PATHspider
Crawler User-Agent: pathspider
⚠️ Overview
PATHspider is an open-source network measurement tool originally developed by researchers at the University of Cambridge and the University of Waikato for analyzing IPv6 path MTU discovery (PMTUD) behavior across the Internet. Although designed for legitimate network diagnostics, its ability to send specially crafted ICMPv6 packets and probe router behavior makes it a favored weapon for reconnaissance and denial-of-service preparation by malicious actors. The tool is publicly available on GitHub under the MIT license and has been cited in academic papers on IPv6 security but lacks built-in authorization controls, allowing easy weaponization.
🔧 Technical Capabilities
PATHspider operates by sending a series of probe packets with varying sizes and the DF (Don't Fragment) flag set, then monitoring ICMPv6 "Packet Too Big" (PTB) responses to determine the path MTU. It can scan entire networks rapidly, testing multiple destination hosts for PMTUD failures. The tool supports IPv4 and IPv6, though it is primarily used for IPv6 attacks. Malicious deployment involves using PATHspider to identify networks that incorrectly respond to oversized packets, enabling bypass of firewalls or triggering fragmentation-based DoS conditions. It also records network topology data, such as hop counts and router addresses, which can aid further targeting. Because it uses raw sockets and ICMP, it can evade simple packet inspection and scale to thousands of probes per second.
📜 History & Notable Incidents
First released in 2016, PATHspider was presented at the ACM Internet Measurement Conference (IMC) and has been continuously updated with IPv6 compliance improvements. In 2022, security researchers demonstrated that a modified version of PATHspider could be used to perform "PMTUD reflection" attacks, amplifying ICMPv6 traffic against a victim by exploiting misconfigured routers. No specific CVE is tied to PATHspider itself, but it has been implicated in network fingerprinting campaigns against critical infrastructure. The tool's user base includes both academic researchers and black-hat actors who repurpose its measurement engine for malicious scanning.
🔍 Detection Indicators
PATHspider does not use a standard User-Agent string; its traffic is characterized by a high volume of ICMPv6 type 2 (Packet Too Big) messages originating from a single IP within a short timeframe. Behavioral fingerprints include probes that set the DF flag to 1 and carry payloads with padding to exceed the local MTU. Network monitoring tools can flag bursts of ICMPv6 packets with unique lengths (e.g., 1280, 1500 bytes) and identical DSCP markings. Additionally, PATHspider leaves log entries when it receives PTB responses, often resulting in repeated error messages on target routers.
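The burst indicator described above, as an added example (not from the original page or from the PATHspider project): a sliding-window counter over flow records that flags sources sending many ICMPv6 type 2 messages in a short time and reports the packet lengths seen. The record layout, the 10-second window, the threshold of 5 and the sample records are assumptions made for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address

ICMPV6_PTB = 2    # ICMPv6 type 2 = Packet Too Big
WINDOW_S = 10.0   # assumed meaning of "short timeframe"
THRESHOLD = 5     # assumed burst size; tune to your own baseline

# Constructed sample flow records: (timestamp_s, source, icmpv6_type, length).
# Addresses come from the 2001:db8::/32 documentation prefix.
SAMPLE = [
    (0.0, "2001:db8::bad", 2, 1280),
    (0.5, "2001:db8::2", 128, 64),                 # echo request, ignored
    (1.0, "2001:db8::bad", 2, 1500),
    (1.5, "2001:0db8:0:0:0:0:0:0bad", 2, 1280),    # same host, long form
    (2.0, "2001:db8::1", 2, 1280),
    (2.5, "2001:db8::bad", 2, 1500),
    (3.0, "2001:db8::bad", 2, 1280),
    (3.2, "2001:db8::bad", 2, 1500),
    (60.0, "2001:db8::1", 2, 1280),                # isolated, not a burst
]

def find_ptb_bursts(records, window=WINDOW_S, threshold=THRESHOLD):
    """Return {source: {"peak": n, "lengths": set}} for every source that
    sent at least `threshold` type 2 messages within `window` seconds."""
    recent = defaultdict(deque)   # source -> (ts, length) still in window
    alerts = {}
    for ts, src, icmp_type, length in sorted(records):
        if icmp_type != ICMPV6_PTB:
            continue
        src = str(ip_address(src))        # normalise IPv6 text forms
        q = recent[src]
        q.append((ts, length))
        while ts - q[0][0] > window:      # drop entries older than window
            q.popleft()
        if len(q) >= threshold:
            hit = alerts.setdefault(src, {"peak": 0, "lengths": set()})
            hit["peak"] = max(hit["peak"], len(q))
            hit["lengths"].update(l for _, l in q)
    return alerts

if __name__ == "__main__":
    for src, hit in find_ptb_bursts(SAMPLE).items():
        print(src, hit["peak"], sorted(hit["lengths"]))
```

Packet Too Big messages also occur during normal path MTU discovery, so the window and threshold need tuning against baseline traffic before the output drives any blocking.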
☠️ Risk & Impact
When used maliciously, PATHspider can map network segmentation policies, discover firewall rules that fail to block oversized packets, and identify targets vulnerable to fragmentation-based DoS attacks. It can also harvest router IP addresses for subsequent DDoS amplification campaigns. Exposure of misconfigured PMTUD implementations may allow attackers to disrupt connectivity or bypass security controls, leading to data exfiltration or lateral movement within a network.
🛡️ Mitigation
PATHspider is blocked immediately upon detection because its active probing indicates deliberate reconnaissance and violates acceptable use policies. Network defenders should deploy ICMPv6 rate limiting, filter out suspicious PMTUD probes, and block source IPs that exhibit the characteristic packet patterns. Since the tool has no legitimate use in production environments, any appearance justifies an automated blacklisting response.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.