Exercise 5: Simulating a Ping Flood (ICMP DoS Attack)

Jan 5, 2025

Objective

Understand the impact of a ping flood attack (ICMP DoS) and explore defense strategies to mitigate it.

Scenario

You are part of the security team for a company that suspects its web servers could be vulnerable to Denial of Service (DoS) attacks. One common method used by attackers is the Ping Flood (ICMP Flood) attack, which overwhelms a system with ICMP Echo Requests, exhausting resources and making services unavailable. In this exercise, you will simulate a ping flood attack in a controlled environment, observe its effects, and implement mitigation strategies.

⚠️ Important: Perform this exercise only in a legal and controlled lab environment. Conducting unauthorized DoS attacks is illegal and unethical.


Lab Instructions

Step 1: Set Up the Lab Environment

  • Use two Linux machines in the same network:
    • Attacker Machine: Linux system with hping3 installed.
    • Target Server: Linux server to simulate the victim.

Step 2: Install hping3

  • On the Attacker Machine, install hping3:

sudo apt update
sudo apt install hping3 -y

Step 3: Launch a Ping Flood Attack

Start the attack from the Attacker Machine:

sudo hping3 -1 --flood -V <Target_Server_IP>
  • -1: ICMP mode (Ping).
  • --flood: Send packets as fast as possible.
  • -V: Verbose output.
  • Replace <Target_Server_IP> with the IP address of the target server.

Step 4: Monitor Server Performance

On the Target Server, monitor CPU and memory usage:

top
  • Observe CPU spikes and memory usage.

View incoming ICMP packets:

sudo watch -n 1 "netstat -s | grep 'icmp messages received'"
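The watch/netstat one-liner above shows a cumulative counter, so the rate of the flood has to be eyeballed from the difference between refreshes. The script below is an added example, not part of the original exercise: it reads the same counter directly from /proc/net/snmp (the file netstat -s reports from, which also works on minimal systems without net-tools), turns two samples into an echo-requests-per-second rate and flags it against a threshold. The 100/s threshold, the script name and the two embedded snapshots are constructed assumptions; real /proc/net/snmp lines carry many more columns, which is why the parser keys on column names rather than positions.

```shell
#!/bin/sh
# Added example (not the exercise's own code): per-second ICMP echo-request
# rate computed from /proc/net/snmp, with a simple threshold alert.
# Assumed threshold: 100 echo requests per second; tune it for your network.
set -eu

# Extract a named ICMP counter (e.g. InEchos) from /proc/net/snmp text on stdin.
# The file has a header line "Icmp: InMsgs ... InEchos ..." followed by a value
# line "Icmp: 12 0 ..." with the same column layout, so we look the column up
# by name in the header and print that column from the value line.
icmp_counter() {
  awk -v name="$1" '
    $1 == "Icmp:" && !idx { for (i = 1; i <= NF; i++) if ($i == name) idx = i; next }
    $1 == "Icmp:" && idx  { print $idx; exit }
    END { if (!idx) exit 1 }'
}

# Packets per second from two counter readings taken $3 seconds apart.
rate_per_sec() {  # $1 = previous reading, $2 = current reading, $3 = interval (s)
  echo $(( ($2 - $1) / $3 ))
}

# Classify a rate against the threshold; prints ALERT or ok.
classify() {  # $1 = rate, $2 = threshold
  if [ "$1" -ge "$2" ]; then echo ALERT; else echo ok; fi
}

# Live monitor for the target server: sample every INTERVAL seconds until
# interrupted, printing the rate and whether it crosses THRESHOLD.
monitor() {  # $1 = interval (s), $2 = threshold (pkt/s)
  interval="${1:-1}"; threshold="${2:-100}"
  prev=$(icmp_counter InEchos < /proc/net/snmp)
  while sleep "$interval"; do
    cur=$(icmp_counter InEchos < /proc/net/snmp)
    rate=$(rate_per_sec "$prev" "$cur" "$interval")
    printf '%s InEchos/s=%s %s\n' "$(date '+%T')" "$rate" "$(classify "$rate" "$threshold")"
    prev=$cur
  done
}

# Constructed, abbreviated /proc/net/snmp snapshots taken five seconds apart
# (sample data for this example, not captured from a real host).
SAMPLE_T0='Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 812
Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InEchos InEchoReps OutMsgs OutEchoReps
Icmp: 120 0 0 3 100 17 119 100
IcmpMsg: InType8 OutType0
IcmpMsg: 100 100'
SAMPLE_T1='Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 5902
Icmp: InMsgs InErrors InCsumErrors InDestUnreachs InEchos InEchoReps OutMsgs OutEchoReps
Icmp: 5120 0 0 3 5100 17 5119 5100
IcmpMsg: InType8 OutType0
IcmpMsg: 5100 5100'

# Rate implied by the two constructed snapshots: (5100 - 100) / 5 s.
demo_rate() {
  prev=$(printf '%s\n' "$SAMPLE_T0" | icmp_counter InEchos)
  cur=$(printf '%s\n' "$SAMPLE_T1" | icmp_counter InEchos)
  rate_per_sec "$prev" "$cur" 5
}

# Start the live monitor only when invoked as: icmp_rate.sh run [interval] [threshold]
if [ "${1:-}" = run ]; then
  monitor "${2:-1}" "${3:-100}"
fi
```

Run it on the Target Server while Step 3 is in progress, for example `sh icmp_rate.sh run 1 100`; the InEchos/s column is the number the mitigation in Step 5 is meant to bring down, and the ALERT/ok flag is the kind of signal a monitoring agent would turn into an alert.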

Step 5: Mitigate the Attack with iptables

Apply rate-limiting rules on the Target Server to mitigate the attack:

sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
  • The first rule allows only 1 ping per second.
  • The second rule drops excessive pings.

Step 6: Verify Mitigation Effectiveness

Re-run the ping flood attack:

sudo hping3 -1 --flood -V <Target_Server_IP>
  • Monitor the server again with top and netstat.
    • CPU and memory usage should remain stable.
    • ICMP packet rate should be controlled.

Step 7: View iptables Logs (Optional)

Check logs to confirm blocked pings:

sudo dmesg | grep ICMP

Solution & Explanation

How a Ping Flood Works

  • The attacker overwhelms the target server with ICMP Echo Requests.
  • The server attempts to respond to each request, consuming bandwidth and processing power.

Impact on Server Performance

  • Without Mitigation: CPU usage spikes, memory consumption increases, and the server may become unresponsive.
  • With Mitigation: The rate-limiting rules prevent resource exhaustion, maintaining server stability.

Mitigation Explanation

  • Rate-Limiting (iptables): Limits ICMP requests, reducing the impact of a flood attack.
  • Dropping Excessive Requests: Prevents unnecessary processing by dropping extra packets.

Testing & Verification

  • Confirm that server performance remains stable after applying rate-limiting rules.
  • Verify that excessive ICMP packets are dropped using logs.
  • Ensure that legitimate traffic is still allowed.

Additional Script (Optional)

Automate the mitigation setup with this script:

#!/bin/bash
# Apply ICMP rate-limiting rules: accept at most 1 echo request per second
# and drop the rest. Stop at the first failing command.
set -e
sudo iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Verify rules (-n skips reverse DNS lookups so the listing does not stall)
sudo iptables -L INPUT -v -n

Run the script:

chmod +x icmp_mitigation.sh
sudo ./icmp_mitigation.sh
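The two Step 5 rules have no LOG target, so the Step 7 check (`dmesg | grep ICMP`) only shows matches if something actually logs the drops, and running the script twice stacks a second copy of each rule. The script below is an added example, not the exercise's own script: it keeps the same accept/drop pair, inserts a rate-limited LOG rule between them with a prefix that dmesg can be grepped for, makes the burst allowance explicit (the `limit` match's default burst of 5 is what the page's first rule silently uses), and checks each rule with `iptables -C` before adding it so re-runs are idempotent. The `DRY_RUN` switch, the `apply|remove|status` sub-commands and the file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the exercise's own script): idempotent ICMP rate limiting
# with a rate-limited LOG rule, so the Step 7 dmesg check has lines to match.
# Assumptions: iptables is installed, real runs happen as root (sudo), and the
# INPUT chain's default policy is left as it is.
set -eu

RATE="${RATE:-1/s}"           # sustained echo-request rate to accept (the page's value)
BURST="${BURST:-5}"           # burst tolerated before limiting starts (assumed; also the match's default)
LOG_RATE="${LOG_RATE:-5/min}" # cap on log lines so the flood cannot also fill the kernel log
PREFIX="ICMP-FLOOD-DROP: "    # tag that appears in dmesg / the kernel log

# Wrapper around iptables. With DRY_RUN=1 it prints the command it would run
# and reports every rule as absent, so the logic can be exercised without root.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    [ "x$1" = "x-C" ] && return 1
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Append a rule to INPUT only if it is not already present (-C checks for it).
add_rule() {
  ipt -C INPUT "$@" 2>/dev/null || ipt -A INPUT "$@"
}

# Delete every copy of a rule from INPUT.
del_rule() {
  while ipt -C INPUT "$@" 2>/dev/null; do ipt -D INPUT "$@"; done
}

# The three rules, in the order netfilter must evaluate them:
#   1. accept echo requests within the rate/burst budget
#   2. log (itself rate-limited) what is about to be dropped
#   3. drop the rest
for_each_rule() {  # $1 = add_rule | del_rule
  "$1" -p icmp --icmp-type echo-request -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
  "$1" -p icmp --icmp-type echo-request -m limit --limit "$LOG_RATE" -j LOG --log-prefix "$PREFIX"
  "$1" -p icmp --icmp-type echo-request -j DROP
}

apply_rules()  { for_each_rule add_rule; }
remove_rules() { for_each_rule del_rule; }

# Show the chain header plus packet/byte counters for the echo-request
# (icmptype 8) rules only; the DROP counter is what rises during a flood.
show_status() {
  ipt -L INPUT -v -n --line-numbers | awk 'NR <= 2 || /icmptype 8/'
}

case "${1:-}" in
  apply)  apply_rules ;;
  remove) remove_rules ;;
  status) show_status ;;
  "")     ;;   # no argument: only define the functions
  *)      echo "usage: $0 apply|remove|status" >&2; exit 2 ;;
esac
```

Preview with `DRY_RUN=1 sh icmp_mitigation_v2.sh apply` (no root needed, nothing is changed), then `sudo sh icmp_mitigation_v2.sh apply`. During Step 6, `sudo sh icmp_mitigation_v2.sh status` shows the ACCEPT rule's counter creeping up at the configured rate while the DROP counter climbs with the flood, and `sudo dmesg | grep ICMP-FLOOD-DROP` shows the logged samples. Note that the limit is enforced after each packet has already crossed the link and entered netfilter: it removes the cost of generating replies, but a flood large enough to saturate the server's uplink has to be filtered upstream (router ACL, provider scrubbing), not on the host.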

Conclusion

In this exercise, you simulated a Ping Flood (ICMP DoS) attack and observed its impact on server performance. You applied rate-limiting rules using iptables to mitigate the attack, ensuring server stability. Understanding how to defend against DoS attacks is crucial for maintaining the availability and security of network services.
