Ping flood attack: How it works and how you can defend against it
Ping requests are small packets of data used by devices to test connectivity, but when sent in large numbers, they can flood a network with traffic and slow it down or even shut it down. This is called a ping flood attack (or ICMP flood). Learn everything you need to know about a ping flood – what it is and how you can avoid it.
Table of Contents
What is a ping flood attack?
A ping flood attack, also known as an Internet Control Message Protocol (ICMP) flood or ICMP flood attack, is a type of distributed denial-of-service (DDoS) attack that uses the ICMP to flood targeted machines with traffic.
Is there a difference between a ping flood and a DDoS attack? Yes. Ping flooding is usually categorized as a subset of DDoS attacks, while DDoS attacks aren’t always ping floods:
- A general DDoS attack bombards a device with network traffic and makes it inaccessible to others. The attacked device simply doesn’t have enough resources to handle all the traffic, so it slows down or shuts down – which is what attackers want.
- A ping flood attack uses a specific protocol, namely the Internet Control Message Protocol, to bombard a device with ICMP requests. When sent in large numbers, ICMP requests can overload the machine.
The ICMP protocol and ping flood attacks
Ping flood attacks use the Internet Control Message Protocol (ICMP). ICMP is used to determine whether communication between devices is running smoothly and to diagnose potential network errors.
Some of the most commonly used ICMP functions are ping and traceroute. They help users with network diagnostics:
- The traceroute command (tracert on Windows) sends a series of probes that measure the delay to each hop and display the route data packets take from location A to location B.
- The ping command is a simpler tool than traceroute. When used, the device sends an ICMP echo request. If the request reaches the target host, the host responds by sending back an ICMP echo reply. The time between sending the request and receiving the reply (the round-trip time) is also measured.
Ping requests don’t show traffic routes, but they are useful when checking whether a device connects to a specific server and how long data packets take to reach it.
You can test pinging an IP address yourself. Open a terminal, type “ping [target IP address],” and press Enter. For example, “ping 8.8.8.8” will send a ping request to Google’s DNS server and inform you about the connection speed and quality.
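To make the echo request/reply exchange above concrete, here is an added Python example (not code from the original article) that builds an ICMP echo request the way a ping tool does, validates the RFC 1071 checksum on a reply, and matches the reply to the outstanding request by identifier and sequence number to compute the round-trip time. It opens no socket: the packets are built in memory and the send/receive timestamps are constructed values.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type 8: echo request (what "ping" sends)
ICMP_ECHO_REPLY = 0     # type 0: echo reply (what the target sends back)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Validate the checksum and split an echo request/reply into its fields."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    if icmp_checksum(packet) != 0:            # a valid packet sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def match_reply(packet: bytes, outstanding: dict, now: float):
    """Return the round-trip time for a reply that answers a request we sent,
    or None if the reply is unsolicited (no matching id/seq)."""
    fields = parse_echo(packet)
    if fields["type"] != ICMP_ECHO_REPLY:
        return None
    sent_at = outstanding.pop((fields["id"], fields["seq"]), None)
    return None if sent_at is None else now - sent_at


def demo() -> float:
    """One request/reply exchange with constructed timestamps (no sockets)."""
    outstanding = {}                          # (id, seq) -> time sent
    payload = b"constructed ping payload"
    ident, seq = 0x1234, 1
    request = build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)
    outstanding[(ident, seq)] = 100.000       # pretend we sent it at t=100.000 s
    assert parse_echo(request)["type"] == ICMP_ECHO_REQUEST
    # The responder echoes id, seq and payload back unchanged, with type 0.
    reply = build_echo(ICMP_ECHO_REPLY, ident, seq, payload)
    return match_reply(reply, outstanding, 100.025)   # RTT = 25 ms


if __name__ == "__main__":
    print("rtt = %.3f s" % demo())
```

The identifier/sequence matching is what lets a ping tool tell its own replies apart from stray ones; a reply that matches nothing outstanding is exactly the kind of traffic a smurf victim receives.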
ICMP echo request and ping flooding
We’ve established that ping requests are used to test connection speeds and diagnose problems, and they work thanks to the ICMP protocol. However, they can also be abused, which is where the ICMP flood attacks come into the picture.
Every time an ICMP echo request is sent, the target network device has to use a small amount of its resources and bandwidth to process it and send back an ICMP echo reply. It’s easy to imagine that if the target computer received many such requests, they could overwhelm it completely. And that’s precisely how ICMP flooding works.
Hackers perpetrating such attacks use networks consisting of many devices. Sometimes they own these devices, but more often they infect random devices with malware, making them part of a botnet. In this way, attackers can multiply the number of ICMP echo request packets they send by hundreds.
Ping flood attack techniques
Although all ping flood attacks, by definition, use the ICMP, several types of attacks can be distinguished based on the methods used by the hackers. Here are the most important ones.
Smurf attacks
A smurf attack is an ICMP flood attack in which the attacker sends ping request packets, with the source address spoofed to the victim’s IP address, to the IP broadcast address of a router or firewall that is part of a large network.
The targeted router then delivers the request to the many devices that are part of that network. Because the attacker used the victim’s spoofed IP address, all of these hosts send their ICMP echo reply messages to the victim, flooding it with attack traffic.
Ping of death attacks
The IPv4 protocol limits the maximum packet size to 65,535 bytes, so a hacker cannot send a larger ICMP echo request in a single packet. They can, however, send a large packet in fragments. The target device then reassembles these fragments, and since most network stacks cannot handle a reassembled packet larger than the limit, they become overloaded and crash.
So, what is the ping of death command? It is an obsolete ping flood attack in which hackers wrote simple ping flood command loops that sent oversized ICMP echo requests again and again. Each fragment was within the size limit but the packet exceeded it once reassembled, causing the target device to malfunction.
SYN flood attacks
SYN floods aren’t ping flood attacks because they don’t use ICMP, but they’re worth knowing about.
A SYN flood attack abuses the TCP handshake, the process used to establish a connection between two devices. Under normal circumstances, the client sends a SYN packet and waits for a SYN/ACK response, which tells it that the request has been acknowledged. Then it sends an ACK packet, and the connection is established.
In a SYN flood attack, the attacker sends numerous SYN packets, usually via a botnet, causing the victim to respond to each one and keep the connection half-open, waiting for an ACK packet that never arrives. SYN packets continue to flood the victim, and since it spends its resources acknowledging and responding to them, legitimate traffic gets locked out, and the server cannot function normally.
Defending against ping flood attacks
A ping flood DDoS attack can cause a lot of damage by making the targeted device unresponsive to regular traffic, with consequences ranging from loss of reputation to financial losses. That’s why defense against all kinds of DDoS attacks is crucial.
Here are some strategies used by cybersecurity experts to protect networks from flooding:
- Limiting traffic rates. Rate limiting prevents the server from being flooded with traffic from single sources by setting a maximum number of ICMP requests processed in a certain amount of time. Requests that exceed the limit are deprioritized or blocked.
- Blocking ICMP functionality. Some network administrators block all ICMP functions, which prevents illegitimate ping requests from flooding servers. However, it also stops administrators from using the ping utility to diagnose server issues.
- Using third-party software. Some vendors offer services that help to mitigate DDoS attacks. They can, for example, filter out bogus traffic.
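As an added example (not code from the original article), the per-source token-bucket limiter below implements the first strategy, rate limiting, in Python: each source address gets its own bucket that refills at a fixed rate up to a burst size, an echo request is admitted only if a token is available, and the excess is dropped. The traffic it replays is constructed, and the rate and burst values are assumptions chosen for illustration.

```python
class TokenBucket:
    """Per-source bucket: `rate` tokens refill per second, up to `burst`.
    Each admitted echo request costs one token."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)            # start full so a short burst passes
        self.last = None                      # time of the previous request

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                          # over the limit: drop (or deprioritize)


class IcmpRateLimiter:
    """Keeps one bucket per source address, so one flooding source cannot
    consume the allowance of well-behaved ones."""

    def __init__(self, rate: float = 4.0, burst: int = 10):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def admit(self, src: str, now: float) -> bool:
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst)
        return bucket.allow(now)


def simulate(limiter: IcmpRateLimiter, requests):
    """requests: iterable of (time, src) echo requests. Returns
    {src: (admitted, dropped)} after replaying them in time order."""
    stats = {}
    for t, src in sorted(requests):
        admitted, dropped = stats.get(src, (0, 0))
        if limiter.admit(src, t):
            admitted += 1
        else:
            dropped += 1
        stats[src] = (admitted, dropped)
    return stats


def demo():
    """Constructed traffic: a well-behaved host pinging twice a second for
    five seconds, and a flooder sending 64 requests per second for two seconds.
    Addresses are RFC 5737 documentation ranges."""
    normal = [(i * 0.5, "192.0.2.7") for i in range(10)]
    flood = [(1.0 + i / 64, "203.0.113.5") for i in range(128)]
    return simulate(IcmpRateLimiter(rate=4.0, burst=10), normal + flood)


if __name__ == "__main__":
    for src, (ok, dropped) in demo().items():
        print(f"{src}: admitted={ok} dropped={dropped}")
```

With these values the well-behaved host loses nothing, while the flooder gets its initial burst of ten through and is then held to the refill rate (four per second), so most of its traffic is dropped. In production this accounting is done in the packet filter rather than in userspace, for example with the hashlimit match in iptables or a limit rate rule in nftables, but the shape is the same: a per-source allowance, a fixed refill rate, and a burst size large enough that a legitimate run of pings still passes.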
Network monitoring and traffic analysis
Any defense against DDoS attacks and floods is most effective when deployed quickly. That’s why network monitoring is crucial: it allows for a rapid response to threats.
Network traffic monitoring involves gathering and analyzing traffic data to identify anomalies, such as abnormal traffic spikes or unusual data sources and destinations. You can use network monitoring tools to track almost every metric on your network. Proper traffic analysis helps determine the type of threat, its severity, and the best possible response.
To monitor and protect the network, administrators can use tools and techniques such as:
- Firewalls, which are an absolute necessity in any network. They can be hardware- or software-based and help filter malicious traffic, including ping floods or unwanted SYN packets.
- Network sniffers are programs and devices designed to collect and analyze network traffic. They can help identify the sources, types, and volumes of attacks.
- ML-based software. Despite being a relatively new technology, machine learning can help combat various cyber threats, including DDoS and other flooding attacks. Machine learning algorithms analyze traffic data and learn patterns to detect threats.
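The monitoring and traffic-analysis points above, and the smurf attack described earlier, share one detection idea: count echo requests per source over a sliding window, and treat inbound echo replies that answer no request this host ever sent as reflected traffic. The following Python is an added example (not code from the original article or any of the tools it mentions) that runs that logic over a handful of constructed firewall log lines; the log format, the host and source addresses (RFC 5737 documentation ranges), and the window and threshold values are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (assumed, not from the article): one line per ICMP
# packet seen at the host's firewall, with direction relative to this host.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=icmp type=(?P<type>\d+)"
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None                       # not an ICMP record; ignore
    return {"ts": datetime.fromisoformat(m["ts"]).timestamp(),
            "dir": m["dir"], "src": m["src"], "dst": m["dst"],
            "type": int(m["type"])}


def analyze(lines, window=1.0, threshold=5):
    """Return (flood_sources, unsolicited_reply_sources).

    flood_sources: sources that sent more than `threshold` echo requests
        within any `window` seconds (ping flood indicator).
    unsolicited_reply_sources: sources of inbound echo replies for which this
        host never logged an outbound echo request, which is what a smurf
        victim sees: replies to requests it never sent.
    """
    recent = defaultdict(deque)           # src -> timestamps of recent type-8 packets
    flood_sources, unsolicited = set(), set()
    pinged = set()                        # destinations this host actually pinged
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dir"] == "out" and rec["type"] == 8:
            pinged.add(rec["dst"])
        elif rec["dir"] == "in" and rec["type"] == 8:
            q = recent[rec["src"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()               # slide the window forward
            if len(q) > threshold:
                flood_sources.add(rec["src"])
        elif rec["dir"] == "in" and rec["type"] == 0:
            if rec["src"] not in pinged:
                unsolicited.add(rec["src"])
    return flood_sources, unsolicited


def _line(ts, direction, src, dst, icmp_type):
    return f"{ts} dir={direction} src={src} dst={dst} proto=icmp type={icmp_type} code=0"


# Constructed sample: one well-behaved pinger, one flooder (8 requests in
# 350 ms), one solicited reply, and two replies this host never asked for.
HOST = "198.51.100.10"
SAMPLE_LOG = (
    [_line("2024-05-01T10:00:00.000", "in", "192.0.2.7", HOST, 8),
     _line("2024-05-01T10:00:00.000", "out", HOST, "192.0.2.1", 8),
     _line("2024-05-01T10:00:00.030", "in", "192.0.2.1", HOST, 0)]
    + [_line(f"2024-05-01T10:00:01.{i * 50:03d}", "in", "203.0.113.5", HOST, 8)
       for i in range(8)]
    + [_line("2024-05-01T10:00:02.000", "in", "192.0.2.7", HOST, 8),
       _line("2024-05-01T10:00:02.100", "in", "198.51.100.20", HOST, 0),
       _line("2024-05-01T10:00:02.110", "in", "198.51.100.21", HOST, 0)]
)


def run_sample():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    floods, unsolicited = run_sample()
    print("ping flood sources:", sorted(floods))
    print("unsolicited echo replies from:", sorted(unsolicited))
```

The threshold and window are the knobs an operator tunes against a baseline of normal ping traffic; the unsolicited-reply check needs no tuning at all, since a host that never sent an echo request has no reason to receive echo replies.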
Does a VPN help prevent ping flood attacks?
While a VPN service cannot replace firewalls or the other tools mentioned above, it can help against some attacks, including floods. For example, in a smurf attack, the attacker uses a spoofed IP address to flood your device with bogus traffic. But if you use a VPN, it masks your IP, and the attacker is less likely to discover and abuse it.