ICMP and DDoS Attacks: A Medical Center Case Study

 

“Cybersecurity is not just about technology, It’s about the people who use it. It’s important to create a culture of security where everyone understands the risks and takes responsibility for protecting themselves and their organization.” - Stephania Mango

 

Working in cybersecurity at St. Gabriel’s Medical Center, I’ve seen firsthand how critical network reliability is in supporting healthcare operations. One recent incident underscored this importance. When medical center staff were unable to access the records server, our team faced an urgent issue: core medical operations were suddenly disrupted, affecting everything from patient records to timely diagnostics.

As a Network Engineer, I was responsible for investigating the issue, diagnosing the problem, and implementing an immediate solution to restore the center's functionality. What began as a routine network check quickly escalated when I realized I couldn’t remotely access the server.

Diagnosing the Network Issue

The records server at St. Gabriel’s Medical Center is the backbone of our digital infrastructure, supporting staff, physicians, and patient interactions with sensitive, real-time data. Any interruption in access could not only delay essential care but also pose a serious threat to patients’ health and privacy. Realizing the potential impact, I launched a preliminary Wireshark packet capture to analyze network traffic patterns. It was then that I noticed unusual spikes in traffic, suggesting a possible Distributed Denial of Service (DDoS) attack.



https://lh6.googleusercontent.com/DS0gIb-BFr_rOpW2gClOdSNxedpTQtAZlJH8gndIAFCday_qm15TvVVov7xUie60JuPV-n0ZTJxN5vJO-BzLr2_OPubwjT-b8OBqy2s07HMvqrcNhVJLiv8HjrgNOwuDGYfBCoT_WYZJILqK4dwGOA

Figure 1.0:  Client-Server Schema at St.Gabriel's Medical Center

Background: ICMP and DDoS

ICMP:

Internet Control Message Protocol, an integral part of the Internet Protocol Suite (TCP/IP) and operating at the Network Layer (Layer 3) of the OSI model provides a mechanism for network devices (e.g., routers and hosts) to communicate with each other for diagnosing network connectivity issues. Devices can transmit control messages and error reports using the ICMP. Moreover, ICMP is made to manage a wide range of situations, including controlling network congestion, reporting problems, and debugging network connectivity. A header and a data portion are both present in ICMP frame. Message type, code, checksum, and identifier/sequence number are a few of the fields found in the header while data portion may contain text or binary information. 

 

ICMP Type

Function

ICMP Type 8

Useful for network diagnostics, including measuring the round-trip time (RTT)

ICMP  Type 3

Indication that a destination host cannot be reached

ICMP Type 11

Routers send this message to let other devices know that an IP packet's Time-to-Live (TTL) value has run out

ICMP Type 5

Informs a host about a different, more effective route

 

DDoS:

A DDoS (Distributed Denial of Service) attack is a type of cyber attack that seeks to overload a target system, network with an influx of unauthorised traffic from multiple sources, impairing its functionality or preventing access for authorised users. 

In a DDoS attack, the intention of the attacker is to overwhelm the target (i.e. record server) with many requests that its resources, such as bandwidth, processing power, or memory, are completely exhausted. The target system may experience a slowdown, become unresponsive, or even crash because of this overload.  (figure 1.1)



A picture containing screenshot, diagram, text, design

Description automatically generated

                                               Figure 1.1

Normal ICMP Behaviour:

Below are some common types of normal ICMP messages when network is reachable:

https://lh5.googleusercontent.com/SzAwEX3l-yI03l96FyAm6X_jhiOrRKlGQJvdsCl_F8RYeet2mCjPsjVNFQtPIFeH8K24GvXtK6XB-zADH4z-jThmz950sEOi6nVsJxMewBs0wnDgkQLLwhskqtVHEnSFz7miIsxzw2TEQzwMCM3Qtw

                                               Figure 2.1: Normal ICMP messages in Wireshark

 

Herein, total 8 messages are displayed, 4 query and reply pairs- an Echo (ping) reply for every Echo (Ping) Request. Therefore, it ensures that the connectivity between the server and the user is reliable where the server replies back within a given time frame.

 

Observations of the captured wire shark file of medical center server (Abnormal Behaviour):

Using Wireshark, I reviewed ICMP traffic from the records server. Normally, ICMP traffic includes an echo request and response pattern, as shown in Figure 2.1. However, our analysis revealed an abnormally high volume of ICMP echo requests directed at the server’s IP (200.200.1.77), coming from multiple IP addresses and with unusually brief intervals between requests. The server wasn’t responding to these echoes, further indicating an overload and potential DDoS attack, as seen in Figure 3.1.

                                                    Figure 3.1: DDoS detection by Wireshark


Explanation of the capture file: Attack determination:

The data clearly pointed to a DDoS attack aimed at overwhelming our server with ICMP traffic, effectively blocking legitimate users and severely compromising availability—a key cybersecurity goal. This situation, defined as an “Active Attack,” involved deliberate attempts to disrupt server functionality, unlike passive attacks where data is merely observed without interference.

 

Analysis of the Potential Vulnerabilities: The potential underlying causes that may have facilitated the DDoS attack (based on the figure 3.1) would be the social and technical vulnerabilities in the network architecture of the St. Gabriel medical center that would include Network vulnerability, Server vulnerability, Social - cultural vulnerability of  staff as described below.


1.      Social Vulnerabilities

·       Inadequate security procedures: Users frequently disregard fundamental security procedures such as using weak passwords, failing to update software or firmware, or failing to put the required security safeguards in place on their devices. These flaws make equipment vulnerable to compromise and botnet inclusion.

·       IoT and Bots: The increase in the number of insecure IoT (Internet of Things) devices coupled with rise in automated bots to send echoes has led to DDoS attacks.


2.      Technical Vulnerabilities

·       Software flaws that can be exploited:  Network infrastructure with unpatched flaws can be used by attackers to overwhelm targets and create a DDoS attacks.

·       Insufficient network capacity and traffic management: A DDoS attack's enormous amount of malicious traffic can overload targeted networks or systems that are under-resourced or lack effective traffic filtering techniques.

·       Lack of traffic anomaly detection: It is difficult to recognise and mitigate irregular traffic patterns linked to DDoS attacks without efficient monitoring and detection tools.


In conclusion, these vulnerabilities may have been the subject of threats by hostile actors looking

to damage the service or reputation of the medical center. De-capacitating the server

would entail emboldening attackers and paving the way for future espionage attacks in

collaboration with DDoS, creating havoc in emergency Medicare service, threatening the

lives of vulnerable masses, sabotaging the trust people place in doctors and violating

humanity’s values.


Recommended Solutions:

Business Continuity and Disaster Recovery Plan :

A disaster recovery plan for a DDoS assault as shown in figure 4.1 should include the following essential components:

1. Detection strategy: Monitoring tools to quickly identify DDoS attacks.

2. Response and Mitigation strategy: Establish a response strategy that details what to do in the case of a DDoS assault, for e.g. how to alert IT employees, get in touch with impacted users and activate DDoS Protection Services.

3. Recovery and Corrective Strategy: Start the process of returning to normal operations once the assault has been contained. 

5. Prevention and Evaluation strategy: Conduct a post-incident review to find areas that may be improved and updated upon from time to time.

                                                        Figure :4.1  Disaster Recovery Plan

 

What is DDoS Protection Services?

DDoS Protection Services involves an amalgamation of Detection Prevention and Curative Strategies implemented across the 7 layers of OSI model that addresses the social and physical vulnerabilities of the server

 

Detection strategy:

Detective strategy is used to investigate about the cause of the incident by analyzing packet behaviour through the application of sniffer tools, activity log records, etc. as explained below:

·       Signature-based detection: By looking for recognisable patterns or signatures in the network the method compares network traffic to a database of recognised DDoS attack signatures. If a match is found, the technique can intervene to stop the attack from happening by blocking traffic coming from the attack's source.

Strengths: The approach can be used to determine the sort of DDoS attack being utilised, which can aid in choosing the best defences. 

Weakness of Detection: As signature-based detection may only identify established attack patterns, it may not be effective against fresh emerging threats that masquerade a recognizable pattern. 

Attacks that are sophisticated can utilise advanced ways to avoid being caught by this detection measures, for instance, patterns may use encryption or look like legal traffic.

·       Traffic rate-based detection: This tactic entails monitoring the flow of incoming traffic and looking out for any abrupt increases that might be a sign of a DDoS assault.

Weakness: Source of attacker can’t be known just by examining the traffic variations.

·       Protocol-based detection: This method examines the protocol being used in network traffic to find any suspicious activity that might point to a DDoS attack. It works by inspecting the headers of network packets to determine whether they are a part of a DDoS attack or a genuine communication. 

Strengths: The method can also be used to locate the attack's origin, which is helpful in pursuing legal action against the offender.

Challenges with Detection Strategy: to keep up with the emerging advanced nature of DDoS attacks, the cost of maintaining detection methods in place and keeping them upgraded can be expensive, especially for small businesses with limited funding.

 

Recovery and Corrective Strategies: After detecting the attack type, source, timing and causes of DDoS information, IT administrator should resort to next stage of disaster management i.e. corrective strategies as explained below:

  • Diverting traffic entails sending incoming traffic to a DDoS Protection Provider that uses the cloud to filter out dangerous data.
  • Filtering traffic entails identifying and blocking harmful traffic while allowing genuine traffic to get through using network filtering techniques. Some common filtering techniques that could be used are:

IP filtering, geo location filtering, protocol filtering, traffic rate filtering, behavioral filtering.

  • Rate-limiting: This can assist prevent the network from becoming overloaded by restricting the number of requests or connections from a single IP address or subnet. Most common techniques used for rate limiting are as follows:

o   bandwidth rate limiting that limits amount of bandwidth available for traffic to a server.   

o   Connecting rate limiting: that limits the number of connections that can be established with the server. This is achieved using firewalls, routers.

o   Request rate limiting: that limits the number of requests that can be put to a server. Its done through firewalls.   

o   Session rate limiting: that limits the number of sessions that can be established to a server. This is achieved through load balancers.

  • Scaling up resources: To manage the increased traffic load, scaling up resources entails increasing bandwidth, processing power, or other resources. This can be achieved by following techniques:

o   Load balancers: create multiple servers for distributing traffic.

o   Cloud based solutions: such as CDNs Content Delivery Networks can be used to distribute traffic into remote cloud database and thus scale up server resources.

o   Mirroring: create copies of critical hospital resources and distribute it among various servers.

  • Blackholing: This method effectively shuts down the website until the attack is over by blocking all traffic to the targeted IP address or range.

Challenges with Corrective Strategies:

  • Blackholing might take a toll on center’s operations and essential services indefinitely as one does not know till when the DDoS attack may last.
  • Mirroring, Load balancing, traffic diversion techniques are costly adding burden to infrastructure costs of the medical center.
  • The corrective strategy is dependent upon how long it takes to detect the problem in previous stage. Detection Latency means the delay in implementing the corrective measures due to delays in detection of the problem. Greg Tomsho, (2019).

Preventive Strategy:

After corrective strategy stage, we discuss the preventive strategy that should be implemented to prevent such an attack happening in future.

  • Use Performance Monitor Software to monitor if the amount of available memory, processing power of server is available in stock to support the operations. It triggers an automatic pre-emptive mail to I.T administrator whenever an resources availability falls below a limit.
  • Server application hardening can make a server more durable and less vulnerable to compromise by lowering the attack surface of a server and minimising the possibility for vulnerabilities.
  • Network segmentation is a security technique that involves dividing a network into smaller sub-networks, or segments, to reduce the impact of security breach. It can help mitigate the impact of a DDoS attack by limiting the spread of the attack and isolating affected systems. 
  • Web Content Filtering: is a security strategy that involves restricting access to web content by preventing traffic from known malicious sources such as well-known botnets that are frequently utilised in DDoS assaults. 
  • Access Control: is a security approach that restricts access to resources based on user identity using identity authentication. The number of people that have access to vital resources, such as servers and databases, can be restricted by putting access restrictions in place.
  • Threat Intelligence based on adversary tradecraft

Threat Intelligence based on adversary tradecraft can certainly help prevent DDoS attacks by providing insights into the tactics, techniques, and procedures (TTPs) of potential attackers. 


Final Thoughts

Working on the frontlines of cybersecurity in a healthcare setting has shown me that protecting a hospital’s digital infrastructure isn’t just about defending systems but about safeguarding the lives and trust of our community. Reflecting on this incident, it’s clear that a robust cybersecurity strategy & policy with robust documentation is need of the hour to ensure uninterrupted medical operations. By refining our response protocols and implementing preventive measures, we aim to safeguard our network infrastructure against possible future threats.



References

  1. Belding, G. (2020, January 8). Incident response ICMP protocol with Wireshark. Infosec Resources. https://resources.infosecinstitute.com/topic/icmp-protocol-with-wireshark/

  2. OneLogin (n.d.). What is a DDoS Attack? https://www.onelogin.com/learn/ddos-attack

  3. Cloudflare. (n.d.). Ping (ICMP) flood DDoS attack. https://www.cloudflare.com/learning/ddos/ping-icmp-flood-ddos-attack/

  4. Greg Tomsho Guide to Networking Essentials, 8th Edition, Chapter 14-Troubleshooting and Support, Approaches to Network Troubleshooting pg.738

 

Comments

Popular posts from this blog

A BIRD'S EYE VIEW OF CYBER SECURITY IN INDIA