ping hardly needs an introduction. It is the network troubleshooting tool that reports whether a remote node is reachable: ping sends an ICMP Echo Request to the remote node, which should answer with an ICMP Echo Reply. Because ping, and ICMP in general, can be used very effectively to map out a network, many packet filters and firewalls are configured to drop ICMP altogether for tighter security. That is a blunt instrument, since ICMP also carries the error messages (Destination Unreachable, Time Exceeded) that path MTU discovery and traceroute depend on.
Besides checking whether a node responds (and similar simple connectivity questions), ping can help troubleshoot other network problems. Today, though, we look at the opposite use: how someone can overload a server's network by sending it a flood of ping requests, and how to rate-limit such a flood with iptables and firewalld.
Denial-of-Service Attacks
DoS attacks are based on the idea of flooding your system with packets to disrupt or seriously degrade your Internet connection, tying up local servers to the extent that legitimate requests can’t be honored or, in the worst case, crashing your system altogether. The two most common results are keeping the system too busy to do anything useful and tying up critical system resources.
You can’t protect against DoS attacks completely. They can take as many different forms as the attacker’s imagination allows. Anything that results in a response from your system, anything that results in your system allocating resources (including logging of the attack), anything that induces a remote site to stop communicating with you—all can be used in a DoS attack.
These attacks usually involve one of several classic patterns, including TCP SYN flooding, ping flooding, UDP flooding, fragmentation bombs, buffer overflows, and ICMP routing redirect bombs.
What is a ping flood attack? Why should you worry?
- A ping flood is a denial-of-service attack in which the attacker tries to overwhelm a targeted device with ICMP Echo Requests, so that the target becomes inaccessible to normal traffic.
- On Linux it is produced with the -f (flood) parameter of the ping command: ping then outputs packets as fast as replies come back or 100 times per second, whichever is greater, which can quickly cause trouble on an already burdened network. Only the superuser may use -f with a zero interval. The same option is legitimately used to simulate a heavily loaded network or to put additional load on a target machine during testing.
- It is most successful if the attacker has more bandwidth than the victim.
- If the target system is slow enough, the flood can consume enough of its CPU cycles for users to notice a significant slowdown.
- PING-based Distributed Denial of Service (DDoS) attacks are infamous: they are known to have brought down high-profile web sites such as eBay, E*Trade and Yahoo, and they have also been used in an attempt to bring down the entire Internet by attacking its DNS root servers.
- A ping flood is a Layer-3 attack in the TCP/IP suite. Earlier work (see the references) showed that a simple ping attack can keep the target host busy processing the requests at 100% CPU utilization.
Here we send a ping flood (ping -f) from server-1 to server-2:
As you can see, there is 0% packet loss: 12935 packets were transmitted in 658 ms, roughly 20,000 echo requests per second, and server-2 answered every one of them.
Lab Environment
I have two virtual machines running CentOS 7 and CentOS 8 Linux. Their hostnames are server-1 and server-2. In all my examples server-1 is the client (the host sending the flood) and server-2 is the server, so all iptables or firewalld changes are made on the server node, i.e. server-2.
Example-1: Stop ICMP ping flood attack (IPv4) with iptables
It is always recommended to BLOCK all incoming requests to your Linux server and only allow what your ALLOW rules permit. But before you set the policy to DROP, at least allow port 22 so that you can still reach the server over SSH. If the server also opens connections itself (package updates, DNS), you will additionally want an ESTABLISHED,RELATED accept rule for their return traffic; place it after the ICMP rule below, because conntrack tracks ICMP by its id field and counts repeated echo requests from the same ping process as ESTABLISHED once the first reply has been seen.
~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Now set the default policy of the INPUT chain to DROP, so that anything not matched by an ACCEPT rule is discarded:
~]# iptables -P INPUT DROP
List the applied rules:
~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Now we apply a hashlimit to ICMP type 8, which is Echo Request. hashlimit in srcip mode keeps one token bucket per source address, so one flooding host is throttled without affecting pings from anyone else (the plain limit match would share a single bucket). The --ctstate NEW,RELATED,ESTABLISHED part is needed because conntrack tracks ICMP by its id field: after the first reply, further requests from the same ping process are ESTABLISHED rather than NEW, so matching only NEW would count just the first packet.
~]# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-name PING --hashlimit 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-htable-expire 300000 -j ACCEPT
List the applied rules:
~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW,RELATED,ESTABLISHED limit: up to 15/sec burst 5 mode srcip htable-expire 300000
...
Now attempt to send a ping flood from server-1 to server-2:
So we have not blocked ICMP Echo Requests completely; we applied a per-source hashlimit, which is why there is 84% packet loss instead of 100%. That figure is what the rule predicts: ping -f sends at least 100 requests per second, and the rule answers 15 per second plus a burst of 5. Note that the DROP policy still discards every other ICMP type, including Destination Unreachable and Time Exceeded, which path MTU discovery and traceroute rely on; add ACCEPT rules for those types if the server needs them.
Example-2: Stop ICMP ping flood attack (IPv6) with iptables
Similar to IPv4, we can control ICMPv6 Echo Requests by applying a hashlimit to IPv6 traffic with ip6tables. ICMPv6 uses its own type numbers: Echo Request is type 128, not 8. Again allow SSH first:
~]# ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
Then set the INPUT policy to DROP. Be aware that this also drops the ICMPv6 Neighbor Discovery messages (types 133 to 136) that IPv6 cannot operate without, as well as the error types 1 to 4 (including Packet Too Big, which drives path MTU discovery); once the neighbor cache entries time out, the host loses IPv6 connectivity. On a host that must keep IPv6 working, add ACCEPT rules for those types before relying on this policy:
~]# ip6tables -P INPUT DROP
Now apply hash limit to ICMPv6 type 128 using the following rule:
~]# ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-name PING --hashlimit 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-htable-expire 300000 -j ACCEPT
List the applied rules for IPv6:
~]# ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request ctstate NEW,RELATED,ESTABLISHED limit: up to 15/sec burst 5 mode srcip htable-expire 300000
...
Verify that ICMPv6 Echo Requests are now limited on the node where we applied the ip6tables rule:
78% of our ping6 packets were dropped, so the hashlimit is working as expected.
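The Example-1 and Example-2 steps above, collected into one script. This is an added example, not the article's own script: it keeps the article's rate, burst and expiry values but adds the pieces a production host needs (loopback, return traffic for the server's own connections, the ICMPv6 types a host cannot function without), orders the rules so the limit is evaluated before the generic ESTABLISHED,RELATED rule, and sets the DROP policy last so a live SSH session is not cut off half-way. The hashlimit table names PING4/PING6, SSH on port 22 and the DRY_RUN convention are my assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script: Example-1 (IPv4) and
# Example-2 (IPv6) rulesets for server-2 in a safe order. Rate, burst and
# expiry are the article's; PING4/PING6, port 22 and DRY_RUN are assumptions.
# Usage: DRY_RUN=1 sh ping-flood-rules.sh apply   # review the commands
#        sh ping-flood-rules.sh apply             # as root, apply them
set -eu

DRY_RUN="${DRY_RUN:-0}"
RATE="${RATE:-15/sec}"
BURST="${BURST:-5}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# hashlimit match: one token bucket per source address (srcip mode), forgotten
# after 300 s of silence; $1 is the hash table name.
hashlimit_args() {
    printf '%s' "-m hashlimit --hashlimit-name $1 --hashlimit $RATE --hashlimit-burst $BURST --hashlimit-mode srcip --hashlimit-htable-expire 300000"
}

# Common INPUT rules. $1 = iptables|ip6tables, $2 = protocol name,
# $3 = type option, $4 = Echo Request type, $5 = hashlimit table name.
install_rules() {
    tool=$1; proto=$2; typeopt=$3; etype=$4; name=$5
    run "$tool" -A INPUT -i lo -j ACCEPT
    run "$tool" -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Echo Request is limited BEFORE the generic ESTABLISHED,RELATED rule:
    # conntrack keys ICMP on its id field, and after the first reply every
    # further request from the same ping process is ESTABLISHED, so a generic
    # ESTABLISHED rule ahead of the limit would wave the whole flood through.
    # The explicit DROP keeps the excess from reaching that rule.
    run "$tool" -A INPUT -p "$proto" "$typeopt" "$etype" $(hashlimit_args "$name") -j ACCEPT
    run "$tool" -A INPUT -p "$proto" "$typeopt" "$etype" -j DROP
    run "$tool" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$tool" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

apply_ipv4() {
    install_rules iptables icmp --icmp-type echo-request PING4
    run iptables -P INPUT DROP          # policy last: nothing is cut off mid-way
}

apply_ipv6() {
    install_rules ip6tables ipv6-icmp --icmpv6-type 128 PING6
    # RFC 4890: never drop ICMPv6 error types 1-4 (Packet Too Big drives path
    # MTU discovery) or Neighbor Discovery 133-136 (router/neighbor
    # solicitation and advertisement); without ND the host loses IPv6 entirely.
    for t in 1 2 3 4 133 134 135 136; do
        run ip6tables -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    run ip6tables -P INPUT DROP
}

case "${1:-}" in
    apply) apply_ipv4; apply_ipv6 ;;
esac
```

Run it once with DRY_RUN=1 to review the exact iptables and ip6tables commands, then as root without DRY_RUN. The explicit DROP right after the hashlimit ACCEPT is what makes the ordering safe: excess echo requests never reach the ESTABLISHED,RELATED rule, while the server's own outbound connections and the ICMP errors related to them still get through.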
Example-3: Protect against ping flood DoS attacks using firewalld (IPv4)
In this example we use firewalld to control a ping flood based DoS attack. firewalld offers several ways to do this; we apply a direct rule, which is more or less a one-to-one mapping to an iptables rule. Direct rules are evaluated before the zone rules, and this one uses the inverse form of the match, --hashlimit-above with -j DROP: only requests from a source that exceeds 15 per second (plus a burst of 5) are dropped, and everything else continues into normal zone processing.
~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-above 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name PING --hashlimit-htable-expire 300000 -j DROP
With the direct rule in place, set the public zone's target to DROP so that everything the zone does not explicitly allow (the ssh service is allowed there by default) is dropped:
~]# firewall-cmd --permanent --zone=public --set-target=DROP
Activate the changes:
~]# firewall-cmd --reload
You can list the applied direct rules using:
~]# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-above 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name PING --hashlimit-htable-expire 300000 -j DROP
Verify if ping flood traffic is blocked by firewalld:
So 49% of the flood requests are dropped, which means our rule is working as expected.
Example-4: Protect against ping flood DoS attacks using firewalld (IPv6)
Similar to IPv4, we can limit ping flood requests for IPv6 using a firewalld direct rule. Note that ICMPv6 Echo Request is type 128 (type 8 means something else in ICMPv6), so the rule must name 128:
~]# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 -m icmpv6 --icmpv6-type 128 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-above 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name PING --hashlimit-htable-expire 300000 -j DROP
Activate the changes:
~]# firewall-cmd --reload
Currently I don't have an IPv6 environment with firewalld to test this rule, but if you face any issues then let me know using the comments section.
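The Example-3 and Example-4 direct rules in one script, with the ICMPv6 Echo Request type set to 128. This is an added example, not the article's own script or any firewalld-provided tooling: it keeps the article's rate, burst and expiry values and its --hashlimit-above / -j DROP form; the hash table names PING_ipv4/PING_ipv6 and the DRY_RUN convention are my assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script: firewalld direct rules for
# Example-3 (IPv4) and Example-4 (IPv6). Direct rules sit ahead of the zone
# chains, so only the excess from one source address is dropped; everything
# else, including under-limit pings, continues into normal zone processing.
# Rate/burst/expiry are the article's; PING_ipv4/PING_ipv6 and DRY_RUN are
# assumptions.
# Usage: DRY_RUN=1 sh firewalld-ping-limit.sh apply   # review the commands
#        sh firewalld-ping-limit.sh apply             # as root, apply them
set -eu

DRY_RUN="${DRY_RUN:-0}"
RATE="${RATE:-15/sec}"
BURST="${BURST:-5}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = ipv4|ipv6, $2 = protocol/match name, $3 = type option, $4 = Echo Request type.
# --hashlimit-above matches only the packets beyond RATE (plus BURST) from one
# source address, so the DROP never touches a well-behaved pinger.
add_limit_rule() {
    run firewall-cmd --permanent --direct --add-rule "$1" filter INPUT 0 \
        -p "$2" -m "$2" "$3" "$4" \
        -m hashlimit --hashlimit-name "PING_$1" \
        --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-mode srcip --hashlimit-htable-expire 300000 -j DROP
}

apply() {
    add_limit_rule ipv4 icmp   --icmp-type   8     # ICMP Echo Request
    add_limit_rule ipv6 icmpv6 --icmpv6-type 128   # ICMPv6 Echo Request (not 8)
    # As in the article: everything the public zone does not explicitly allow
    # (the ssh service is allowed there by default) is dropped.
    run firewall-cmd --permanent --zone=public --set-target=DROP
    run firewall-cmd --reload
}

case "${1:-}" in
    apply) apply ;;
esac
```

After applying, firewall-cmd --direct --get-all-rules should list both rules; a ping -f from server-1 should then show partial loss for IPv4 and IPv6 alike, while a normal one-per-second ping is answered every time.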
Conclusion
In this article we looked at ICMP, the Internet Control Message Protocol, and at ping flood based DoS attacks. ICMP doesn't use ports: it is carried directly inside IP (protocol number 1 for ICMP, next header 58 for ICMPv6) and identifies its messages by a type and code instead. Since we wanted to limit ICMP Echo Requests, we applied iptables and firewalld rules that rate-limit ICMP type 8 and ICMPv6 type 128 per source address, rather than blocking ICMP altogether.
References
PING attack – How bad is it?
What is a Ping Flood | ICMP Flood | DDoS Attack Glossary
Ping (ICMP) flood DDoS attack
Is there any drawback/limitation in the syncookie implementation for IPv6?
Because currently I'm using Linux 4.19 with syncookies enabled as net.ipv4.tcp_syncookies=1.
I used the netwox tool to simulate a TCP SYN flood for IPv4/IPv6.
I didn't observe any issue for IPv4.
But I observed that the CPU % for si spikes for a TCPv6 SYN flood. Also, ssh/ping is not working at that time for the IPv4/IPv6 address.
If we disable syncookies, as expected only ssh is not working during the TCPv6 SYN flood.