Wondering how to mitigate ICMP Flood Attack? We can help you.

Ping flood, also known as ICMP flood, is a common Denial of Service (DoS) attack in which an attacker takes down a victim’s computer by overwhelming it with ICMP echo requests, also known as pings.

When the attack traffic comes from multiple devices, the attack becomes a DDoS attack.

Here at Bobcares, we often handle such DDoS attacks as apart of our Server Management Services.

Today let’s see the steps our Support Techs follow to mitigate this.

How does a Ping flood attack or ICMP Flood Attack work?

The Internet Control Message Protocol (ICMP) utilized during a Ping Flood attack, is an internet layer protocol used by network devices to communicate with each other.

Generally, ICMP uses echo-request and echo-reply messages to ping a network device. This is for checking the health and connectivity of the device and the connection between the sender and the device.

An ICMP request requires some server resources to process each request and to send a response. The request also requires bandwidth on both the incoming message (echo-request) and outgoing response (echo-reply).

The Ping Flood attack influences the targeted device’s ability to respond to the high number of requests. This, in turn, overloads the network connection with huge traffic.

The DDoS form of a Ping (ICMP) Flood can be split into the following steps:

1. Attacker sends many ICMP echo request packets to the target server using multiple devices.
2. The targeted server then sends an ICMP echo reply packet to each requesting device’s IP address as a response.

The damaging effect of a Ping Flood is directly proportional to the number of requests made to the targeted server. Ping Flood attack traffic is symmetrical.

How to mitigate ICMP Flood Attack?

Following are the ways in which we can mitigate ICMP flood attack.

1. Disabling ICMP functionality

Firstly we can try disabling a ping flood can be accomplished by disabling the ICMP functionality of the targeted router, computer, or other devices.

We can do this by accessing the administrative interface of the device and disable its ability to send and receive any requests using the ICMP.

We must keep in mind that all network activities involving ICMP will get disabled. This will make the device unresponsive to ping requests, traceroute requests, and other network activities.

2. Limiting the processing of incoming ICMP messages

Another approach to combating ICMP attacks is to rate-limit the processing of incoming ICMP messages.

This can be commonly done using Iptables. Here we will set 1 ping per second as it is plenty for legitimate uses.

We can use the following commands:

iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

[Need assistance? We are happy to help you]

Conclusion

In short, we saw how the ICMP flood attack works, along with the ways which our Support Techs follow to mitigate this.