Home > CAPEC List > CAPEC-285: ICMP Echo Request Ping (Version 2.11)  

CAPEC-285: ICMP Echo Request Ping

ICMP Echo Request Ping
Definition in a New Window Definition in a New Window
Attack Pattern ID: 285
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An adversary sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss. Performing this operation for a range of hosts on the network is known as a 'Ping Sweep'. While the Ping utility is useful for small-scale host discovery, it was not designed for rapid or efficient host discovery over large network blocks. Other scanning utilities have been created that make ICMP ping sweeps easier to perform. Most networks filter ingress ICMP Type 8 messages for security reasons. Various other methods of performing ping sweeps have developed as a result. It is important to recognize the key security goal of the adversary is to discover if an IP address is alive, or has a responsive host. To this end, virtually any type of ICMP message, as defined by RFC 792 is useful. An adversary can cycle through various types of ICMP messages to determine if holes exist in the firewall configuration. When ICMP ping sweeps fail to discover hosts, other protocols can be used for the same purpose, such as TCP SYN or ACK segments, UDP datagrams sent to closed ports, etc. The adversary's goal is to discover as many potential targets as possible can utilize a wide range of techniques to achieve this end. ICMP pings have the following characteristics:

  • 1. Host Discovery: Can be used to discover if a host is alive via ICMP Echo Reply Message
  • 2. Effective Against: LANs or Internal IP address ranges where firewall or ACL rules are less restrictive
  • 3. Weak Against: Firewalls properly configured to block ICMP Echo Request and Echo Replies.
  • 4. Port State: Unable to determine the status of ports on a host.
+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities


Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: Internet Control Messaging Protocol
Protocol Header 1
Protocol RFCProtocol Field NameProtocol Field DescriptionProtocol Operation CodeProtocol Data
RFC 792
The ICMP Type Field determines the function of the ICMP query. A Type 8 message directs the target to reply to the sender of the echo request message with an echo reply message. In forming an echo reply the source and destination addresses are switched, the Type field is set to '0', any data contained in the data portion of the echo request is sent "echoed" back to the host, and the checksum is recalculated.
ICMP echo requests may contain arbitrary data as a payload. When the ICMP Type is 8 (echo request), the data received in the echo message must be returned in the echo reply message.
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites
  • The ability to send an ICMP type 8 query (Echo Request) to a remote target and receive an ICMP type 0 message (ICMP Echo Reply) in response. Any firewalls or access control lists between the sender and receiver must allow ICMP Type 8 and ICMP Type 0 messages in order for a ping operation to succeed.

+ Typical Severity


+ Resources Required

Scanners or utilities that provide the ability to send custom ICMP queries.

+ Keywords
  • Ping
+ References
[R.285.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pp. 44-51. 6th Edition. McGraw Hill. 2009.
[R.285.2] [REF-23] J. Postel. "RFC792 - Internet Control Messaging Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc792.html>.
[R.285.3] [REF-24] R. Braden, Ed.. "RFC1122 - Requirements for Internet Hosts - Communication Layers". October 1989. <http://www.faqs.org/rfcs/rfc1122.html>.
[R.285.4] [REF-28] Mark Wolfgang. "Host Discovery with Nmap". November 2002. <http://nmap.org/docs/discovery.pdf>.
[R.285.5] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Section 3.5.2 Ping Scan (-SP), pg. 58. 3rd "Zero Day" Edition,. Insecure.com LLC, ISBN: 978-0-9799587-1-7. 2008.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Description Summary, Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2017