Network Security: ICMP Flood DoS Analysis and Remediation Report

Verified

Added on 2022/10/08

AI Summary

This report analyzes a network traffic sample from a denial-of-service (DoS) attack, specifically identifying it as an ICMP flood. The analysis details how the attack overwhelmed the network with excessive inbound traffic, causing a bandwidth shortage and ultimately, a network outage. The report explains the attack mechanism, including the use of large ICMP echo request packets, and discusses the relationship between inbound and outbound traffic. It also references CVE-2018-2671. Furthermore, the report provides a 1-page advisory for the company, outlining short-term remedies such as vulnerability scanning, penetration testing, and security updates, and long-term solutions like egress filtering and the implementation of IPtables rules to block malicious traffic. The report references several sources, including articles and research papers, to support its findings and recommendations.

1. What traffic is being observed, what kind of DoS is this, and how is it being
conducted.
After observing the network, the resources of the network were overwhelmed by
large number of incoming packets. The allocated bandwidth of the network was not
available as well. After a while, the network went offline. This kind of denial of
service is related to Internet Control Message Protocol (ICMP) Flood. Packets
containing random as well as fixed IP address were overwhelming the network.
This Inbound Traffic is conducted by sending internet control message protocol
echo request packets that are bigger than 65,507 bytes to the network amplifier. The
return address having been spoofed to the targets internet protocol address, the
reassembled fragments floods the Transfer Control Protocol/Internet Protocol stack.
2. What volume of traffic was directed at the victims of the DoS? What is the
relation between inbound and outbound traffic?
The inbound traffic was consuming the entire volume of traffic. Bandwidth. This is
because the targeted devices ability to respond to high number of requests was

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

overwhelmed. The number of devices in the botnet target was high hence the traffic
was substantial.
Inbound traffic is the information/ packets coming in to a particular network while
outbound traffic is the information/ packets going out of a network. These two traffic
go through a device called a router that has both a public and private IP address.
3. Prepare a 1-page advisory for the company explaining what the problem is,
linking to appropriate CVE entries, and suggest how they could be remediate
the issue both in the short term and what can be done to implement a more
permanent fix.
The current situation with the network is that you are facing an ICMP (Internet
Control Message Protocol) flood attack. This attack is flooding your network
causing Distributed Denial of Service due to capacity overload hence your network
infrastructure cannot cope. This attack has also lead to inaccessibility of shared
resources like main central database and printers.
The CVE entry of ICMP is as follows:
Vulnerability Details : CVE-2018-2671
CVSS Scores and Vulnerability Types
CVSS Score 4.9
Confidentiality Impact None
Integrity Impact None
Avaulability Impact Complete

Accessibility Complexity Low
Authentication Not required
Gained Access None
Vulnerability Types Distributed Denial of Service
CWE ID 284
Remedies
Short Term:
Scanning for and finding network Vulnerabilities.
Use standard practice like AVDS for discovering vulnerabilities. Before scanning for
vulnerabilities, make sure that you set the precise scope and frequency of the
network scan.
The scans should be carried out on weekly basis. If you have an existing scanning
solution, it should be easy, possible as well as affordable.
Penetration Testing.
Using AVDS is recommended since it uses behavior based testing that eliminates
false positive reports by other testing platform. Penetration testing procedures for
vulnerabilities discovery produces the highest rate of discovery accuracy, but
degrades its value. Pentesting accuracy, frequency and scope would best, done by
AVDS.
Security Update

With the fact that ICMP is one of the most common vulnerabilities, updating the
system would be best to mitigate this attack. Patches released by developers from
time to time help cub this problem.
Long Term Remedies.
Egress Filtering:
The inbound rules will protect the network from traffic outside the network that is
coming in to the network. While the outbound traffic will protect against outgoing
data packets from within the network. Inbound rules protects from disallowed
connection. Denial of service attack and malware.
IPtables rules
To block any incoming traffic from the attack system

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Reference:
Dr. Gerald 2006 The Basic Techniques Used by High Technology Chrime Miscreants
https://www.sciencedirect.com/topics/computer-science/denial-of-service
Mazerik 2018 ICMP Attacks https://resources.infosecinstitute.com/icmp-attacks/#gref
Soltanian 2016 Theoretical and Experimental Methods for Defending Against DDOS
Attacks, https://www.sciencedirect.com/topics/computer-science/denial-of-service
Mullins 2002 Understanding a Smurf attack is the first step toward thwarting one,
https://www.techrepublic.com/article/understanding-a-smurf-attack-is-the-first-step-toward-
thwarting-one/
Beaver 2017 Inbound vs. Outbound firwall rules: Comparing the diffrences
https://searchsecurity.techtarget.com/answer/Comparing-firewalls-Differences-between-an-
inbound-outbound-firewall
Dalziel 2018 5 Major Types of DOS Attack https://www.concise-courses.com/5-major-types-of-dos-
attack/
Walrand 2000 Control of Networks
https://www.sciencedirect.com/topics/computer-science/incoming-traffic
Willhelm 2013 Local System Attacks
https://www.sciencedirect.com/topics/computer-science/incoming-traffic
Woodberg 2007 Attack Detection and Defense https://www.sciencedirect.com/topics/computer-
science/incoming-traffic
Sanders 2014 Session Data https://www.sciencedirect.com/topics/computer-science/incoming-
traffic