What is an IP flood

The ping flood is a form of denial-of-service attack: it causes a "denial of service". Conceptually, you can think of the attack as a prank phone call: a malicious caller keeps calling and immediately hangs up. The line is blocked and is no longer available. Legitimate calls can no longer be answered.

In the known flood attacks, such as ping flood, HTTP flood, SYN flood and UDP flood, a target system is flooded with nonsensical requests until it collapses under the load. The ping flood is not to be confused with the so-called ping of death, which crashes the target system without overloading it.

What is a ping flood?

The ping flood is a cyber attack that can be directed against various systems connected to the Internet. The attacked systems can be servers as well as routers or home computers of private individuals.

Technically, the ping flood is based on the Internet Control Message Protocol (ICMP). The protocol and the associated ping command are actually used to carry out network tests. A ping flood floods a target computer with ICMP "Echo Request" packets. If the attacker has more bandwidth than the victim, the victim is flushed from the network.

How the ping flood works

The underlying functionality of the ping flood is simple:

  1. The attacker sends "Echo Request" packets in flood mode to the victim's machine.
  2. The victim's machine replies with "Echo Reply" packets.

Every incoming "Echo Request" packet consumes bandwidth on the victim's side. Since an "Echo Reply" packet is sent back for each incoming packet, the data volume of the outgoing network traffic is equally high. If the attacker has enough bandwidth, this uses up all available network capacity on the victim's side. Legitimate network traffic stalls or breaks down completely.

Depending on whether the attack comes from a single computer or from a network of computers, the ping flood is a DoS or DDoS attack.

Ping flood attack as Denial of Service (DoS)

In this simplest variant of the attack, the attacker (A) sends the "Echo Request" packets to the victim (O) from a single machine. In order not to reveal their own identity, the attacker spoofs their IP address. A computer (U) that happens to be reachable at this IP address is bombarded with the resulting "Echo Reply" packets. This effect is known as "backscatter". In some variants of the ping flood, such as the so-called smurf attack, backscatter is used as the actual weapon.

In order to direct a ping flood against a victim, an attacker uses the ping command or a modern alternative such as the hping tool. The attack begins on the command line. The ping flood is triggered by means of a command specially designed for the attack. For security reasons, we can only show an approximate sample of the hping code here:

Let's look at the options:

  • The option --icmp instructs the tool to use ICMP as the protocol.
  • The --flood option is the important one. According to the documentation of the hping command, it means on the one hand that packets are sent as quickly as possible. On the other hand, the option causes the victim's incoming "Echo Reply" packets to be discarded silently. Instead of sending a ping and then waiting for the answer, as in normal use of the ping command, packets are "fired" as quickly as possible.
  • The option --rand-source spoofs the IP address of the sender. Instead of the real sender address, a random IP address is entered.

Ping flood attack as Distributed Denial of Service (DDoS)

In order to trigger a "distributed" ping flood, the attacker (A) uses a botnet (B). The bots under the control of the attacker each start a ping flood against the victim (O) on command. Since several computers are now shooting at the same target, much higher bandwidth is available on the attacker's side. Only a well-protected target will withstand such an attack.

Since the attacker does not send the "Echo Request" packets from their own computer in this scenario, there is no reason to disguise their own IP address. Instead, the bots fire from their own addresses. The backscatter falls back on the botnet's zombie computers.

Defense measures to protect against ping flood attacks

There are basically three ways to protect against ping flood attacks:

Configuration of the system to be protected for greater security

Probably the simplest method to protect against ping flood attacks is to disable ICMP functionality on the victim's device. This measure offers immediate help during an attack, but can also be used preventively in order to minimize the attack surface.

Furthermore, the router and firewall can be configured so that malicious network traffic is detected and filtered in more detail. The use of load balancing and rate limiting techniques also helps protect against DoS attacks.
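The following simulation is an added example, not part of the original article. It applies a token-bucket rate limit to Echo Replies and shows why a per-source limit has no effect when every request carries a different sender address, as with the randomized sources described above, while a global limit caps the outgoing replies. The function names, the limit of 5 replies per second and the generated traffic are assumptions chosen for illustration.

```python
from collections import defaultdict

class TokenBucket:
    """Permit `rate` packets per second, with bursts of up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def replies_sent(requests, rate, burst, per_source):
    """Count Echo Replies sent for a list of (timestamp, source) Echo Requests."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    sent = 0
    for ts, src in requests:
        # Per-source mode keeps one bucket per sender; global mode shares one.
        if buckets[src if per_source else "*"].allow(ts):
            sent += 1
    return sent

def constructed_flood(pps, seconds):
    """Constructed sample: `pps` requests per second, every one from a new source."""
    return [(i / pps, f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}")
            for i in range(pps * seconds)]

if __name__ == "__main__":
    flood = constructed_flood(pps=1000, seconds=2)
    print("requests received:      ", len(flood))
    print("replies, per-source cap:", replies_sent(flood, 5, 5, per_source=True))
    print("replies, global cap:    ", replies_sent(flood, 5, 5, per_source=False))
```

A global limit bounds only the reply traffic: the incoming requests still consume inbound bandwidth, and legitimate pings share the same bucket while the flood lasts.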

Use of a cloud-based service for DDoS mitigation

Large providers such as Cloudflare have servers in globally distributed data centers. If you run your own website, you can route your traffic through these data centers. This makes much higher bandwidth available to absorb DDoS attacks. Furthermore, the data traffic is filtered by integrated systems such as firewall, load balancer and rate limiter.

Use of special hardware in front of the system to be protected

The option of protecting your own system with special hardware is only of interest to large players. These devices offer or combine the functionality of firewall, load balancer and rate limiter and filter or block malicious network traffic.
