# ICMP Flood Attack

Identifying ICMP (Internet Control Message Protocol) flood attacks is a critical aspect of maintaining network security and stability. An ICMP flood, commonly known as a ping flood, is a type of Denial-of-Service (DoS) attack in which the attacker overwhelms the target with ICMP echo-request (ping) packets. Each request also provokes an echo reply, so the victim spends bandwidth and CPU both receiving and answering the flood, which saturates links and disrupts the normal functioning of the target system, leading to slowdowns or complete unavailability of services. ICMP floods are particularly awkward to handle because echo requests are the same traffic used for routine diagnostics and monitoring: blocking ICMP outright has side effects, and detection has to rely on recognizing abnormal volume rather than an unusual packet type. Quick identification of these attacks is crucial for minimizing their impact, preserving network resources, and ensuring continuous service availability.

ElastiFlow provides a collection of anomaly detection jobs that identify ICMP flood attacks by monitoring flow records for abnormal volumes of ICMP traffic. The jobs are split by attack vector (direct, a single-source DoS, or distributed, a DDoS) and by traffic perspective (edge, inbound, outbound, private), so that each job baselines only the population of hosts it is meant to watch.

## Attributes

| Attribute                       | Information                                                                       |
| ------------------------------- | --------------------------------------------------------------------------------- |
| **Analysis Type**               | population                                                                        |
| **MITRE ATT\&CK Technique**     | [Network Denial of Service (T1498)](https://attack.mitre.org/techniques/T1498)    |
| **MITRE ATT\&CK Sub-Technique** | [Direct Network Flood (T1498.001)](https://attack.mitre.org/techniques/T1498/001) |
| **MITRE ATT\&CK Tactic**        | [Impact (TA0040)](https://attack.mitre.org/tactics/TA0040)                        |

## Downloads

| Schema    | Vector          | Perspective  | Link                                                                                                                                                                                  |
| --------- | --------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CODEX** | **direct**      | **edge**     | [elastiflow\_codex\_netsec\_icmp\_flood\_direct\_edge](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_icmp_flood_direct_edge.json) |
| **CODEX** | **direct**      | **inbound**  | [elastiflow\_codex\_netsec\_icmp\_flood\_direct\_in](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_icmp_flood_direct_in.json)     |
| **CODEX** | **direct**      | **outbound** | [elastiflow\_codex\_netsec\_icmp\_flood\_direct\_out](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_icmp_flood_direct_out.json)   |
| **CODEX** | **direct**      | **private**  | [elastiflow\_codex\_netsec\_icmp\_flood\_direct\_priv](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_icmp_flood_direct_priv.json) |
| **CODEX** | **distributed** | **edge**     | [elastiflow\_codex\_netsec\_icmp\_flood\_ddos\_edge](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_icmp_flood_ddos_edge.json)     |
| **CODEX** | **distributed** | **inbound**  | [elastiflow\_codex\_netsec\_icmp\_flood\_ddos\_in](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_icmp_flood_ddos_in.json)         |
| **CODEX** | **distributed** | **outbound** | [elastiflow\_codex\_netsec\_icmp\_flood\_ddos\_out](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_icmp_flood_ddos_out.json)       |
| **CODEX** | **distributed** | **private**  | [elastiflow\_codex\_netsec\_icmp\_flood\_ddos\_priv](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/codex/netsec_ddos/netsec_icmp_flood_ddos_priv.json)     |
| **ECS**   | **direct**      | **edge**     | [elastiflow\_ecs\_netsec\_icmp\_flood\_direct\_edge](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_icmp_flood_direct_edge.json)     |
| **ECS**   | **direct**      | **inbound**  | [elastiflow\_ecs\_netsec\_icmp\_flood\_direct\_in](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_icmp_flood_direct_in.json)         |
| **ECS**   | **direct**      | **outbound** | [elastiflow\_ecs\_netsec\_icmp\_flood\_direct\_out](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_icmp_flood_direct_out.json)       |
| **ECS**   | **direct**      | **private**  | [elastiflow\_ecs\_netsec\_icmp\_flood\_direct\_priv](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_icmp_flood_direct_priv.json)     |
| **ECS**   | **distributed** | **edge**     | [elastiflow\_ecs\_netsec\_icmp\_flood\_ddos\_edge](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_icmp_flood_ddos_edge.json)         |
| **ECS**   | **distributed** | **inbound**  | [elastiflow\_ecs\_netsec\_icmp\_flood\_ddos\_in](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_icmp_flood_ddos_in.json)             |
| **ECS**   | **distributed** | **outbound** | [elastiflow\_ecs\_netsec\_icmp\_flood\_ddos\_out](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_icmp_flood_ddos_out.json)           |
| **ECS**   | **distributed** | **private**  | [elastiflow\_ecs\_netsec\_icmp\_flood\_ddos\_priv](https://github.com/elastiflow/elastiflow_for_elasticsearch/raw/master/ml/ecs/netsec_ddos/netsec_icmp_flood_ddos_priv.json)         |

By deploying this suite of anomaly detection jobs, network administrators can quickly detect the onset of ICMP flood attacks, enabling them to take timely actions such as rate-limiting or filtering ICMP echo requests at the edge, adjusting firewall rules, or engaging their ISP for upstream mitigation. Prompt detection and response to ICMP flood attacks are key to maintaining the resilience and reliability of network infrastructures in the face of such disruptive cyber threats.
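The jobs above are Elastic ML configurations. As an added illustration of the population analysis they perform (this is example code written for this page, not ElastiFlow's code and not the logic inside the job JSON), the Python below classifies constructed flow records by perspective, sums ICMP echo-request packets per source (direct vector) or per destination (distributed vector), and flags members that stand far above the rest of the population. The record field names, the RFC 1918 definition of internal address space, the perspective mapping, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

ICMP_PROTO = 1          # IP protocol number for ICMP
ICMP_ECHO_REQUEST = 8   # ICMP type 8 = echo request (ping)

# Assumed definition of "internal" address space: RFC 1918 only. (Python's
# ip_address(...).is_private also matches documentation ranges such as
# 203.0.113.0/24, which would misclassify the sample addresses below.)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


# Constructed sample flow records, not real traffic. Field names are assumptions
# for this example, not ElastiFlow's schema. One record per exported flow.
SAMPLE_FLOWS = [
    # one external host hammering two internal hosts with echo requests
    {"src": "203.0.113.10", "dst": "192.168.1.20", "proto": 1, "icmp_type": 8, "packets": 48000},
    {"src": "203.0.113.10", "dst": "192.168.1.21", "proto": 1, "icmp_type": 8, "packets": 52000},
    # routine monitoring pings from a few external hosts
    {"src": "198.51.100.5", "dst": "192.168.1.20", "proto": 1, "icmp_type": 8, "packets": 12},
    {"src": "198.51.100.6", "dst": "192.168.1.20", "proto": 1, "icmp_type": 8, "packets": 9},
    {"src": "198.51.100.7", "dst": "192.168.1.22", "proto": 1, "icmp_type": 8, "packets": 15},
    {"src": "198.51.100.8", "dst": "192.168.1.22", "proto": 1, "icmp_type": 8, "packets": 14},
    # high-volume echo replies and TCP are not echo requests and must not count
    {"src": "198.51.100.9", "dst": "192.168.1.22", "proto": 1, "icmp_type": 0, "packets": 80000},
    {"src": "198.51.100.9", "dst": "192.168.1.22", "proto": 6, "icmp_type": None, "packets": 90000},
    # private-to-private and outbound pings belong to other perspectives
    {"src": "192.168.1.30", "dst": "192.168.1.20", "proto": 1, "icmp_type": 8, "packets": 10},
    {"src": "192.168.1.31", "dst": "203.0.113.99", "proto": 1, "icmp_type": 8, "packets": 11},
]


def perspective(src, dst):
    """Assumed mapping of a flow to a perspective by address scope:
    internal->internal "private", internal->external "outbound",
    external->internal "inbound"; "edge" is treated below as either of
    the last two. external->external flows fit none of the four."""
    s_int, d_int = is_internal(src), is_internal(dst)
    if s_int and d_int:
        return "private"
    if s_int:
        return "outbound"
    if d_int:
        return "inbound"
    return "transit"


def echo_request_counts(flows, view, key):
    """Sum echo-request packets per population member within one perspective.
    key="src" builds the population for the direct vector (who is sending),
    key="dst" for the distributed vector (who is being hit)."""
    wanted = {"inbound", "outbound"} if view == "edge" else {view}
    counts = defaultdict(int)
    for f in flows:
        if f["proto"] != ICMP_PROTO or f["icmp_type"] != ICMP_ECHO_REQUEST:
            continue
        if perspective(f["src"], f["dst"]) in wanted:
            counts[f[key]] += f["packets"]
    return dict(counts)


def population_outliers(counts, z_threshold=3.5, min_packets=1000):
    """Flag members far above the rest of the population using a robust
    z-score (median and MAD), so one flooding member cannot drag the baseline
    up the way a mean would. z_threshold and min_packets are illustrative
    assumptions; min_packets stops tiny absolute counts from alerting when
    the population is very uniform. Returns {member: robust_z}."""
    if len(counts) < 3:          # too few members to form a population baseline
        return {}
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = 1.4826 * mad if mad > 0 else 1.0   # MAD is 0 when most members look alike
    return {
        m: round((c - med) / scale, 1)
        for m, c in counts.items()
        if c >= min_packets and (c - med) / scale > z_threshold
    }


def detect_icmp_flood(flows, view="inbound", vector="direct"):
    """Run one (vector, perspective) combination, mirroring the job matrix above."""
    key = "src" if vector == "direct" else "dst"
    return population_outliers(echo_request_counts(flows, view, key))


if __name__ == "__main__":
    for view in ("inbound", "outbound", "private", "edge"):
        print(view, "direct:", detect_icmp_flood(SAMPLE_FLOWS, view, "direct"))
```

Run it directly to see the inbound source 203.0.113.10 flagged while echo replies, TCP flows, and the few-packet monitoring pings are not. Using the median and MAD rather than the mean and standard deviation matters here: a single source sending 100,000 packets would otherwise pull the mean up enough to hide itself. This snapshot compares members only against each other at one moment; a real job additionally baselines each population over time.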
