Let's start with TCP IP internet layer ICMP flood. In this lecture, I will be talking about actually two varieties of the same attack. The first one is going to be as mentioned ICMP flood, which is a DoS attack, and the second one is going to be Smurf attack, which is nothing but a distributed version of ICMP flood. Simply plot is a Pink Floyd, which creates a denial of service where the attacker overwhelms the victim with ICMP echo requests. Let me just show you in the following slide here. I'm not going to go through all of them since this is actually a purity those course but in case you don't know them, I highly recommend to you to go back and review your knowledge.

So as the definition says, this attack exploits the request type, which is type eight actually, by sending requests from the client to the host excessively as I depict you one after many times. In other words, as the client sends all those requests, the host tries to reply to all of them back, which overwhelms the server and therefore, it becomes unavailable for delivering it serves. Long story short, it's a wall based attack, which exploits to ICMP type bait, which is the request type, and why it's called the DoS attack rather than a DDoS attack? Well, it's simple, because in this scenario, there's only one attacker, one attacker is trying to take down the host, that is the server. And the reason why only one attacker as a client can achieve that is simply because in such a case, attackers bandwidth is much bigger than the host bandwidth, since the attacker sends the ICMP requests without even expecting in the responses.

And this thanks to the bigger bandwidth can overwhelm the host and therefore make it on their way. And now the question is, can you do it in a DDoS fashion? And the answer is yes, you can and this is actually called the Smurf attack. This scenario, attacker by the help of a controller under his control sends this ICMP requests to multiple servers or multiple routers, and spokes his own IP. And if those routers are not configured properly to protect themselves against IP spoofing, they will answer for those ICMP requests by sending the request to the victim or back to the attacker. It means just by using his own bandwidth here, an attacker because of misconfigured routers, or misconfigured servers can exploit ICMP protocol and therefore can amplify his attack bandwidth towards the victim.

Here, though zombies are not necessarily under the full control of the attacker, in other words, they can be just misconfigured and non compromised regular servers or routers. Therefore being a zombie doesn't mean that you know they are compromised and they are under the control of attacker in the scenario It is enough that the attacker can only exploit the MIS configuration. So one takeaway is this attack doesn't mean that these machines or these routers are compromised. No, it's just the exploitation of mis configuration. After finding out about these two attack types, let's actually find out how to mitigate them as part of mitigation against ICMP bloat. The most obvious one is to configure individual hosts or routers not to respond to ICMP requests or broadcasts.

This is actually a fundamental rule. And in fact, most of our modern routers are set like that by default. So in most cases, you won't have to do any manual work in order to protect yourself against ICMP flood. However, it's still good to check in case there are some old routers which are misconfigured fact even if there are any misconfigurations most of our modern firewalls protect against ICMP flood by default. That means most of modern firewalls do not allow ICMP traffic to pass through the origin. However, in case you don't use any firewall, of course, then the first item, I'm checking the configuration, the proper configuration becomes even more important.

And when it comes to mitigation against Smurf attack, the first item is again the same, because you need to configure your routers properly in order to prevent not only attacks against your own environment, but also against turning your network components into zombies, while the attacker attacks to other networks. As you can see also in the second item, and again, most modern firewalls protect against a smurf attack by default. So in most cases, you won't have to do anything, but it's still better to check the configuration of your router. That is to say to verify that it's properly configured, and check that your firewall is set in its default settings, which in most cases should read the correct setting.