6 type exploitation
4.1.3 Stateful firewall evasion [OR]
4.1.3.1 ICMP session table manipulation
4.1.3.2 Timeout exploitation for persistence
4.1.3.3 Fragment-based state table attacks
4.2 Lateral Movement via ICMP [OR]
4.2.1 Advanced persistent threat techniques [OR]
4.2.1.1 APT29-style internal C2 channels
4.2.1.2 APT41 ICMP-based lateral movement
4.2.1.3 Equation Group ICMP tradecraft
4.2.2 Authentication abuse [OR]
4.2.2.1 ICMP-based password spraying
4.2.2.2 Network service discovery via ICMP
4.2.2.3 Trust relationship exploitation
4.2.3 Container/cloud lateral movement [OR]
4.2.3.1 Kubernetes pod-to-pod ICMP tunnels
4.2.3.2 Cloud VPC ICMP-based traversal
4.2.3.3 Serverless function ICMP communication
4.3 ICMPv6 Router Advertisement Spoofing [AND]
4.3.1 Rogue RA attacks [OR]
4.3.1.1 Default gateway impersonation
4.3.1.2 DNS server injection via RAs
4.3.1.3 Route preference manipulation
4.3.2 Neighbour Discovery exploitation [OR]
4.3.2.1 Weak IPv6 neighbour discovery abuse
4.3.2.2 Duplicate Address Detection spoofing
4.3.2.3 Neighbour Cache poisoning
4.3.3 SLAAC attacks [OR]
4.3.3.1 IPv6 address configuration manipulation
4.3.3.2 Privacy extension exploitation
4.3.3.3 Temporary address collision attacks
5. Zero-Day & Hardware Exploits [OR]
5.1 ICMP Side-Channel Attacks [OR]
5.1.1 Microarchitectural attacks [OR]
5.1.1.1 NetSpectre-style timing leaks
5.1.1.2 Cache timing via ICMP response
5.1.1.3 Branch prediction influence
5.1.2 Cloud environment inference [OR]
5.1.2.1 VM placement inference via ICMP TTL
5.1.2.2 Container orchestration detection
5.1.2.3 Cloud provider fingerprinting
5.1.3 Network topology leakage [OR]
5.1.3.1 ICMP-based route inference
5.1.3.2 Load balancer detection
5.1.3.3 Network segmentation mapping
5.2 IoT/OT Device Crashes [AND]
5.2.1 Protocol stack exploitation [OR]
5.2.1.1 Malformed ICMPv6 to embedded devices
5.2.1.2 Resource exhaustion through ICMP
5.2.1.3 Firmware bug triggers (CVE-2020-10148)
5.2.2 Industrial system targeting [OR]
5.2.2.1 SCADA system ICMP vulnerabilities
5.2.2.2 PLC ICMP stack corruption
5.2.2.3 OT network protocol attacks
5.2.3 Supply chain vulnerabilities [OR]
5.2.3.1 Vendor-specific ICMP implementations
5.2.3.2 Custom protocol stack exploits
5.2.3.3 Legacy system compatibility attacks
5.3 Cloud Metadata Service Abuse [OR]
5.3.1 IMDS exploitation [OR]
5.3.1.1 ICMP-based IMDSv1 queries (AWS)
5.3.1.2 Instance metadata service discovery
5.3.1.3 Cloud credential harvesting
5.3.2 Serverless SSRF attacks [OR]
5.3.2.1 ICMP-triggered serverless SSRF
5.3.2.2 Container metadata service access
5.3.2.3 Kubernetes API server targeting
5.3.3 Cloud network reconnaissance [OR]
5.3.3.1 VPC metadata discovery via ICMP
5.3.3.2 Cloud security group mapping
5.3.3.3 Service endpoint discovery
6. AI/ML-Enhanced ICMP Attacks [OR]
6.1 Adaptive Evasion Techniques [AND]
6.1.1 Machine learning-based timing [OR]
6.1.1.1 Reinforcement learning for probe timing
6.1.1.2 Neural network-based traffic shaping
6.1.1.3 Generative adversarial network evasion
6.1.2 Behavioural mimicry [OR]
6.1.2.1 Legitimate ICMP traffic generation
6.1.2.2 Network monitoring system spoofing
6.1.2.3 Anomaly detection bypass
6.1.3 Dynamic protocol manipulation [OR]
6.1.3.1 AI-generated ICMP payloads
6.1.3.2 Adaptive checksum manipulation
6.1.3.3 Intelligent fragment distribution
6.2 Autonomous Attack Systems [OR]
6.2.1 Self-learning C2 channels [OR]
6.2.1.1 AI-managed ICMP tunneling
6.2.1.2 Autonomous protocol switching
6.2.1.3 Adaptive encoding techniques
6.2.2 Intelligent reconnaissance [OR]
6.2.2.1 ML-powered network mapping
6.2.2.2 Predictive topology analysis
6.2.2.3 Automated vulnerability identification
6.2.3 Coordinated attack campaigns [OR]
6.2.3.1 Multi-vector ICMP attack coordination
6.2.3.2 Swarm intelligence for DDoS
6.2.3.3 Distributed learning for evasion
7. Defensive Bypass & Anti-Forensics [OR]
7.1 Forensic Evasion Techniques [OR]
7.1.1 Log manipulation [OR]
7.1.1.1 ICMP log entry spoofing
7.1.1.2 Security system log poisoning
7.1.1.3 Forensic timeline manipulation
7.1.2 Evidence destruction [OR]
7.1.2.1 ICMP-based log deletion triggers
7.1.2.2 Network device configuration erasure
7.1.2.3 Forensic tool interference
7.1.3 Attribution obfuscation [OR]
7.1.3.1 False flag ICMP campaigns
7.1.3.2 Source address manipulation
7.1.3.3 Geographic obfuscation
7.2 Security Control Bypass [OR]
7.2.1 IDS/IPS evasion [OR]
7.2.1.1 ICMP signature avoidance
7.2.1.2 Behavioral analysis bypass
7.2.1.3 Machine learning model poisoning
7.2.2 Network segmentation bypass [OR]
7.2.2.1 ICMP-based segment hopping
7.2.2.2 Firewall rule exploitation
7.2.2.3 VLAN hopping via ICMP
7.2.3 Cloud security bypass [OR]
7.2.3.1 Security group rule exploitation
7.2.3.2 Cloud firewall ICMP abuse
7.2.3.3 Container security policy evasion
Nitty gritty risk table¶
Attack Path |
Technical Complexity |
Resources Required |
Risk Level |
Notes |
---|---|---|---|---|
1.1.1.1 Fping mass parallel ICMP probes |
Low |
Low |
Low |
Simple to execute with open-source tools; effective for quick host discovery. |
1.1.1.2 Masscan with ICMP-only mode |
Low |
Low |
Low |
High-speed scanning; requires minimal resources but may trigger alarms. |
1.1.1.3 Zmap IPv6 ping6 sweeping |
Medium |
Low |
Medium |
IPv6-specific; requires knowledge of IPv6 addressing but efficient for large networks. |
1.1.2.1 Low-rate ICMP probes to evade detection |
Medium |
Low |
Medium |
Stealthy approach; requires timing control to avoid IDS thresholds. |
1.1.2.2 Randomised probe timing (jitter) |
Medium |
Low |
Medium |
Adds variability to avoid pattern detection; simple to implement. |
1.1.2.3 Source IP rotation through compromised hosts |
High |
Medium |
High |
Uses botnets or proxies; increases anonymity but requires existing compromises. |
1.1.3.1 ICMPv6 Node Information Queries |
High |
Low |
Medium |
IPv6-specific reconnaissance; can reveal host details without full scans. |
1.1.3.2 Multicast Listener Discovery spoofing |
High |
Medium |
High |
Targets IPv6 multicast groups; can map listeners and services. |
1.1.3.3 Neighbour Solicitation abuse |
High |
Low |
Medium |
Exploits IPv6 Neighbour Discovery Protocol; effective for local network mapping. |
1.2.1.1 Initial TTL value fingerprinting |
Low |
Low |
Low |
Basic OS detection; relies on default TTL values but easily automated. |
1.2.1.2 Hop count deduction from TTL decay |
Medium |
Low |
Medium |
Estimates network topology; requires analysis but low resource cost. |
1.2.1.3 IPv6 hop limit pattern analysis |
Medium |
Low |
Medium |
IPv6 variant; similar to TTL but with hop limit field. |
1.2.2.1 Multi-packet TTL correlation |
High |
Low |
Medium |
Advanced technique to improve accuracy; requires multiple probes. |
1.2.2.2 TCP/UDP TTL bouncing |
High |
Medium |
High |
Uses ancillary protocols for evasion; complex but stealthy. |
1.2.2.3 ICMP error message TTL analysis |
High |
Low |
Medium |
Analyses error responses; can reveal paths and devices. |
1.2.3.1 Fragmentated TTL probes |
High |
Low |
High |
Uses fragmentation to evade filters; may be blocked in modern networks. |
1.2.3.2 ICMP timestamp-based OS detection |
Medium |
Low |
Medium |
Leverages timestamp requests; less common but still effective. |
1.2.3.3 IPv6 extension header manipulation |
Very High |
Medium |
High |
Advanced IPv6 exploitation; requires deep protocol knowledge. |
1.3.1.1 ICMP Timestamp Request abuse |
Low |
Low |
Low |
Legacy technique; rarely used but can provide host information. |
1.3.1.2 ICMP Address Mask Request probing |
Low |
Low |
Low |
Obsolete in modern networks but may work on older systems. |
1.3.1.3 Information Request exploitation |
Low |
Low |
Low |
Historical protocol feature; unlikely to be supported nowadays. |
1.3.2.1 ICMPv6 Router Solicitation scanning |
Medium |
Low |
Medium |
IPv6-specific; can discover routers and network parameters. |
1.3.2.2 Multicast Listener Discovery queries |
Medium |
Low |
Medium |
Maps multicast services; useful for service discovery. |
1.3.2.3 Neighbour Advertisement spoofing |
High |
Low |
High |
Can poison IPv6 caches; leads to MITM or DoS. |
1.3.3.1 ICMP-based cloud provider identification |
Medium |
Low |
Medium |
Uses TTL or response patterns to identify cloud environments. |
1.3.3.2 VPC/VNet boundary discovery |
High |
Low |
High |
Maps cloud network boundaries; valuable for lateral movement. |
1.3.3.3 Container network mapping via ICMP |
High |
Low |
High |
Targets containerised environments; can escape network segments. |
2.1.1.1 ICMP Echo payload data encoding |
Medium |
Low |
Medium |
Simple tunneling; hides data in ping packets but detectable with deep inspection. |
2.1.1.2 ICMPv6 option field exploitation |
High |
Low |
High |
Uses IPv6 extension headers; more stealthy but complex to implement. |
2.1.1.3 Checksum manipulation for data carrying |
High |
Low |
High |
Alters checksums to encode data; evades basic checks but risky for reliability. |
2.1.2.1 Icmptunnel IPv6-enabled tunneling |
Medium |
Low |
Medium |
Open-source tool; easy to use but well-known and detectable. |
2.1.2.2 Ptunnel advanced ICMP tunneling |
High |
Low |
High |
More advanced than Icmptunnel; supports encryption and evasion. |
2.1.2.3 Custom ICMP proxy development |
Very High |
High |
Very High |
Tailored to specific environments; highly stealthy but requires development effort. |
2.1.3.1 Traffic shaping to mimic legitimate ICMP |
High |
Medium |
High |
Blends with normal ICMP traffic; difficult to detect without behavioural analysis. |
2.1.3.2 Multiple tunnel endpoint rotation |
High |
Medium |
High |
Changes endpoints to avoid blacklisting; requires infrastructure. |
2.1.3.3 Encrypted payload encapsulation |
Very High |
Medium |
Very High |
Adds encryption to tunneling; prevents content inspection but may attract attention. |
2.2.1.1 IPv6 jumbogram exploitation |
Very High |
Low |
High |
Uses large IPv6 packets for data transfer; may be blocked or misconfigured. |
2.2.1.2 Fragment header manipulation |
High |
Low |
High |
Alters fragmentation for evasion; complex and prone to failure. |
2.2.1.3 DPI evasion through fragment reassembly |
Very High |
Low |
Very High |
Bypasses deep packet inspection; requires precise timing and packet crafting. |
2.2.2.1 Split payloads across multiple ICMP packets |
Medium |
Low |
Medium |
Simple data distribution; inefficient but avoids size thresholds. |
2.2.2.2 Time-distributed fragment transmission |
High |
Low |
High |
Spreads packets over time to evade detection; requires patience. |
2.2.2.3 Geographic fragment distribution |
Very High |
High |
Very High |
Uses diverse paths; hard to trace but needs global infrastructure. |
2.2.3.1 Legitimate-looking fragment patterns |
High |
Low |
High |
Mimics normal traffic; effective against simple filters. |
2.2.3.2 MTU discovery integration |
High |
Low |
High |
Exploits path MTU discovery; blends with legitimate network operations. |
2.2.3.3 ICMP error message fragmentation |
Very High |
Low |
Very High |
Rarely monitored; highly stealthy but technically complex. |
2.3.1.1 DNS query encoding in ICMP Echo |
Medium |
Low |
Medium |
Hides DNS in ICMP; bypasses DNS monitoring but detectable with analysis. |
2.3.1.2 ICMPv6 Router Advertisement DNS injection |
High |
Low |
High |
Targets IPv6 autoconfiguration; can redirect or poison DNS. |
2.3.1.3 Neighbour Discovery option abuse |
High |
Low |
High |
Uses IPv6 ND for C2; stealthy but requires local network access. |
2.3.2.1 MosaicLoader-style ICMP callbacks |
High |
Medium |
High |
Real-world malware technique; effective for persistent C2. |
2.3.2.2 APT41 ICMP-based C2 channels |
Very High |
High |
Very High |
Advanced threat actor tactic; highly evasive and persistent. |
2.3.2.3 IoT botnet ICMP command systems |
Medium |
Low |
High |
Common in IoT attacks; low cost but scalable. |
2.3.3.1 Dynamic encoding algorithm rotation |
High |
Medium |
High |
Changes encoding to avoid signatures; requires advanced C2 infrastructure. |
2.3.3.2 Legitimate traffic mimicry |
Very High |
Medium |
Very High |
Mimics common ICMP patterns; extremely hard to detect. |
2.3.3.3 Multi-protocol fallback mechanisms |
Very High |
High |
Very High |
Switches protocols if blocked; ensures reliability but complex to implement. |
3.1.1.1 IPv6 ping6 high-volume floods |
Low |
High |
High |
Simple but effective; requires high bandwidth for impact. |
3.1.1.2 ICMPv6 parameter problem floods |
Medium |
Medium |
High |
Targets IPv6 stacks; can cause devices to crash or slow down. |
3.1.1.3 Multicast listener report floods |
High |
Medium |
High |
Swamps multicast networks; disruptive to multicast-dependent services. |
3.1.2.1 ICMPv6 spoofed-source floods |
Medium |
High |
High |
Hides source; amplifies impact but requires bandwidth. |
3.1.2.2 Reflection through compromised infrastructure |
High |
High |
Very High |
Uses third-party systems; increases scale and anonymity. |
3.1.2.3 Botnet-based distributed flooding |
Medium |
High |
Very High |
Leverages botnets; high impact and hard to mitigate. |
3.1.3.1 Neighbour Solicitation storms |
High |
Medium |
High |
Targets IPv6 networks; can exhaust resources or cause MITM. |
3.1.3.2 Router Advertisement flooding |
High |
Medium |
High |
Spams RAs; disrupts network configuration and stability. |
3.1.3.3 MLD report exhaustion attacks |
High |
Medium |
High |
Floods Multicast Listener Discovery; impacts multicast routing. |
3.2.1.1 “Packet Too Big” message amplification |
High |
Medium |
High |
Amplifies attacks using ICMP errors; can achieve high gain. |
3.2.1.2 ICMPv6 error message reflection |
High |
Medium |
High |
Reflects attacks through misconfigured devices; hides source. |
3.2.1.3 MTU discovery amplification |
Very High |
Medium |
Very High |
Exploits MTU discovery process; complex but potent. |
3.2.2.1 Misconfigured cloud router exploitation |
Medium |
Low |
High |
Uses cloud routers reflectors; easy if misconfigurations exist. |
3.2.2.2 Container network amplification |
High |
Medium |
High |
Targets container networks; can scale within cloud environments. |
3.2.2.3 Serverless function reflection |
High |
Low |
High |
Abuses serverless platforms; low cost and highly scalable. |
3.2.3.1 IPv6 jumbogram amplification |
Very High |
High |
Very High |
Uses large packets for amplification; requires jumbogram support. |
3.2.3.2 Nested ICMP message exploitation |
Very High |
High |
Very High |
Crafts complex ICMP structures; rare and highly impactful. |
3.2.3.3 Multi-protocol chain amplification |
Very High |
High |
Very High |
Combines multiple protocols; maximum amplification but technically complex. |
3.3.1.1 IoT kernel jumbo frame exploitation |
High |
Low |
High |
Crashes IoT devices; effective due to poor stack implementations. |
3.3.1.2 Router fragment reassembly attacks |
High |
Low |
High |
Overwhelms reassembly buffers; causes crashes or resource exhaustion. |
3.3.1.3 Switch buffer exhaustion |
Medium |
Low |
Medium |
Floods switches with fragments; disrupts network performance. |
3.3.2.1 ICMPv6 malformed extension headers |
Very High |
Low |
High |
Targets IPv6 stack parsing; can lead to crashes or code execution. |
3.3.2.2 Checksum manipulation crashes |
High |
Low |
High |
Invalid checksums cause stack errors; unpredictable results. |
3.3.2.3 Option field corruption |
High |
Low |
High |
Corrupts ICMP options; may exploit specific vulnerabilities. |
3.3.3.1 Network card firmware vulnerabilities |
Very High |
High |
Very High |
Rare and valuable; can persist across reboots. |
3.3.3.2 Switch ASIC handling vulnerabilities |
Very High |
High |
Very High |
Hardware-level exploits; devastating but require specific expertise. |
3.3.3.3 IoT device stack corruption |
High |
Low |
High |
Common due to poor coding; easily automated for large-scale attacks. |
4.1.1.1 ICMP Echo Reply callback channels |
Medium |
Low |
Medium |
Simple callback mechanism; detectable if outgoing ICMP is monitored. |
4.1.1.2 ICMPv6 informational message abuse |
High |
Low |
High |
Uses less-common ICMPv6 types; often allowed through firewalls. |
4.1.1.3 Router Solicitation callbacks |
High |
Low |
High |
Leverages IPv6 autoconfiguration; stealthy and effective. |
4.1.2.1 PMTUD (Path MTU Discovery) abuse |
High |
Low |
High |
Exploits necessary ICMP messages; often whitelisted and trusted. |
4.1.2.2 ICMP error message whitelist bypass |
Medium |
Low |
Medium |
Uses allowed ICMP types; simple but depends on firewall rules. |
4.1.2.3 IPv6 required ICMPv6 type exploitation |
High |
Low |
High |
Targets essential IPv6 operations; hard to block without breaking functionality. |
4.1.3.1 ICMP session table manipulation |
High |
Low |
High |
Exhausts state tables; can bypass stateful firewalls. |
4.1.3.2 Timeout exploitation for persistence |
Medium |
Low |
Medium |
Keeps sessions open longer; evades timeout-based cleanup. |
4.1.3.3 Fragment-based state table attacks |
High |
Low |
High |
Uses fragments to confuse stateful devices; complex but effective. |
4.2.1.1 APT29-style internal C2 channels |
Very High |
High |
Very High |
Advanced persistent threat tactic; highly stealthy and persistent. |
4.2.1.2 APT41 ICMP-based lateral movement |
Very High |
High |
Very High |
Real-world example; uses ICMP for internal propagation. |
4.2.1.3 Equation Group ICMP tradecraft |
Very High |
High |
Very High |
Nation-state level; sophisticated and hard to detect. |
4.2.2.1 ICMP-based password spraying |
Medium |
Low |
Medium |
Uses ICMP to deliver spray attacks; evades traditional security controls. |
4.2.2.2 Network service discovery via ICMP |
Medium |
Low |
Medium |
Finds services without port scans; stealthy but limited to ICMP-accessible info. |
4.2.2.3 Trust relationship exploitation |
High |
Low |
High |
Uses ICMP to traverse trust boundaries; requires prior knowledge. |
4.2.3.1 Kubernetes pod-to-pod ICMP tunnels |
High |
Low |
High |
Escapes container isolation; effective in cloud environments. |
4.2.3.2 Cloud VPC ICMP-based traversal |
High |
Low |
High |
Moves between cloud segments; leverages allowed ICMP traffic. |
4.2.3.3 Serverless function ICMP communication |
High |
Low |
High |
Uses ICMP for inter-function communication; hard to monitor. |
4.3.1.1 Default gateway impersonation |
High |
Low |
High |
Rogue RAs mimic gateways; leads to MITM or traffic interception. |
4.3.1.2 DNS server injection via RAs |
High |
Low |
High |
Injects malicious DNS through RAs; can redirect traffic or steal data. |
4.3.1.3 Route preference manipulation |
Medium |
Low |
Medium |
Alters route preferences; influences traffic paths subtly. |
4.3.2.1 Weak IPv6 neighbour discovery abuse |
High |
Low |
High |
Exploits insecure ND implementations; common in legacy networks. |
4.3.2.2 Duplicate Address Detection spoofing |
High |
Low |
High |
Prevents legitimate addresses from being used; causes DoS or takeover. |
4.3.2.3 Neighbour Cache poisoning |
High |
Low |
High |
Corrupts ARP-like caches in IPv6; facilitates MITM attacks. |
4.3.3.1 IPv6 address configuration manipulation |
High |
Low |
High |
Alters SLAAC assignments; can assign addresses for MITM. |
4.3.3.2 Privacy extension exploitation |
High |
Low |
High |
Predicts or influences temporary addresses; undermines privacy. |
4.3.3.3 Temporary address collision attacks |
High |
Low |
High |
Causes address conflicts; disrupts communication or enables takeover. |
5.1.1.1 NetSpectre-style timing leaks |
Very High |
Medium |
Very High |
Remote side-channel attack; requires high precision and analysis. |
5.1.1.2 Cache timing via ICMP response |
Very High |
Medium |
Very High |
Measures response times to infer cache state; complex and slow. |
5.1.1.3 Branch prediction influence |
Very High |
High |
Very High |
Affects CPU branch prediction; theoretical but potentially devastating. |
5.1.2.1 VM placement inference via ICMP TTL |
High |
Low |
Medium |
Deduces cloud infrastructure; useful for targeting specific instances. |
5.1.2.2 Container orchestration detection |
High |
Low |
Medium |
Identifies Kubernetes or similar; helps in containerised attacks. |
5.1.2.3 Cloud provider fingerprinting |
Medium |
Low |
Low |
Uses TTL or other traits to identify providers; low risk but informative. |
5.1.3.1 ICMP-based route inference |
High |
Low |
Medium |
Maps network paths; valuable for reconnaissance. |
5.1.3.2 Load balancer detection |
Medium |
Low |
Medium |
Identifies load balancers via TTL or response patterns. |
5.1.3.3 Network segmentation mapping |
High |
Low |
High |
Uses ICMP to deduce network segments; aids in lateral movement. |
5.2.1.1 Malformed ICMPv6 to embedded devices |
High |
Low |
High |
Crashes or compromises IoT devices; common due to weak stacks. |
5.2.1.2 Resource exhaustion through ICMP |
Medium |
Low |
Medium |
Floods devices with ICMP; causes DoS or instability. |
5.2.1.3 Firmware bug triggers (CVE-2020-10148) |
Medium |
Low |
High |
Exploits known vulnerabilities; easily automated for large-scale attacks. |
5.2.2.1 SCADA system ICMP vulnerabilities |
High |
Low |
Very High |
Targets industrial systems; can cause physical disruptions. |
5.2.2.2 PLC ICMP stack corruption |
High |
Low |
Very High |
Programmable Logic Controllers often have weak networks stacks. |
5.2.2.3 OT network protocol attacks |
Very High |
Medium |
Very High |
Operational Technology focus; requires specialised knowledge. |
5.2.3.1 Vendor-specific ICMP implementations |
High |
Low |
High |
Exploits custom firmware; effective against niche devices. |
5.2.3.2 Custom protocol stack exploits |
Very High |
High |
Very High |
Targets proprietary stacks; valuable zero-days. |
5.2.3.3 Legacy system compatibility attacks |
Medium |
Low |
Medium |
Exploits old systems still in use; low hanging fruit. |
5.3.1.1 ICMP-based IMDSv1 queries (AWS) |
Medium |
Low |
High |
Accesses cloud metadata; can lead to credential theft. |
5.3.1.2 Instance metadata service discovery |
Medium |
Low |
Medium |
Finds metadata services; reconnaissance step for further attacks. |
5.3.1.3 Cloud credential harvesting |
High |
Low |
Very High |
Steals credentials via metadata; devastating for cloud security. |
5.3.2.1 ICMP-triggered serverless SSRF |
High |
Low |
High |
Uses ICMP to induce serverless SSRF; bypasses common guards. |
5.3.2.2 Container metadata service access |
High |
Low |
High |
Targets container metadata; similar to cloud instance attacks. |
5.3.2.3 Kubernetes API server targeting |
High |
Low |
Very High |
Compromises K8s API via metadata; cluster-wide impact. |
5.3.3.1 VPC metadata discovery via ICMP |
Medium |
Low |
Medium |
Maps cloud network metadata; reconnaissance for lateral movement. |
5.3.3.2 Cloud security group mapping |
High |
Low |
High |
Uses ICMP responses to deduce firewall rules. |
5.3.3.3 Service endpoint discovery |
Medium |
Low |
Medium |
Finds cloud services; helps in targeting critical assets. |
6.1.1.1 Reinforcement learning for probe timing |
Very High |
High |
Very High |
AI-driven evasion; adapts to network conditions for stealth. |
6.1.1.2 Neural network-based traffic shaping |
Very High |
High |
Very High |
Generates traffic patterns that mimic legitimate behaviour. |
6.1.1.3 Generative adversarial network evasion |
Very High |
High |
Very High |
Uses GANs to create evasive traffic; cutting-edge and highly effective. |
6.1.2.1 Legitimate ICMP traffic generation |
High |
Medium |
High |
AI generates realistic ICMP; bypasses behavioural analysis. |
6.1.2.2 Network monitoring system spoofing |
Very High |
High |
Very High |
Tricks monitoring tools; requires deep knowledge of defence systems. |
6.1.2.3 Anomaly detection bypass |
Very High |
High |
Very High |
AI learns and avoids detection thresholds; persistent evasion. |
6.1.3.1 AI-generated ICMP payloads |
Very High |
High |
Very High |
Creates optimised payloads for specific targets or goals. |
6.1.3.2 Adaptive checksum manipulation |
Very High |
High |
Very High |
AI adjusts checksums to evade inspection while maintaining functionality. |
6.1.3.3 Intelligent fragment distribution |
Very High |
High |
Very High |
AI decides fragment timing and size for maximum stealth. |
6.2.1.1 AI-managed ICMP tunneling |
Very High |
High |
Very High |
Autonomous C2 channels that adapt and evolve. |
6.2.1.2 Autonomous protocol switching |
Very High |
High |
Very High |
Switches between protocols based on network conditions. |
6.2.1.3 Adaptive encoding techniques |
Very High |
High |
Very High |
AI changes encoding in real-time to avoid detection. |
6.2.2.1 ML-powered network mapping |
Very High |
High |
Very High |
Rapid, intelligent reconnaissance with minimal footprint. |
6.2.2.2 Predictive topology analysis |
Very High |
High |
Very High |
AI predicts network structures for better targeting. |
6.2.2.3 Automated vulnerability identification |
Very High |
High |
Very High |
AI scans for and exploits weaknesses without human intervention. |
6.2.3.1 Multi-vector ICMP attack coordination |
Very High |
High |
Very High |
Coordinates different ICMP attacks for compounded effect. |
6.2.3.2 Swarm intelligence for DDoS |
Very High |
High |
Very High |
Botnet-like coordination using AI for efficient DDoS. |
6.2.3.3 Distributed learning for evasion |
Very High |
High |
Very High |
AI nodes share learning to improve evasion across the network. |
7.1.1.1 ICMP log entry spoofing |
High |
Low |
High |
Fakes log entries to mislead investigators. |
7.1.1.2 Security system log poisoning |
High |
Low |
High |
Corrupts logs with false data; undermines forensic analysis. |
7.1.1.3 Forensic timeline manipulation |
Very High |
Medium |
Very High |
Alters timestamps to confuse event reconstruction. |
7.1.2.1 ICMP-based log deletion triggers |
High |
Low |
High |
Uses ICMP to signal log deletion; hard to trace. |
7.1.2.2 Network device configuration erasure |
High |
Low |
Very High |
Erases configs via ICMP; causes persistent damage. |
7.1.2.3 Forensic tool interference |
Very High |
High |
Very High |
Disrupts forensic tools with specially crafted ICMP. |
7.1.3.1 False flag ICMP campaigns |
High |
Medium |
High |
Frames other entities; misdirects attribution. |
7.1.3.2 Source address manipulation |
Medium |
Low |
Medium |
Spoofs sources; common but less effective with modern tracing. |
7.1.3.3 Geographic obfuscation |
High |
Medium |
High |
Routes through multiple countries; complicates legal response. |
7.2.1.1 ICMP signature avoidance |
Medium |
Low |
Medium |
Modifies packets to avoid IDS signatures; simple but effective. |
7.2.1.2 Behavioral analysis bypass |
Very High |
High |
Very High |
Uses AI or advanced techniques to mimic normal behaviour. |
7.2.1.3 Machine learning model poisoning |
Very High |
High |
Very High |
Corrupts defensive AI models; sophisticated and damaging. |
7.2.2.1 ICMP-based segment hopping |
High |
Low |
High |
Uses ICMP to move between network segments. |
7.2.2.2 Firewall rule exploitation |
Medium |
Low |
Medium |
Finds and uses allowed ICMP rules to bypass filters. |
7.2.2.3 VLAN hopping via ICMP |
High |
Low |
High |
Leverages ICMP in VLAN environments; rare but possible. |
7.2.3.1 Security group rule exploitation |
Medium |
Low |
Medium |
Uses overly permissive cloud rules; common misconfiguration. |
7.2.3.2 Cloud firewall ICMP abuse |
Medium |
Low |
Medium |
Exploits cloud firewall defaults for ICMP. |
7.2.3.3 Container security policy evasion |
High |
Low |
High |
Bypasses container policies using ICMP; effective in Kubernetes. |