ICMP Ping (Type 8) Flood

ICMP Floods are DDoS attacks aimed at consuming computing power and saturating bandwidth. ICMP Floods are generally spoofed attacks and normally come at a very high rate, they are effectively echo requests, that may illicit echo responses (ICMP Type 0).

ICMP Floods, if not dropped by DDoS mitigation devices on the perimeter, may overwhelm the internal network architecture; this flood may also generate outgoing traffic due to answers for the echo request.  Generally this flood is used as a basic but effective flood to bring down perimeter devices or saturate bandwidth.

Technical Analysis

As seen in the Image 1 an ICMP Flood of type 8 consists of a high volume of ICMP Echo packets. These packets have a source IP (which is normally spoofed to reduce the effect of IP reputation mechanisms) and the destination IP of the victim.

“Image 1: The IP of the attacker and the victim”

As shown in Image 2 the packet is an ICMP type 8 packet (Echo request).

“Image 2: ICMP type 8, Additional Information”

Analysis of ICMP (Type 8) Flood in Wireshark – Filters:

To filter only icmp packet you can simply use the “icmp” filter. To specifically filter ICMP Echo requests you can use “icmp.type == 8”. If you see many such requests coming within a short time frame, you could be under an ICMP (Type 8) Flood attack.

Download example PCAP of ICMP (Type 8) Flood:

*Note: IP’s have been randomized to ensure privacy.

Download an ICMP (Type 8) Flood PCAP