ICMP Floods are DDoS attacks aimed at consuming computing power and saturating bandwidth. ICMP Floods are generally spoofed attacks and normally come at a very high rate. Time Exceeded ICMP Floods, if not dropped by DDoS mitigation devices on the perimeter, may overwhelm the internal network architecture. This type of ICMP packet is usually a response, but because the protocol is not stateful, some mitigation devices might let this packet into the internal network. Generally, this flood is used as a basic but effective flood to bring down perimeter devices or saturate bandwidth.
As seen in the Image 1 an ICMP Flood of type 3 consists of a high volume of ICMP Destination Unreachable packets. These packets have a source IP (which is normally spoofed to reduce the effect of IP reputation mechanisms) and the destination IP of the victim.
“Image 1: The IP of the attacker and the victim”
As shown in Image 2 the packet is an ICMP type 3 packet (Time Exceeded).
“Image 2: ICMP type 3, Additional Information”
Analysis of ICMP (Type 3) Flood in Wireshark – Filters:
To filter only icmp packet you can simply use the “icmp” filter. To specifically filter ICMP Destination Unreachable responses you can use “icmp.type == 3”. If you see many such requests coming within a short time frame, you could be under an ICMP Destination Unreachable (Type 3) Flood attack.
Download example PCAP of ICMP Destination Unreachable (Type 3) Flood:
*Note IP’s have been randomized to ensure privacy.
Download an ICMP Destination Unreachable (Type 3) Flood PCAP