Three types of ICMP flood

Source: Internet
Author: User

One of the most characteristic abuses of the ICMP protocol is the ICMP flood. This article describes the forms an ICMP flood can take, with a simple diagram for each to help you analyze them.

ICMP flood in different ways

1. Direct ICMP flood

The first condition is that your bandwidth is sufficient; you then need an easy-to-use ICMP flooder. Do not use ping.exe for this. For example, with the AnGryPing I released earlier, the packet sending speed reaches 512-packets/second (Kbps ADSL). The default is a flood of 32-byte ECHO packets. Even if the target cannot be flooded, its firewall still suffers. A direct attack exposes the attacker's own IP address (this does not matter if the other party is unable to fight back; this flood is not recommended for users with a fixed IP). Direct flooding exists mainly to accommodate the fact that Win9x/Me cannot forge IP addresses. Otherwise, it is generally not a good choice.

Simple diagram:

ICMP

Attacker [IP = 211.97.54.3] ---------------> victim [intercept attacker IP = 211.97.54.3] ==> IP address change back to counterattack

2. Flood of forged IP addresses

If you are on Win2000/XP and have Administrator permissions, you can try FakePing. It can forge any source IP address for the flood, so the other party cannot tell where the traffic really comes from. It is a relatively concealed and sinister ICMP flood.

Simple diagram:

ICMP with forged IP address = 1.1.1.1

Attacker [IP = 211.97.54.3] ---------> victim [intercept attacker IP = 1.1.1.1] =>

3. Reflection

The "Smurf" flood attack, named after the first tool to use this method, raises the level of concealment. In this attack mode, the flood that eventually drowns the target is not sent by the attacker, nor from forged IP addresses, but by servers that are communicating normally!

The principle is not complex. The Smurf method sets the source IP address to the victim's IP address and then sends ICMP packets (usually ECHO requests) to multiple servers. The servers that receive these packets are deceived by the spoofed source and return ECHO responses (Type = 0) to the victim, so junk traffic piles up at the victim's door.

This method has one more hop in its path than the two above: the deceived host (called the "reflection source"). Therefore, whether a reflection source is efficient or inefficient affects the result of the ICMP flood!

Simple diagram:

Counterfeit the victim's ICMP response

Attacker [IP = 211.97.54.3] ---------> normal host ------> victim [intercept attacker IP = ...... Netease?!] ==>

The above are several common ICMP flood methods. During the test, I found an interesting phenomenon: some firewalls can only intercept ICMP ECHO request packets (Ping) and turn a blind eye to other ICMP messages. I don't know if this happens with other firewalls. So when you want to deal with your enemies without knowing how to deal with them, try to avoid a direct ECHO flood, and use ECHO response of Type = 0 or timestamp of Type = 14 for better results. Other types of ICMP messages have not been tested in detail. You can try to see if the special messages with Type = 3, 4, and 11 are more effective.
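A defender-side view of the three forms above, as an added example that is not part of the original article: it labels each second of ICMP traffic arriving at a protected host as direct, forged-source, reflection or non-echo, treating echo replies that answer no outbound request as the reflection signal. The host address, the threshold and the packet tuples are constructed assumptions.

```python
from collections import Counter, defaultdict

PROTECTED = "192.0.2.10"   # assumed protected host (documentation address)
RATE_LIMIT = 100           # assumed per-second alert threshold

def classify(packets):
    """packets: (second, src, dst, icmp_type, ident, seq) tuples seen at the perimeter."""
    pending = set()                    # echo requests the protected host really sent
    counts = defaultdict(Counter)      # second -> inbound packet classes
    senders = defaultdict(set)         # second -> distinct sources of echo requests
    for sec, src, dst, typ, ident, seq in packets:
        if src == PROTECTED and typ == 8:
            pending.add((dst, ident, seq))
        elif dst != PROTECTED:
            continue
        elif typ == 8:
            counts[sec]["echo_request"] += 1
            senders[sec].add(src)
        elif typ == 0 and (src, ident, seq) in pending:
            pending.discard((src, ident, seq))       # answer to our own ping
        elif typ == 0:
            counts[sec]["unsolicited_reply"] += 1    # reply nobody asked for
        else:
            counts[sec]["other_type"] += 1           # missed by an echo-request-only filter
    alerts = {}
    for sec, c in sorted(counts.items()):
        if c["unsolicited_reply"] > RATE_LIMIT:
            alerts[sec] = "reflection"
        elif c["echo_request"] > RATE_LIMIT:
            # Heuristic: one sender suggests a direct flood, many suggest forged sources
            alerts[sec] = "direct" if len(senders[sec]) == 1 else "forged-source"
        elif c["other_type"] > RATE_LIMIT:
            alerts[sec] = "non-echo"
    return alerts

def sample():
    """Constructed traffic: one legitimate ping, then one second of each pattern."""
    pk = [(0, PROTECTED, "198.51.100.7", 8, 1, 1), (0, "198.51.100.7", PROTECTED, 0, 1, 1)]
    pk += [(1, "203.0.113.5", PROTECTED, 8, 9, i) for i in range(150)]
    pk += [(2, f"10.0.0.{i + 1}", PROTECTED, 8, 9, i) for i in range(150)]
    pk += [(3, f"198.51.100.{i % 50 + 1}", PROTECTED, 0, 7, i) for i in range(150)]
    pk += [(4, "203.0.113.5", PROTECTED, 14, 0, 0)] * 150   # Type = 14, as named in the article
    return pk

if __name__ == "__main__":
    print(classify(sample()))
```

Rate limiting or filtering applied only to Type = 8 would act on seconds 1 and 2 of this sample and pass seconds 3 and 4 untouched, which is the firewall gap the article observes.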
