In the first two parts of the series, we covered TOS floods and SYN floods. We’ve looked at what they are, what damage they can cause, and how to mitigate their effects. In this third part, we’ll take a closer look at Ping flood attacks, how they are different and what you can do if you’re hit.
What is a Ping Flood?
In a Ping flood, also known as ICMP flood, the attacker overwhelms its victims with ICMP echo requests, which are commonly known as pings. When the network is sent request packets, it automatically responds with an equal amount of reply packets.
With tens or hundreds of thousands of these requests, it is not hard to imagine the strain which can be placed on both incoming and outgoing traffic, and the bandwidth which can be taken up trying to keep up with a limitless amount of ‘pings’.
There are three kinds of Ping floods to be aware of:
- Targeted Local Disclosed Ping Flood: A single computer on a local network is targeted. In this case, the attacker is using your own specific IP address.
- Router Disclosed Ping Flood: The attacker targets routers, which plays havoc with all the computers on a single network. The attacker needs the internal IP of the local router for this, but if successful-all computers on the network would be affected.
- Blind Ping Flood: An external program is used to uncover IP addresses, or the attack uses random source IP addresses.
How Dangerous Can Ping Floods Be?
While the damage of Ping flooding used to be limited by the attackers own bandwidth and the small volume of data which could be sent, in recent times blended attacks as well as the malicious power of botnets has brought the danger back into the public eye.
The UN International Telecommunication Union agrees, stating that “the degree of interconnectivity of networks implies that anything and everything can be exposed.”
Black Nurse is arguably the most famous Ping attack of this decade. While the volume of the DDoS traffic was not large, only between 15-18mbps, it was the steady barrage of attack packets which did the damage, by repeatedly crashing the devices in question. As Black Nurse was an attack against TDC, a telecommunications solution in Denmark, the frustration, slow response times, crashes and delays were felt by their customers and clients.
Perhaps most worrying, because of the small size of the attacks, Ping floods are far less easy to detect than other larger DDoS attacks.
What’s the Solution?
Some solutions might involve blocking all ping requests from outside your own network, by reconfiguring your firewall. While this will stop external attacks, it does nothing against attacks where the threat is established internally. Additionally, as ping requests are also used to troubleshoot server issues, a blanket block on them can have unwanted consequences on your network.
Live usage monitoring and traffic control can automatically detect and manage ping requests, including dynamic custom filtering rules, which limits the amount which can be accepted at any time.
DDoS protection should inspect every inbound and outbound packet, detecting and filtering malicious traffic, long before it has a chance to load network infrastructure or affect customer experience. This means the solution should react in real-time within seconds.