Networking 2570x454 Ping Flooding
Flooding DoS attacks don’t try to necessarily crash a service or resource, but
instead try to overload it so it can’t respond. Similar attacks can tie up other
resources, such as CPU cycles and system processes, but a flooding attack
specifically tries to tie up a network resource.
The simplest form of flooding is just a ping flood. The goal is to use up
the victim’s bandwidth so that legitimate traffic can’t get through. The attacker
sends many large ping packets to the victim, which eat away at the bandwidth
of the victim’s network connection.
There’s nothing really clever about this attack—it’s just a battle of band-
width. An attacker with greater bandwidth than a victim can send more data
than the victim can receive and therefore deny other legitimate traffic from
getting to the victim.
0x455 Amplification Attacks
There are actually some clever ways to perform a ping flood without using
massive amounts of bandwidth. An amplification attack uses spoofing and
broadcast addressing to amplify a single stream of packets by a hundred-fold.
First, a target amplification system must be found. This is a network that
allows communication to the broadcast address and has a relatively high
number of active hosts. Then the attacker sends large ICMP echo request
packets to the broadcast address of the amplification network, with a spoofed
source address of the victim’s system. The amplifier will broadcast these packets
to all the hosts on the amplification network, which will then send correspond-
ing ICMP echo reply packets to the spoofed source address (i.e., to the victim’s
machine).
This amplification of traffic allows the attacker to send a relatively small
stream of ICMP echo request packets out, while the victim gets swamped with
up to a couple hundred times as many ICMP echo reply packets. This attack
can be done with both ICMP packets and UDP echo packets. These techniques
are known as smurf and fraggle attacks, respectively.
AttackerVictimAmplification networkA B C D E
F G H I J
Spoofed packet from
victim’s address sent to the
broadcast address of the
amplification networkAll hosts respond
to the spoofed
source address