This report is about the ping flood, a denial of service attack. Specifically, it covers what ping flooding is, what it does to a network and how to stop it. It touches on some of the types of ping flooding, how they work and how to defend against most of them, and it tries to explain why people carry out these attacks on servers and computers.
Ping flooding is one of the oldest but deadliest denial of service attacks still in use today. It is mainly used to fill a network with useless traffic, which, given enough time, can effectively take the network down for an extended period. Today it is not very common to see ping flooding, for a few reasons. First, while the attack is running the attacker's own computer is tied up, because it has to constantly build and send useless packets. Second, a growing number of network administrators no longer allow echo requests into the network and have started using Intrusion Detection Systems (IDS), which can constantly monitor for changes at the ISP level. Third, the attack needs a lot of bandwidth to succeed.
However, just because it is not as common as it once was does not mean that these attacks will not happen. They can still take down large businesses for a good while. In practice this is why a single attacker cannot flood a major network using ping; it takes multiple computers attacking one server, and at that point the attack is known as a Distributed Denial of Service (DDoS) attack. Those attacks are discussed later in the report.
Fig 1: Ping Flooding at work
How Ping Flooding Works
To get a better understanding of how ping flooding works, one must understand how ICMP works. Ping is based on the Internet Control Message Protocol (ICMP), which is basically a small piece of information sent between networks. Its function is to check the end-to-end connection between networks. One host sends an ICMP packet and waits for an ICMP packet back from the other host. This exchange is how connectivity between the networks is established so that people can send and receive data from each other, and it is how computers on internet connections communicate with servers.
Fig 2: Basic diagram of Ping
Ping flooding works by flooding the server with massive amounts of junk pings, overloading the server and causing it to shut down under the stress this generates. This can cause lost revenue due to downtime. As stated earlier, it is uncommon these days because of the amount of bandwidth servers, especially business servers, can handle. However, it is still feasible today because of how information is sent through the network.
How Flooding Works Now
In IPv4 networks, a packet sent to an IP address whose host part is all 1s is meant to be processed by every host on that network. This means that one can send a request packet to a network's broadcast address and have every host on the network reply to it. When spoofing, the attacker uses the valid address of the victim as the source address, so every host that receives the broadcast echo request sends its reply to the victim.
Fig 2: Spoofed Packets going out.
Using this method, the computers on the network bounce that junk packet back to the victim, as long as the attacker or attackers know the IP address of the victim.
Fig 2.5: Junk Ping attacking User
Types of Ping Flooding
There are a few types of ping flood anyone can carry out. This report discusses the following: targeted local disclosed ping flood, router disclosed ping flood, blind ping flood, SYN flood and DDoS. DDoS attacks are more complicated to carry out, requiring multiple resources, but they are devastating to the network they attack.
Targeted Local Disclosed Ping Flood
A targeted local disclosed ping flood is an attack where the attacker knows the exact IP address they want to target directly on the network. This is usually done to attack a single computer. It is extremely easy to do and can be done from a basic Windows machine. All you need to do is open the command prompt and type ipconfig to get the IPv4 address. Note that this requires access to the computer you wish to attack, and therefore permission to do so. Using a packet sniffing program is also viable for finding a random IP address to test the idea on, but this is not recommended for legal reasons.
Fig 3: ipconfig results
Make a note of the address, then on the machine you wish to attack from open the command prompt and type the following: ping "ip address here" -t -l "insert number", where "ip address here" is the IP address of the target and "insert number" is the number of bytes you wish to send. The results should look like this:
Fig 3.1: All the pinging.
The attacked computer spends precious processing power handling the pings sent from the attacking computer, slowing it down immensely. Put bluntly, "-t" tells ping to keep going: in this case it will keep pinging the host until the host disconnects or until you stop it. "-l" sets how big each ping is; in the example it is sending a 65k byte ping. So it will keep running until the attacker stops or the victim disconnects. Using one computer to attack another is as basic as it gets, and attackers usually do not bother attacking a single computer.
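The two traffic patterns described so far, a single source sending continuous oversized echo requests ("-t -l") and an echo request aimed at the network's broadcast address with the victim's address as its source, can both be picked out of a packet capture. The following Python script is an added example and is not part of the report; the thresholds, the 192.168.1.0/24 network and the sample packets are assumptions constructed for illustration.

```python
# Added example (not from the report): flag ICMP echo-request floods in a
# constructed packet log. Thresholds, network and addresses are assumptions.
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_REQUESTS_PER_SEC = 50                  # assumed: more than this from one source is a flood
MAX_PAYLOAD_BYTES = 1024                   # assumed: a normal ping carries 32 or 56 bytes
LOCAL_NET = ip_network("192.168.1.0/24")   # assumed internal network
ECHO_REQUEST = 8                           # ICMP type 8 = echo request, type 0 = echo reply

def is_directed_broadcast(dst):
    """True when dst is the all-ones host address of the assumed local network."""
    return ip_address(dst) == LOCAL_NET.broadcast_address

def analyse(packets):
    """packets: iterable of (timestamp_sec, src, dst, icmp_type, payload_len).
    Returns three sorted lists of source addresses: sources exceeding the
    per-second request rate, sources sending oversized pings (the -l pattern),
    and sources of echo requests aimed at the broadcast address (the
    spoofed-source reflection pattern, where src is really the victim)."""
    per_window = defaultdict(int)          # (src, whole second) -> echo requests seen
    oversize, reflected = set(), set()
    for ts, src, dst, icmp_type, plen in packets:
        if icmp_type != ECHO_REQUEST:      # replies and other ICMP types are ignored
            continue
        per_window[(src, int(ts))] += 1
        if plen > MAX_PAYLOAD_BYTES:
            oversize.add(src)
        if is_directed_broadcast(dst):
            reflected.add(src)
    floods = {src for (src, _), n in per_window.items() if n > MAX_REQUESTS_PER_SEC}
    return sorted(floods), sorted(oversize), sorted(reflected)

# Constructed sample: one normal pinger, one host sending 120 continuous 65500-byte
# echo requests within a single second (ping -t -l 65500), and one echo request sent
# to the broadcast address carrying the victim's address 192.168.1.10 as its source.
SAMPLE = [(0.1, "192.168.1.20", "192.168.1.10", 8, 32)]
SAMPLE += [(0.5 + i / 1000, "192.168.1.66", "192.168.1.10", 8, 65500) for i in range(120)]
SAMPLE += [(1.0, "192.168.1.10", "192.168.1.255", 8, 56)]
SAMPLE += [(1.2, "192.168.1.10", "192.168.1.20", 0, 32)]   # an echo reply, ignored

if __name__ == "__main__":
    floods, oversize, reflected = analyse(SAMPLE)
    print("rate floods:", floods)
    print("oversized pings:", oversize)
    print("broadcast-directed requests (victim as source):", reflected)
```

The broadcast-directed case reports the source address because, in the reflection attack the report describes, that source is the victim whose inbox of replies is about to fill up, which is the address a defender wants to alert on.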
Router Disclosed Ping Flood
A router disclosed ping flood is the same as above, except the target is the victim's router rather than the computer itself. When a router is flooded with useless packets, the entire network behind that router is brought to a halt. For example, say twenty computers are connected to a router. If that router is attacked by someone flooding the network, those twenty computers are cut off from the network.
Getting the router's IP address works the same way as getting a computer's IP address, except that the default gateway entry is what you need.
Fig 3.2: Default Gateway Obtained
Repeat the same process as before and you will disrupt not only the router but the other computers behind it. The router takes most of the damage and will eventually crash, forcing a hard reset. Now there are twenty angry computer users wondering why they cannot reach the servers, and the attacker is laughing to himself.
Blind Ping Flood
A blind ping flood is any attack where the attacker does not know the IP address of the target, so he uses techniques and external programs to uncover it. Many programs can be used to find the IP address of a target. One such program is Wireshark. It can basically be used to monitor traffic on a network, potentially revealing the IPs of anyone using that network and ruining their day.
SYN Flood
A SYN flood is a form of DoS attack in which the attacker sends a quick succession of SYN (synchronize) request messages in an attempt to consume resources and prevent the server from responding. The attacker is exploiting the three-way handshake, which works like this: the client sends a SYN to the server; if the server receives the SYN request, it sends a SYN-ACK back to the client; lastly, the client sends an ACK, the connection is made and the client can access the server. The SYN flood prevents that process from completing: by spoofing a fake IP address the attacker never replies with the ACK, and the server sends its SYN-ACK to the fake IP. The server waits, because the missing ACK might simply be a backlog of network traffic, and it stays in that state until the connection times out. If enough of these arrive, the server is strained until it cannot make new connections, because it is waiting for the fake IP addresses to respond, which blocks traffic from real IP addresses.
Distributed Denial of Service Attack
This is by far the deadliest of all denial of service attacks, since an easy fix is hard to come by. Installing the latest hardware and software is largely ineffective against DDoS attacks, and network administrators will most of the time need outside help to deal with them. A distributed denial of service attack is ping flooding on a much larger scale, using computers whose owners are usually not aware that they are attacking a website or network. The reason is that the hackers who perform DDoS attacks infect unsuspecting users with Trojans or viruses that run in the background without their notice. Those computers are called zombies. When the attackers are ready, they send a signal that tells the infected computers to flood the target's network. The victim has to deal with thousands of junk packets from many different source addresses, unsure which ones are attacking the network. The figure below shows a DDoS attack at work.
Fig 3.5: DDoS Attacks
In many cases the target will fall offline almost instantly and will continue to be bombarded by junk packets, keeping the server offline until the attackers stop. There are some ways to protect oneself from DDoS attacks, but they are known to be largely ineffective, mainly because the attacks come from different sources across multiple parts of the world.
Protection from Ping Floods, SYN Floods and DDoS Attacks
As with all attacks, one can defend against them. Ping floods are simple to prevent. One way is to reconfigure the perimeter router or firewall to block ICMP echo request pings into your internal network. This configuration will prevent flood attacks that come from outside the network, but it will not prevent internal flood attacks. Another way is to ban the attacking IP address from accessing the network. One last way is to enter the command "No ip verify unicast reverse-path" in the command prompt. This will prevent the fake IP from sending endless ping requests to your computer.
SYN floods can be stopped by reducing the time before the server times out a half-open connection, after which the client has to send a new SYN request. Doing so makes the server drop connections faster, so it does not spend resources waiting for the fake IP to send the ACK and can work on another SYN request from a legitimate client. Filtering out the fake IPs is also a viable solution to SYN flooding.
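The half-open connection table described in the SYN flood section, and the effect of the shorter timeout recommended just above, can be seen in a small model. The following Python code is an added example and is not part of the report; the backlog size, the timeout values, the 100 SYNs per second flood rate and the addresses are assumptions chosen for illustration.

```python
# Added example (not from the report): a small model of a server's half-open
# connection table under a spoofed SYN flood. Backlog, timeout, rate and the
# addresses used are assumptions chosen for illustration.
from collections import OrderedDict

class HalfOpenTable:
    """Connections that have been sent a SYN-ACK but whose ACK has not arrived."""
    def __init__(self, backlog, timeout):
        self.backlog = backlog          # assumed maximum number of half-open entries
        self.timeout = timeout          # seconds before an unanswered SYN-ACK is discarded
        self.pending = OrderedDict()    # (src_ip, src_port) -> time the SYN-ACK was sent
        self.dropped = 0                # SYNs refused because the table was full

    def expire(self, now):
        """Discard entries whose SYN-ACK has waited longer than the timeout."""
        for key in [k for k, t in self.pending.items() if now - t > self.timeout]:
            del self.pending[key]

    def on_syn(self, now, src):
        """Step 1 of the handshake arrives; the server answers SYN-ACK if it has room."""
        self.expire(now)
        if len(self.pending) >= self.backlog:
            self.dropped += 1           # a legitimate client simply gets no SYN-ACK
            return False
        self.pending[src] = now
        return True

    def on_ack(self, now, src):
        """Step 3 of the handshake: only a real client ever sends this."""
        self.expire(now)
        if src in self.pending:
            del self.pending[src]
            return True
        return False

def run_flood(timeout, backlog=128, spoofed=500, client_at=5.0):
    """Feed `spoofed` SYNs from fake sources at 100 per second (never ACKed), then let a
    real client try at `client_at`. Returns (client_connected, syns_dropped)."""
    table = HalfOpenTable(backlog, timeout)
    for i in range(spoofed):            # constructed spoofed sources in 203.0.113.0/24
        table.on_syn(i / 100, ("203.0.113.%d" % (i % 250), 40000 + i))
    client = ("198.51.100.7", 51515)    # constructed legitimate client
    ok = table.on_syn(client_at, client) and table.on_ack(client_at + 0.05, client)
    return ok, table.dropped

if __name__ == "__main__":
    print("60 s timeout:", run_flood(60.0))   # table full, client refused
    print("1 s timeout: ", run_flood(1.0))    # entries expire in time, client connects
```

With these assumptions the shorter timeout helps only because 100 SYNs per second times 1 s stays below the 128-entry backlog; if the flood rate times the timeout exceeds the backlog, the table fills anyway, which is why filtering the fake addresses is needed as well.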
DDoS attacks, however, are very tough to overcome. The first thing to do is contact your hosting provider or internet service provider, depending on what is under attack. They will usually be able to filter out the bulk of the traffic based on where it is coming from. For even larger attacks you have to get creative. Usually DDoS attacks are handled either by buying an IDS or by having an external group repair the damage. The worst case is waiting until whatever is attacking the network decides to stop. There is not much else one can do against a DDoS attack.
In short, the information in this report is meant to help the reader understand the importance of safeguarding the network and how to defend it from ping floods, which are a form of denial of service (DoS) attack, and from DDoS attacks by outside threats. The report went through how a ping flood works and why people carry out these attacks. It discussed the different types of ping flooding and other DoS attacks (including DDoS attacks) and how effective they are at attacking the computers, routers and servers of a network. Defending the network from these is very important, because without countermeasures the network can be brought offline, causing lost time and revenue.