How to stop ICMP ping flood attack (DOS) on Linux



I really don't think ping needs any sort of introduction. ping is a network troubleshooting tool that reports whether or not a remote node is reachable. ping sends an ICMP echo request to the remote node that should then reply with an ICMP echo reply. Because ping and ICMP can be used very effectively to map out a network, many network packet filters and firewalls are configured to drop ICMP to provide tighter security.

Besides checking whether a node is responding (and other simple connectivity issues), ping can also be used to troubleshoot other network-related matters. Today, however, we discuss a scenario in which someone overloads a server's network by sending a flood of ping requests.

 

Denial-of-Service Attacks

DoS attacks are based on the idea of flooding your system with packets to disrupt or seriously degrade your Internet connection, tying up local servers to the extent that legitimate requests can’t be honored or, in the worst case, crashing your system altogether. The two most common results are keeping the system too busy to do anything useful and tying up critical system resources.

You can’t protect against DoS attacks completely. They can take as many different forms as the attacker’s imagination allows. Anything that results in a response from your system, anything that results in your system allocating resources (including logging of the attack), anything that induces a remote site to stop communicating with you—all can be used in a DoS attack.

These attacks usually involve one of several classic patterns, including TCP SYN flooding, ping flooding, UDP flooding, fragmentation bombs, buffer overflows, and ICMP routing redirect bombs.

 

What is a ping flood attack? Why should you worry?

  • A ping flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device, causing the target to become inaccessible to normal traffic.
  • It relies on the -f (flood) parameter of the ping command, which causes Linux to send ICMP echo requests as fast as possible and can quickly cause problems on already burdened networks.
  • The parameter can be used to create a load that simulates a heavy network or to create an additional load on the target machine.
  • In flood mode, ping outputs packets as fast as replies come back or 100 times per second, whichever is greater.
  • It is most successful if the attacker has more bandwidth than the victim.
  • If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown.
  • Ping-based Distributed Denial of Service (DDoS) attacks are infamous: they are known to have brought down high-profile web sites such as eBay, E*Trade and Yahoo, and they have also been used in an attempt to bring down the entire Internet by attacking its DNS root servers.
  • The ping flood attack is a Layer-3 attack in the TCP/IP suite. Earlier work shows that a simple ping attack can keep the target host busy processing the ping requests, consuming 100% of its CPU.

Here we are sending a ping flood from server-1 to server-2:
[Screenshot: ping flood from server-1 to server-2]

As you can see, there is ~0% packet loss and almost 12935 packets were transmitted in 658 ms.
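As an added example (not part of the original article), the following Python script shows what a server-side check for such a flood can look like: it parses the kernel's ICMP counters from /proc/net/snmp and computes the rate of incoming Echo Requests (the InEchos counter) between two snapshots. The two snapshots embedded below are constructed, not captured from server-2, and the alert threshold of 100 packets per second is an arbitrary assumption to be tuned per host.

```python
import time

# Constructed /proc/net/snmp excerpts (NOT captured from a real host).
# The real file holds several sections (Ip:, Icmp:, Tcp:, Udp:, ...), each
# as a header line of counter names followed by a line of values with the
# same prefix. Only the Icmp section is used here; the Ip section is kept
# to show that the parser skips what it does not need.
ICMP_HEADER = ("Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InTimeExcds "
               "InParmProbs InSrcQuenchs InRedirects InEchos InEchoReps "
               "InTimestamps InTimestampReps InAddrMasks InAddrMaskReps "
               "OutMsgs OutErrors OutDestUnreachs OutTimeExcds OutParmProbs "
               "OutSrcQuenchs OutRedirects OutEchos OutEchoReps OutTimestamps "
               "OutTimestampReps OutAddrMasks OutAddrMaskReps")

SNAPSHOT_T0 = "\n".join([
    "Ip: Forwarding DefaultTTL InReceives InHdrErrors",
    "Ip: 2 64 120345 0",
    ICMP_HEADER,
    "Icmp: 1500 0 0 12 0 0 0 0 1480 8 0 0 0 0 1492 0 12 0 0 0 0 0 1480 0 0 0 0",
])

# Same (constructed) host one second later while a ping flood is arriving:
# InEchos jumped from 1480 to 14480.
SNAPSHOT_T1 = "\n".join([
    "Ip: Forwarding DefaultTTL InReceives InHdrErrors",
    "Ip: 2 64 133400 0",
    ICMP_HEADER,
    "Icmp: 14500 0 0 12 0 0 0 0 14480 8 0 0 0 0 14492 0 12 0 0 0 0 0 14480 0 0 0 0",
])


def parse_snmp(text):
    """Return {section: {counter_name: int}} from /proc/net/snmp text."""
    sections, pending = {}, {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        fields = rest.split()
        if name not in pending:
            pending[name] = fields          # first line of a section: names
            continue
        headers = pending.pop(name)         # second line: values, same prefix
        if len(headers) != len(fields):
            raise ValueError(f"{name}: {len(headers)} names but {len(fields)} values")
        sections[name] = dict(zip(headers, map(int, fields)))
    return sections


def echo_request_rate(before, after, interval_s):
    """Incoming ICMP Echo Requests per second between two snapshots."""
    delta = (parse_snmp(after)["Icmp"]["InEchos"]
             - parse_snmp(before)["Icmp"]["InEchos"])
    if delta < 0:
        raise ValueError("InEchos went backwards (counters reset?)")
    return delta / interval_s


FLOOD_THRESHOLD_PPS = 100  # assumed alert threshold; tune for your host


def is_ping_flood(before, after, interval_s, threshold=FLOOD_THRESHOLD_PPS):
    return echo_request_rate(before, after, interval_s) > threshold


def sample_live(interval_s=1.0, path="/proc/net/snmp"):
    """Take two real snapshots interval_s apart (Linux only) and return the rate."""
    with open(path) as f:
        before = f.read()
    time.sleep(interval_s)
    with open(path) as f:
        after = f.read()
    return echo_request_rate(before, after, interval_s)


if __name__ == "__main__":
    rate = echo_request_rate(SNAPSHOT_T0, SNAPSHOT_T1, 1.0)
    print(f"incoming echo requests: {rate:.0f}/s, "
          f"flood={is_ping_flood(SNAPSHOT_T0, SNAPSHOT_T1, 1.0)}")
```

On the constructed snapshots the rate comes out at 13000 requests per second, well above the assumed threshold; on a real server-2 you would call sample_live() from a cron job or monitoring agent and alert on the returned value. Because the counters are cumulative since boot, only the difference between two readings is meaningful.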

 

Lab Environment

I have two virtual machines running CentOS 7 and 8 Linux. The hostnames of these VMs are server-1 and server-2. In all my examples I will use server-1 as my client and server-2 as my server, so all the iptables or firewalld related changes must be done on the server node, i.e. server-2 for us.

 

Example-1: Stop ICMP ping flood attack (IPv4) with iptables

It is always recommended to BLOCK all incoming requests to your Linux server and only allow requests as per the ALLOW rules. But before you DROP all incoming requests, at least allow port 22 so that you are still able to connect to your server using SSH.

~]# iptables -A INPUT -p tcp  --dport 22 -j ACCEPT

Now set the default policy of the INPUT chain to DROP so that every incoming request not matched by an ACCEPT rule is discarded:

~]# iptables  -P INPUT DROP

List the applied rules:

~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now apply a hash limit to ICMP type 8, which is Echo Request. The rule below accepts at most 15 echo requests per second per source IP, with a burst of 5, and tracks each source in a hash table entry that expires after 300000 ms:

~]# iptables  -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-name PING --hashlimit 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-htable-expire 300000 -j ACCEPT

List the applied rules:

~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request ctstate NEW,RELATED,ESTABLISHED limit: up to 15/sec burst 5 mode srcip htable-expire 300000
...

Now attempt to send ping flood from server-1 to server-2:
How to stop ICMP ping flood attack (DOS) on Linux

So we have not completely blocked ICMP packets; instead we applied a hash limit to mitigate ping flood attacks, which is why there is 84% packet loss instead of 100%.
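To make the 15/sec and burst 5 numbers concrete, here is an added Python model of the hashlimit match in srcip mode as a per-source token bucket. It is not code from the article or from netfilter, and it simplifies the kernel's integer credit bookkeeping, but the behaviour is the one the iptables rules in Example-1 and Example-2 enforce and, inverted via --hashlimit-above ... -j DROP, the firewalld direct rules in Example-3 and Example-4 enforce as well. The traffic it runs is constructed: one source flooding at 100 echo requests per second for one second next to a normal host pinging once per second for ten seconds.

```python
from collections import defaultdict
from fractions import Fraction


class PerSourceHashlimit:
    """Simplified model of iptables -m hashlimit --hashlimit-mode srcip.

    Every source address gets its own bucket holding at most `burst`
    tokens, refilled at `rate` tokens per second. A packet is accepted
    only if a whole token is available. Exact Fractions keep the
    arithmetic free of floating point drift.
    """

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self._bucket = {}  # src -> (credits, last_seen)

    def allow(self, src, now):
        now = Fraction(now)
        # A source seen for the first time starts with a full bucket,
        # which is what lets a short burst through before limiting kicks in.
        credits, last = self._bucket.get(src, (self.burst, now))
        credits = min(self.burst, credits + (now - last) * self.rate)
        if credits >= 1:
            self._bucket[src] = (credits - 1, now)
            return True
        self._bucket[src] = (credits, now)
        return False


def simulate(packets, rate_per_sec=15, burst=5):
    """Run (time_s, src) packets through the limiter in time order.

    Returns {src: (accepted, dropped)} using the article's 15/sec, burst 5
    defaults.
    """
    limiter = PerSourceHashlimit(rate_per_sec, burst)
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(packets, key=lambda p: Fraction(p[0])):
        stats[src][0 if limiter.allow(src, t) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def loss_percent(accepted, dropped):
    total = accepted + dropped
    return round(100 * dropped / total) if total else 0


# Constructed traffic (not a capture): a flood source sending 100 echo
# requests per second for one second, and a normal host pinging once a
# second for ten seconds. Addresses are from the documentation range.
FLOOD_SRC = "192.0.2.10"
NORMAL_SRC = "192.0.2.20"
SAMPLE_PACKETS = ([(Fraction(i, 100), FLOOD_SRC) for i in range(100)]
                  + [(Fraction(i, 1), NORMAL_SRC) for i in range(10)])


if __name__ == "__main__":
    for src, (ok, dropped) in simulate(SAMPLE_PACKETS).items():
        print(f"{src}: accepted={ok} dropped={dropped} "
              f"loss={loss_percent(ok, dropped)}%")
```

The flood source ends up with 19 accepted and 81 dropped packets (81% loss, in the same range as the 84% seen above), while the normal host loses nothing: the burst of 5 is spent in the first 50 ms, after which only 15 packets per second get through, and a host that pings once per second never empties its bucket. Raising --hashlimit-burst lets a longer initial burst through; lowering --hashlimit trims the steady-state rate.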

 

Example-2: Stop ICMP ping flood attack (IPv6) with iptables

Similar to IPv4, we can also control ICMPv6 Echo Requests by applying a hash limit to IPv6 traffic. To limit ping floods for IPv6 packets you must apply the ip6tables rule to ICMPv6 type 128 (Echo Request).

First of all, set the default policy of the ip6tables INPUT chain to DROP. Note that this also discards ICMPv6 Neighbor Discovery messages (types 133 to 137), which IPv6 needs in order to work on the local link, so allow those explicitly before relying on a DROP policy:

~]# ip6tables -P INPUT DROP

Now apply hash limit to ICMPv6 type 128 using the following rule:

~]# ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-name PING --hashlimit 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-htable-expire 300000 -j ACCEPT

List the applied rules for IPv6:

~]# ip6tables -L
Chain INPUT (policy DROP)
target     prot opt     source               destination
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request ctstate NEW,RELATED,ESTABLISHED limit: up to 15/sec burst 5 mode srcip htable-expire 300000
...

Verify that ICMPv6 Echo Requests are now rate limited on the node where we applied the ip6tables rule:
[Screenshot: ping6 flood from server-1 to server-2 with the hash limit in place]

78% of our ping6 packets were dropped, so our hash limit is working as expected.

 

Example-3: Protect against ping flood DoS attacks using firewalld (IPv4)

In this example we will use firewalld to control ping-flood-based DoS attacks. There are different ways to use firewalld; here we apply a direct rule, which is more or less a one-to-one mapping to iptables. Note that the rule is written the other way round from Example-1: --hashlimit-above matches the packets that exceed the limit, and those are dropped, so no separate ACCEPT rule is needed.

~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-above 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name PING --hashlimit-htable-expire 300000 -j DROP

Activate the changes:

~]# firewall-cmd --reload

You can list the applied direct rules using:

~]# firewall-cmd --get-all-rules --direct
ipv4 filter INPUT 0 -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-above 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name PING --hashlimit-htable-expire 300000 -j DROP

Verify that ping flood traffic is limited by firewalld:
[Screenshot: ping flood from server-1 to server-2 with the firewalld direct rule in place]

49% of the flood requests are dropped, which means our rule is working as expected.

 

Example-4: Protect against ping flood DoS attacks using firewalld (IPv6)

Similar to IPv4, we can also limit ping flood requests for IPv6 using firewalld. As in Example-2, the ICMPv6 Echo Request type is 128. You may add this direct rule in your environment:

~]# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p icmpv6 -m icmpv6 --icmpv6-type 128 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m hashlimit --hashlimit-above 15/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name PING --hashlimit-htable-expire 300000 -j DROP

Activate the changes:

~]# firewall-cmd --reload

Currently I don't have an IPv6 environment with firewalld to test this rule, but if you face any issues then let me know using the comments section.

 

Conclusion

In this article we explored ICMP, i.e. the Internet Control Message Protocol, and covered the areas related to ping flood based DoS attacks. ICMP doesn't use ports; instead it works at a lower level, carried directly inside IP packets. But ICMP does have types to identify its messages. Since we wanted to limit ICMP Echo Requests, we applied our iptables and firewalld rules to the ICMP and ICMPv6 Echo Request types.

 


Deepak Prasad


1 thought on “How to stop ICMP ping flood attack (DOS) on Linux”

  1. Is there any drawback/limitation in the syncookie implementation for IPv6?

    Because currently I’m using Linux 4.19 with syncookies enabled as net.ipv4.tcp_syncookies=1.

    I used the netwox tool to simulate a TCP SYN flood for IPv4/IPv6.

    I didn’t observe any issue for IPv4.
    But I observed the CPU % for si hitting a spike during the TCPv6 SYN flood. Also, ssh/ping is not working at that time for the IPv4/IPv6 address.

    If we disable syncookies, as expected only ssh is not working during the TCPv6 SYN flood.
