ICMP (Internet Control Message Protocol)

Hello David

Indeed, ICMP can be leveraged for various attacks including ping flood, ping of death, ICMP smurf attacks, ICMP redirect attacks, and various others. Most of these are DoS attacks. In any case, they all exploit ICMP’s fundamental mechanisms and features for malicious purposes.

There are various ways to deal with these, but arguably the most effective (and simplest to employ) is to disable responses to ICMP completely. You will often see this approach on routers that are found on the Internet. If you have done a traceroute to a destination on the Internet, you will see that some hops along the way don’t respond. This is because they have been configured not to respond to ICMP messages for security reasons.

Now this solution is not always preferable for the reasons you stated in your post. Ping and traceroute are valuable utilities for troubleshooting networks. So there are two primary approaches:

  1. If you choose to disable ICMP completely, then you must use other methods to troubleshoot. This can include using tools like:
    • traceroute with TCP or UDP - On Linux for example, the traceroute command by default uses UDP, not ICMP. You can use traceroute -T which will conduct a “traceroute-like procedure” using TCP instead.
      ◦ TCP and UDP port scans can also be used to determine if devices are active and listening on those particular ports
    • On a local network, you can use ARP to find the MAC address associated with a particular IP address, and thus you can also identify which devices are currently active on the local network.
    • Monitoring tools - Using SNMP, Netflow, or other network monitoring tools and protocols, you can determine device connectivity without using ICMP.
    • Other options include using DNS queries, SSH, Telnet, and application-level health checks.
  2. The other approach is to not disable ICMP but to implement strategies that will help mitigate the risks associated with ICMP while still maintaining its benefits. This approach can include:
    • Selectively filtering ICMP traffic based on ICMP message types and geographical blocking of particular IP addresses
    • Rate limiting ICMP packets to avoid DoS attacks
    • Actively monitoring ICMP traffic on the network to preemptively deal with attacks

There is no single best solution for all cases, it should be examined on a case by case basis. Disabling ICMP completely is easiest, but if you need ping and traceroute for troubleshooting (as well as for other possible features) then the alternative is to mitigate any such attacks as described above.

I hope this has been helpful!
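As an added illustration of the second approach (example code, not part of the original post), the following Python sketch applies a per-type ICMP policy: it passes echo reply, destination unreachable and time exceeded (which traceroute and path MTU discovery depend on), drops redirects, and rate-limits echo requests per source with a token bucket. The type numbers are the RFC 792 assignments; the rate, burst and sample addresses are constructed values.

```python
import struct
from collections import defaultdict

# ICMP type numbers from RFC 792
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11

# Policy: only these types pass; REDIRECT is deliberately absent and is dropped.
ALLOWED_TYPES = {ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED}
RATE_LIMITED_TYPES = {ECHO_REQUEST}  # echo requests are the usual flood vector


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Assemble a message with a valid checksum (body = rest of header + data)."""
    draft = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(draft)) + body


def parse_icmp(packet: bytes):
    """Return (type, code), or None if the header is short or the checksum is bad."""
    if len(packet) < 8 or icmp_checksum(packet) != 0:  # valid message sums to zero
        return None
    return packet[0], packet[1]


class TokenBucket:
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def allow(self, now: float) -> bool:
        if self.last is not None:  # refill proportionally to elapsed time, capped at burst
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class IcmpFilter:
    def __init__(self, rate: float = 1.0, burst: int = 5):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))  # one bucket per source

    def decide(self, src: str, packet: bytes, now: float):
        hdr = parse_icmp(packet)
        if hdr is None:
            return "DROP", "malformed"
        icmp_type, _code = hdr
        if icmp_type not in ALLOWED_TYPES:
            return "DROP", "type %d not permitted" % icmp_type
        if icmp_type in RATE_LIMITED_TYPES and not self.buckets[src].allow(now):
            return "DROP", "rate limit exceeded"
        return "ACCEPT", "ok"
```

Production filtering belongs in the kernel or firewall (e.g. nftables rules keyed on `icmp type` with a `limit rate` expression); the sketch only makes the decision logic visible.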