A Ping Flood is an evolved variant of an ICMP Flood in which attackers use PING, a variant ICMP to send highly-spoofed PING (ICMP) echo requests at a high rate and from large range of random source IPs, or as if they are the IP address of the victim. They can quickly overwhelm a target server because they try to process every individual ICMP request and respond with an equal number of reply packets, and this can lead to denial-of-service. A PING Flood is application specific. PING Floods are particularly intense forms of ICMP Floods because they test the network latency.
PING requests test the connectivity of two computers by measuring the time from when an ICMP echo request is sent to when an echo reply is received. During a DDoS attack, however, PING requests are used instead to overload a target network with data packets.
PING floods require knowledge of the IP address of the target. Attacks can be broken down into three categories, depending on what the target is and how its IP address is resolved:
(i) A targeted local disclosed ping flood – this involves the targeting of a single computer on a network to take it down. An attacker needs physical access to a computer to discover its IP address.
(ii) A router disclosed ping flood – This is reliant on an attacker knowing the internal IP address of a local router. It targets routers to disrupt communications between computers on a network, and takes down all the connected computers if successful.
(iii) A blind ping flood – An external program is required to find out the IP address of the computer or router of a target.
This requirement for the knowledge of the IP address of the target limits the capacity of a DDoS attack, particularly against a large network; as does the fact that the attacking computer must have access to greater bandwidth than the victim. A DDoS attack used with a botnet has a far higher potential for sustaining a PING Flood and overwhelming a target’s resources.
The PING requests are usually highly-spoofed and sophisticated in their appearance, making a PING attack difficult to detect by deep packet inspection or other similar techniques.