Measuring Global Risk of ICMP-based Amplification Attacks
Internet Control Message Protocol (ICMP) has largely been considered a non-threat in cybersecurity. But can it be exploited for amplification attacks?
I worked with my friends Ana and Mostafa to determine whether ICMP could be used to conduct an amplification denial-of-service (DoS) attack. ICMP-based amplification attacks are considered a solved problem in cybersecurity because they are easy to defend against, but previous “easy-to-defend” exploits have led to big problems, such as the Mirai botnet. We ran an experiment to ping 500,000 randomly selected IP addresses and found 805 vulnerable servers.
This finding means that an amplification DoS attack using ICMP is theoretically possible. We did some analysis on the results, finding that the overwhelming majority of these vulnerable servers come from Class C IP addresses, corresponding to smaller networks or individual operators. We concluded that the risk is not high due to the small size of the vulnerable networks, but it is not nonexistent and may be difficult to mitigate.
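The analysis step described above (deciding which responders amplify, and grouping them by classful address range) can be reproduced offline on the raw measurements. The following is an added example, not code from the project or its authors: it takes a constructed list of (responder IP, bytes sent, bytes received) records, computes the bandwidth amplification factor for each (reply size divided by request size), keeps only responders whose replies are larger than the request, and tallies them by the historical IPv4 classes A through E from the first octet (0-127, 128-191, 192-223, 224-239, 240-255). The record format and the sample values are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample measurements: (responding IP, bytes sent, bytes received).
# These are illustrative values, not data from the experiment described above.
SAMPLE_RECORDS = [
    ("10.20.30.40", 64, 64),      # Class A, reply same size as request
    ("172.16.5.9", 64, 128),      # Class B, reply twice the request size
    ("192.168.77.12", 64, 1280),  # Class C, reply 20x the request size
    ("203.0.113.5", 64, 600),     # Class C, reply ~9.4x the request size
    ("198.51.100.7", 64, 64),     # Class C, no amplification
    ("192.0.2.200", 64, 32),      # Class C, reply smaller than request
    ("100.64.1.1", 64, 0),        # Class A, nothing came back
    ("224.0.0.1", 64, 64),        # Class D, no amplification
]


def ip_class(ip: str) -> str:
    """Return the historical IPv4 class (A-E) based on the first octet."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def amplification_factor(bytes_sent: int, bytes_received: int) -> float:
    """Bandwidth amplification factor: reply bytes per request byte."""
    if bytes_sent <= 0:
        raise ValueError("bytes_sent must be positive")
    return bytes_received / bytes_sent


def find_amplifiers(records, threshold: float = 1.0):
    """Return (ip, factor) pairs whose reply exceeds the request by more than
    `threshold`, sorted from the largest factor down."""
    amplifiers = []
    for ip, sent, received in records:
        factor = amplification_factor(sent, received)
        if factor > threshold:
            amplifiers.append((ip, factor))
    amplifiers.sort(key=lambda pair: pair[1], reverse=True)
    return amplifiers


def tally_by_class(amplifiers) -> Counter:
    """Count amplifying responders per historical address class."""
    return Counter(ip_class(ip) for ip, _ in amplifiers)


def summarize(records) -> dict:
    """Aggregate a scan: how many hosts answered, how many amplify,
    the largest factor seen, and the per-class breakdown of amplifiers."""
    responders = sum(1 for _, _, received in records if received > 0)
    amplifiers = find_amplifiers(records)
    return {
        "responders": responders,
        "amplifiers": len(amplifiers),
        "max_factor": amplifiers[0][1] if amplifiers else 0.0,
        "by_class": dict(tally_by_class(amplifiers)),
    }


if __name__ == "__main__":
    for ip, factor in find_amplifiers(SAMPLE_RECORDS):
        print(f"{ip:16} class {ip_class(ip)}  BAF {factor:.2f}")
    print(summarize(SAMPLE_RECORDS))
```

On the constructed records this reports three amplifying responders (two in Class C, one in Class B) and a peak factor of 20; the real data would replace `SAMPLE_RECORDS` with the measured sizes, and the threshold can be raised above 1.0 to ignore marginal cases such as ICMP replies padded by a few bytes.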