Big Bad Botnets · Chapter 4 139

ICMP Attacks

ICMP flooding is an attempt to overwhelm a system with ICMP packets. These are usually either error messages of some sort, or ping Echo Request or Echo Response packets, but in a flood attack they're usually Echo Requests, often sent with "ping -f" so that fragmented packets aren't sent. Again, the intention is to keep the system so busy that it has no more resources to expend on valid traffic.

A Ping Flood is a simple attack, but can still be effective where the victim system has less bandwidth than the attacker. If the victim system is set to respond with Echo Reply packets, the effect of the attack is amplified by the fact that outgoing bandwidth is also depleted.

To mitigate the impact of a Ping Flood, Echo Request packets can be refused all the time, or refused if a volume threshold is exceeded. Either way, bandwidth wastage is reduced and the attacker gets less feedback on the effectiveness of the attack, but legitimate use of ICMP is impacted. Filtering only large Echo Request packets may be a useful compromise measure.

Figure 4.8 The Smurf Amplifier Registry
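The mitigation options described above (a volume threshold plus a size filter on Echo Requests) can be modelled as follows. This is an added example, not code from the book; the thresholds (5 packets per second, burst of 10, 128-byte payload cap), the single shared token bucket, and the packet trace with its documentation-range addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

ECHO_REQUEST = 8  # ICMP type number for Echo Request

@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str
    icmp_type: int
    size: int      # ICMP payload bytes, echoed back in any Echo Reply

class EchoRequestFilter:
    """Drop oversized Echo Requests; rate-limit the rest with a token bucket."""
    def __init__(self, rate=5.0, burst=10, max_size=128):  # assumed thresholds
        self.rate, self.burst, self.max_size = rate, burst, max_size
        self.tokens, self.last = float(burst), None

    def allow(self, pkt):
        if pkt.icmp_type != ECHO_REQUEST:
            return True                      # error messages etc. are not policed here
        if pkt.size > self.max_size:
            return False                     # size filter: large Echo Requests only
        if self.last is not None:            # refill for the time elapsed
            self.tokens = min(self.burst, self.tokens + (pkt.ts - self.last) * self.rate)
        self.last = pkt.ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False                         # volume threshold exceeded

def constructed_trace():
    """Constructed sample: one monitoring host plus two floods (documentation IPs)."""
    mon = [Packet(t, "192.0.2.10", ECHO_REQUEST, 56) for t in (0.0, 1.0, 1.4501, 2.0)]
    big = [Packet(0.5 + i * 0.001, "198.51.100.7", ECHO_REQUEST, 1400) for i in range(1000)]
    small = [Packet(1.2 + i * 0.0005, "198.51.100.7", ECHO_REQUEST, 56) for i in range(1000)]
    return sorted(mon + big + small, key=lambda p: p.ts)

def evaluate(trace, flt):
    """Return accepted counts per source and Echo Reply payload bytes never sent."""
    accepted, saved = {}, 0
    for pkt in trace:
        if flt.allow(pkt):
            accepted[pkt.src] = accepted.get(pkt.src, 0) + 1
        else:
            saved += pkt.size
    return accepted, saved

if __name__ == "__main__":
    print(evaluate(constructed_trace(), EchoRequestFilter()))
```

On this trace the size filter removes the whole large-packet flood without touching the bucket, while the small-packet flood exhausts the bucket and costs the monitoring host one of its four pings, which is the impact on legitimate ICMP use noted above.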