Ping Flood Attack

In the early days of the internet, hackers were just as green as security professionals. Here was this new method of connecting the world, but here was this new vector of wrecking people’s lives. When the internet went public in the mid-1990s, suddenly an entirely new playground had emerged for mischievous and devious individuals. Cybercriminals graduated from phone phreaking (a way of tricking phone operators into connecting you to locations you have no business accessing) to other, far more dangerous, methods of mischief and lawbreaking.

One of the things hackers sought to do was create an attack that could disrupt the daily activities of businesses, governments, and private users. As a result, one of the earliest attacks available was a Denial-of-Service (DoS) attack. A Denial-of-Service attack, as well as its more advanced cousin the Distributed-Denial-of-Service (DDoS) attack, seeks to render a network inoperable. It accomplishes this by overloading the communication chain between device and network so that legitimate requests cannot get through. Though the attacks have existed for literally decades, Denial-of-Service and Distributed-Denial-of-Service attacks continue in the 2020s to be a massive threat.

Some of the most prominent DoS and DDoS attacks involve ping queries. Incidentally, attacks using ping have been around a long time. Nevertheless, they still remain a danger to many unaware individuals. A fairly innocuous command, ping requests set out to check the connection of an IP address. In a hacker’s hands, however, the ping request can turn malicious. There are a few different ways that ping can be leveraged against a victim, but the most common today is a ping flood attack.

Despite its relative simplicity, one should not underestimate the power of a ping flood attack. It can disrupt your network, causing you to lose time and money. Even worse, the most novice of cybercriminals can pull it off. For this reason, it is vital to understand the ping flood in depth. This goes for blue teams, private users, or even corporate executives in charge of cybersecurity policy.

By the time you finish reading this brief overview, you will be able to not only recognize a ping flood attack but properly defend against it.

What is a Ping Flood Attack?

A ping flood is a rather simple attack to understand. The basic idea is to take ping packets, otherwise known as Internet Control Message Protocol (ICMP) “echo” requests, and “flood” a target until it is no longer functional. The flood function is ordinarily used to check for dropped packets, as every echo request sent also gets a response from the server. When used maliciously, the server cannot send responses to the ICMP echo requests fast enough. Eventually, a Denial-of-Service occurs due to this. It should be noted that ping flood attacks can also happen on multiple machines, thus making it a Distributed-Denial-of-Service attack. These days, ping flood attacks typically are found in the form of DDoS attacks, as botnets are more readily available than they were in the past.

Ping Flood vs. Ping of Death?

When discussing the ping flood, there can be some confusion by some due to another (somewhat) similar attack. The “ping of death” attack is relatively phased out nowadays, but because it causes a Denial-of-Service, it can be confused with the ping flood. The ping of death sends crafted malicious packets to a target. These are usually attacks that are exploiting a known unpatched vulnerability. The early years of the TCP/IP protocol allowed for a lot of these attacks, however, entering the 21st century caused the ping of death to be rendered fairly obsolete. Though there are notable exceptions, this is not pertinent to this report.

These days, if you hear about a ping attack causing a DoS or a DDoS attack, you are hearing most likely about a ping flood. Now that we’ve cleared that up, let’s move on to understand the ping flood more, and most importantly, how to defend against it.

How does a Ping Flood Work?

  • An attacker finds the static IP address of their desired target.
  • They decide on a method of attack. This can take the form of either one machine attacking (if they are inexperienced), or more likely these days, creating a botnet and configuring it for an attack.
  • The attack is carried out with a set of command-line configurations. The -n command sets how many times the ICMP echo request is sent. The -l command controls the amount of data sent in each ping. Finally the -t command determines the length of time a ping occurs before being timed out.
  • The host begins receiving the ICMP echo requests and responds to them accordingly.
  • Eventually the victim machine cannot handle the ping flood attack and gets knocked offline.

How is a Ping Flood Attack Mitigated?

There are certain ways that ping flood DoS and DDoS attacks can be defended against. One way is configuring your firewall to block pinging. This will not prevent an internal ping attack, but it will take care of any outside threats utilizing this specific attack. An issue with implementing this mitigation method is that you will not be able to test your server for connection issues.