WP What is a Ping Flood | ICMP Flood DDoS Attack | Imperva

Ping flood (ICMP flood)

224.9k views
DDoS

What is a Ping Flood?

A ping flood, also known as an ICMP flood, is a type of distributed denial-of-service (DDoS) attack in which an attacker overwhelms the targeted device or network with continuous request packets (pings). This can cause network congestion and prevent legitimate users from accessing network resources.

How a Ping Flood Works

In a ping flood attack, the perpetrator uses multiple compromised systems to send a huge volume of ICMP echo requests to the target. These echo request packets are sent to the broadcast IP address 255.255.255.255, which allows them to be delivered to all connected devices.

The target system tries to respond to each ICMP echo request with an echo reply packet. However, with thousands or even millions of echo requests coming in per second, the target is unable to handle the traffic volume. The incoming ping flood occupies all of the target’s inbound bandwidth, preventing legitimate users from accessing the system.

Ping of Death Attack

A variation on the ping flood is the Ping of Death attack. In this type of assault, the attacker sends malformed or oversized ICMP packets that exceed the maximum IPv4 packet size of 65,535 bytes. This crashes or freezes the target system as it struggles to process the oversized packets.

While most modern operating systems are no longer vulnerable to Ping of-Death attacks, a large ping flood using normal-sized packets can still be used to achieve denial-of-service.

Technical Example of a Ping Flood

A ping flood can be initiated using a simple ping command from the command line. For example:

ping -t <target IP> -l 65500

This will send a continuous stream of ping packets to the target IP address, with a packet size of 65,500 bytes (the maximum allowed by IPv4). Executing this command from multiple attacking devices could overwhelm the target network with hundreds of thousands of large ICMP packets per second.

Ping Flood vs. Smurf Attack

A smurf attack is a distributed denial-of-service technique related to a ping flood. The key difference is that smurf attacks leverage spoofing of the source IP address.

In a smurf attack, the perpetrator sends a large amount of ICMP traffic to the broadcast address of the target network but spoofs the source IP address to be the victim’s address. When all the hosts on the network receive and respond to the ICMP echo request, it multiplies the amount of traffic flooding the victim.

With a ping flood, the source of the attack traffic is more visible. But a smurf attack hides the true origin, enabling an amplification effect through broadcast messaging.

Ping Flood vs. SYN Flood

Ping floods are sometimes confused with SYN floods, another common DDoS technique. While both overwhelm the target with bogus traffic, there are some key differences:

  • Protocol used – Ping floods use ICMP echo requests, while SYN floods leverage TCP SYN packets.
  • Connection establishment – Ping floods do not open any TCP connections, while SYN floods attempt to open many connections that are never completed.
  • Impact – Ping floods consume more inbound bandwidth, while SYN floods put more demand on server resources because of the need to track half-open connections.
  • Detection – Ping floods are easier to identify based on the volume of ICMP traffic. SYN floods can be harder to distinguish from legitimate connection requests.

In summary, ping floods are heavier on bandwidth consumption, while SYN floods require more server processing overhead. But both can effectively deny service to legitimate users.

Effects of a Ping Flood

Some of the major effects on a system undergoing a ping flood include:

Network Saturation

The huge volume of ICMP echo requests saturates the target’s inbound bandwidth, making it impossible for legitimate users to access network resources. Web servers, email servers, and other public-facing systems become unreachable.

System Resource Exhaustion

The flood of ICMP packets consumes a large percentage of router, firewall, and server CPU cycles. This CPU overload causes widespread performance issues or even crashes systems entirely. Available memory can also be consumed while attempting to process the attack traffic.

Service Disruption

Any services hosted on the flooded device or network segment become unavailable due to the network saturation. Websites time out, cloud-based services are blocked, and applications that rely on the network stop working properly.

Reputation Damage (for email servers)

For email servers, a ping flood can cause inbound emails to bounce and be returned as undeliverable. This results in the server’s IP address being added to real-time blackhole lists (RBLs). Other email servers will reject messages from IP addresses on blackhole lists, causing further delivery disruptions after the attack.

Financial Loss

Taken together, the inability to process transactions, loss of productivity, and damage to reputation represent significant financial costs stemming from a successful ping flood attack. Costs grow exponentially with attack volume and duration.

Ping Flood Defense Strategies

Defending against ping floods involves using a layered approach with the following components:

Traffic Rate Limiting

Rate limiting sets a maximum threshold on the number of ICMP echo requests that can be processed per second. Requests exceeding the threshold are dropped or deprioritized. This prevents any single source from overwhelming the target.

Infrastructure Capacity Planning

Proactively increasing bandwidth, server resources, and network capabilities can help absorb a certain volume of ICMP traffic without service disruption. However, this may completely negate the effects of a very high-volume attack.

ICMP Protocol Blocking

Blocking ICMP altogether at the network perimeter prevents any ICMP requests from reaching vulnerable servers. However, this can also prevent legitimate troubleshooting with the ping utility. ICMP blocking should be applied selectively rather than network-wide.

Blackhole Filtering

Routers and firewalls can identify known DDoS botnets through IP blackhole lists and immediately discard traffic originating from them. This reduces attack volume but is less effective against changing botnet IP addresses.

DDoS Mitigation Service

A cloud-based scrubbing service can filter out attack traffic and only pass through legitimate user connections. This specialized service shifts attack impact away from the target’s infrastructure.

Strategic Protection Against Ping Floods

Organizations seeking robust protection will need to develop a strategy that incorporates multiple layers:

  • Maintain patching, gear redundancy, and capacity headroom to tolerate moderate flood volumes.
  • Implement intelligent rate limiting, protocol blocking, and filtering to minimize attack impact.
  • Validate DDoS defense readiness through annual stress testing.
  • Pursue targeted infrastructure upgrades to handle projected traffic growth.
  • Establish a DDoS emergency response plan, including contracting a cloud-based scrubbing service.
  • Train IT teams on DDoS monitoring, mitigation techniques, and emergency procedures.
  • Develop relationships with ISPs to quickly block attack traffic upstream during a DDoS event.

With adequate resources, vigilance, and partnerships, organizations can mitigate the majority of ping flood risks and prevent successful denial of service.

Conclusion

Ping floods represent a serious threat to organizations as one of the most common and disruptive DDoS attack vectors. By overwhelming the target’s network and systems with a tsunami of ICMP echo requests, perpetrators can cut off user access and cause extensive damage within minutes.

Defending against ping floods requires a multi-layer strategy combining intelligent traffic filtering, increased capacity, DDoS mitigation services, and emergency response planning. With protocols and solutions improving each year, organizations have many tools to safeguard infrastructure against even high-volume ICMP floods.

See how Imperva DDoS Protection can help you with ping flood attacks.

How Imperva Stops Denial-of-Service Attacks

Imperva secures websites, networks, DNS servers and individual IPs against the largest and most sophisticated types of DDoS attacks – including network, protocol and application level attacks – with minimal business disruption. The cloud-based service keeps online businesses up and running at high performance levels even under attack, avoiding financial losses and serious reputation damage. It does this by proxying incoming traffic to block DDoS attacks from reaching your origin servers.

Learn more about Imperva DDoS Protection here.