ICMP is designed for error reporting and diagnostics. However, its simplicity and ubiquitous support make it a prime vector for legacy DoS attacks, covert data exfiltration, and network mapping.
A Smurf attack sends an ICMP Echo Request to a network's directed broadcast address (for example 192.0.2.255 for 192.0.2.0/24) with the source IP spoofed to the victim's address. Every host on that subnet that answers broadcast pings sends its Echo Reply to the victim, so one attacker packet becomes as many replies as there are responding hosts. The attack needs two things to work: an intermediary network whose router forwards directed broadcasts, and hosts on it that answer broadcast Echo Requests.
💡 Pro-tip: Most router platforms now ship with directed-broadcast forwarding disabled (RFC 2644 made that the recommended default), which removes the amplifying network from the equation. This only holds if every network between attacker and victim is configured that way, so the host-side control is still worth verifying; attackers actively scan for networks that still forward.
```bash
# Checking whether a Linux host answers Echo Requests sent to a broadcast address,
# i.e. whether it can be used as a Smurf amplifier. This is the host-side control;
# it is separate from the router's directed-broadcast forwarding setting.
sysctl net.ipv4.icmp_echo_ignore_broadcasts
```
A value of `1` (the Linux default) means the kernel silently drops Echo Requests addressed to broadcast or multicast addresses, so the host cannot be used as an amplifier. If it reads `0`, set it back to `1` and make the change persistent in a drop-in under `/etc/sysctl.d/`.
Because most perimeter policies let internal hosts ping out (Echo Request, Type 8) and a stateful firewall passes the matching Echo Reply (Type 0) back in, attackers can carry stolen data or C2 traffic inside the ICMP payload, chunked across a series of echo packets. The packets never traverse a web proxy, so controls that only inspect TCP/UDP flows never see them.
⚠️ Never allow unrestricted ICMP at the perimeter. Restrict it to the types the network actually needs: Type 0 (Echo Reply), Type 3 (Destination Unreachable, required for Path MTU Discovery), Type 8 (Echo Request) and Type 11 (Time Exceeded, used by traceroute). Cap the payload size (a default ping carries 56 bytes of data on Linux and 32 on Windows) and rate-limit echo traffic. This shrinks the covert channel's bandwidth rather than eliminating it, since data can still be encoded in small payloads, in the identifier and sequence fields, or in timing; pair the size limit with payload inspection and volume baselines.
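The two abuses described above, the broadcast-addressed Echo Request that triggers Smurf amplification and the echo payload used as a tunnel, can both be checked from a packet capture with the same parser. The following Python example is added here and is not part of the original lab: it builds raw IPv4/ICMP packets in memory (constructed sample traffic, no sockets), shows an attacker-style chunked tunnel encoder and decoder, and runs an audit that flags Echo Requests addressed to the monitored subnet's broadcast address and echo payloads that match neither the default iputils nor the default Windows ping payload. The payload templates, the `0xBEEF` tunnel identifier, the `audit`/`tunnel_encode` function names and all addresses are assumptions made for the demo.

```python
"""Added example: ICMP covert channel plus a capture-side audit for Smurf triggers and
non-standard echo payloads. All packets are constructed in memory; nothing is sent."""
import ipaddress
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
TUNNEL_IDENT = 0xBEEF  # assumed identifier the demo tunnel uses to tag its packets


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, icmp_type, ident, seq, payload):
    """Raw IPv4 (no options) + ICMP echo packet as it would appear in a capture."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(pkt):
    """Return (src, dst, icmp_type, ident, seq, payload), or None if not ICMP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:  # IPv4 protocol number 1 = ICMP
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return src, dst, icmp_type, ident, seq, pkt[ihl + 8:]


def tunnel_encode(src, dst, data, chunk=32):
    """Attacker side: split data across Echo Request payloads, ordered by sequence number."""
    return [build_packet(src, dst, ICMP_ECHO_REQUEST, TUNNEL_IDENT, i, data[off:off + chunk])
            for i, off in enumerate(range(0, len(data), chunk))]


def tunnel_decode(packets):
    """Receiver side: reassemble the tunnel's payloads in sequence order."""
    parts = {}
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed and parsed[3] == TUNNEL_IDENT:
            parts[parsed[4]] = parsed[5]
    return b"".join(parts[seq] for seq in sorted(parts))


# Default payloads of common ping implementations (assumed templates; confirm against
# captures from your own hosts): iputils sends a 16-byte timestamp followed by the
# bytes 0x10..0x37, Windows ping sends a fixed 32-byte alphabet string.
LINUX_PING_TAIL = bytes(range(0x10, 0x38))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def entropy(data):
    """Shannon entropy in bits per byte: 0 for constant data, 8 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def looks_like_ping(payload):
    return payload == WINDOWS_PING_PAYLOAD or (
        len(payload) == 56 and payload[16:] == LINUX_PING_TAIL)


def audit(packets, local_net):
    """Flag Smurf triggers (Echo Requests to the subnet broadcast) and echo payloads
    that match no known ping implementation, reporting entropy for triage."""
    broadcast = str(ipaddress.IPv4Network(local_net).broadcast_address)
    alerts = []
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, _ident, _seq, payload = parsed
        if icmp_type == ICMP_ECHO_REQUEST and dst in (broadcast, "255.255.255.255"):
            alerts.append(("smurf-trigger", src, dst, len(payload)))
        if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) and not looks_like_ping(payload):
            alerts.append(("nonstandard-payload", src, dst, round(entropy(payload), 2)))
    return alerts


def demo():
    """Constructed traffic: one normal ping, one Smurf trigger (spoofed source is the
    victim 198.51.100.7), and a two-packet tunnel carrying a constructed secret."""
    normal_payload = b"\x00" * 16 + LINUX_PING_TAIL
    benign = build_packet("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, 1, 1, normal_payload)
    smurf = build_packet("198.51.100.7", "10.0.0.255", ICMP_ECHO_REQUEST, 2, 1, normal_payload)
    secret = b"user=alice\npass=hunter2\nhost=db01.internal\n"  # constructed sample
    tunnel = tunnel_encode("10.0.0.5", "203.0.113.10", secret)
    return audit([benign, smurf] + tunnel, "10.0.0.0/24")
```

Calling `demo()` returns one `smurf-trigger` alert for the packet aimed at `10.0.0.255` and one `nonstandard-payload` alert per tunnel chunk, while the ordinary Linux ping produces nothing. In practice you would feed `audit()` packets pulled from a pcap and extend the allowlist to the ping implementations actually present on your network. The entropy figure is there for prioritisation, not as the trigger: compressed or encrypted exfiltration pushes it towards 8 bits per byte, plain text sits around 4 to 5, and a short chunk can look benign either way, so alert on the allowlist mismatch and use entropy and per-source volume to rank.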
| Attack | Mechanism | Weakness abused |
|---|---|---|
| Ping of Death | Fragments that reassemble to more than the 65,535-byte IP maximum | Reassembly code in legacy OS IP stacks |
| Smurf | Echo Request to a directed broadcast address with the victim as spoofed source | Networks that forward directed broadcasts and hosts that answer broadcast pings; the victim IP receives every reply |
| ICMP Tunneling | Data chunked into echo payloads | Egress policy that permits ICMP without inspecting payloads |