
Thread: Ping flooder

  1. #1
    Senior Member
    Join Date
    Apr 2004
    Posts
    157

    Ping flooder

    We just had a security scan made in our company. The report we got says we have a vulnerability on one of our Windows 2000 servers, which would let you crash the server if you flood ping it with 10KB packets...??

    Well... we never saw our server crash whenever this company tried this. I don't think it's true, but would like to confirm this.

    Does anyone know of a program that can flood ping a server with 10KB packets?

    Does anyone know of this specific vulnerability?

    Any response would be most helpful!

    Thanks!

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Sure, the IP stack of the vulnerable machine can't deal with the sheer number of echo requests it is being sent.

    Almost any box can do this. But it's almost as bad for the machine attacking as it is for the machine getting attacked, unless you've got a lot more bandwidth than the machine you are attacking. Overall, however, it's not a very effective way of killing a machine.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Ok, it's James's Stupid Question Time again! Noobish question -- Ping floods -- Are those effectively DOS attacks? Another word for it? My understanding is that a ping flood would give the target too much traffic to handle, as such is the nature of a DOS. Just wanted to make sure I understood/had no clue about that... If they aren't one and the same, what's the difference?

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Angelic: Ping floods are just one of the many forms/types of DoS attacks. There are many different kinds that involve tampering with the packets being sent, how they are, size, etc. As for above:

    I believe if you go into a command prompt and type ping -t -i 255 blah.com you would get a big packet-sized ping flood (not compared to earlier versions that you could do, however they would simply say "Request Timed Out"). Now, obviously 255 is significantly smaller than 10k, but you catch the idea. There are many different ways/forms of performing a ping flood or a TCP SYN flood, etc etc. Research the like at google.com and you can learn a lot.
    Space For Rent.. =]

  5. #5
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    Spyder--
    In Windows it's ping -t -l (not i) then a number indicating the size. ie 1400.

    Sawper-- The default MTU on many, many data aggregation and distribution devices is 1500, so throwing a 10kb frame at a host might be tough.

  6. #6
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Well the max size of a ping is 65,535 bytes [64kb]. You need a good bandwidth because the 'flooder' can get serious lag, while a server [that's nicely hangin' on its T1 or better pipe] could hardly be bothered.

    I heard a while back that engineered packets that would be over the afore-mentioned size could instantly crash some machines, and one wouldn't even need to flood. Of course, a firewall would drop the packet, but if it doesn't the target is screwed. As far as I know only a Linux machine could do that [although by some theories it could be done on XP if the IPHINDRCL [I think] library is used... supposedly it gives raw socket access... never tried it though].

    Anyway it shouldn't be hard to generate 10k packets, just make sure you can tie up the bandwidth on the server.
    /\\
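
Added example (not part of any post in this thread): posts #5 and #6 point out that a 10 KB ping exceeds a 1500-byte MTU and that a datagram cannot legitimately exceed 65,535 bytes. The Python below works out how such an echo request is split into IPv4 fragments and applies the reassembly-length check a filtering device can use to reject oversized fragment sets. The function names and sample fragments are constructed for illustration, and a 20-byte IPv4 header without options is assumed.

```python
IP_HEADER = 20         # assumed: IPv4 header without options
ICMP_HEADER = 8        # ICMP echo header
MAX_DATAGRAM = 65535   # limit of the 16-bit IPv4 Total Length field


def plan_fragments(icmp_payload, mtu=1500):
    """Return (offset_bytes, data_len, more_fragments) per IPv4 fragment."""
    total = ICMP_HEADER + icmp_payload          # bytes following the IP header
    if IP_HEADER + total > MAX_DATAGRAM:
        raise ValueError("payload does not fit in a valid IPv4 datagram")
    per_frag = (mtu - IP_HEADER) // 8 * 8       # offsets count 8-byte units
    frags, offset = [], 0
    while offset < total:
        size = min(per_frag, total - offset)
        frags.append((offset, size, offset + size < total))
        offset += size
    return frags


def reassembly_verdict(frags):
    """Classify a fragment set: ok, oversized, malformed or incomplete."""
    ordered = sorted(frags)
    expected = 0
    for offset, size, more in ordered:
        if offset % 8 or (more and size % 8):
            return "malformed"                  # offsets must be 8-byte aligned
        if IP_HEADER + offset + size > MAX_DATAGRAM:
            return "oversized"                  # would reassemble past 65,535 bytes
        if offset != expected:
            return "incomplete"                 # gap or overlap between fragments
        expected = offset + size
    # The final fragment must have the more-fragments flag cleared.
    return "ok" if ordered and not ordered[-1][2] else "incomplete"


if __name__ == "__main__":
    # The 10,000-byte ping from this thread, carried over a 1500-byte MTU.
    frags = plan_fragments(10000)
    print(len(frags), frags[-1], reassembly_verdict(frags))
    # Constructed sample: one fragment whose end lies beyond the 65,535 limit.
    print(reassembly_verdict([(65528, 1480, False)]))
```
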

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Spyder--
    In Windows it's ping -t -l (not i) then a number indicating the size. ie 1400.
    Yes, I know that (notice I mentioned the "old trick" you can do, however somewhat outdated). But, you can also ping -i to set TTL variables. I was just showing him how to experiment/fool around with different ping flood methods/etc on a command line. Yes, ping -l is one of them and the more commonly used one. Like MS-DOS says when viewing ping -l and what it does:

    Code:
      -l size        Send buffer size.
    It allows you to modify and change the buffer size and number of packets. For this, the max is 65500 I believe. For ping -i, you can set it to a max of 250 TTL packets.
    Space For Rent.. =]

  8. #8
    Senior Member
    Join Date
    Apr 2004
    Posts
    157

    Thanks for all the help.

    Yeah, I've already tried using Ping -l, but that doesn't seem to cause any harm whatsoever... not on the source nor the destination...
    That's why I thought you may need some specific Ping Flooder utility that modifies the packets somehow to make them more destructible...?

    I mean try it yourself; PING computer -t -l 10000
    Didn't cause me any problems whatsoever through the T1 line nor through the LAN (1000).

    I'm questioning this security company because they have already given me false positives about my mail server being open relay and stuff, which they couldn't confirm when I asked them how they relayed through my mail server...
    Or even better. They claim they can send a crafted IP packet with a null length for IP option #0xE4, crashing my servers... I even asked him to do that to one of my servers while I was watching... nothing at all happened to it.. !

    I've talked about this company before in here, Qaddisin, and they seem to be a big joke.
    Cost us $9000 for nothing...!

    Oh well... let me know if there is such a destructible utility that could back Qaddisin up about the ping flooding...

    Thanks!

  9. #9
    Senior Member
    Join Date
    Jun 2004
    Posts
    281
    SawPer -

    I am guessing this is corporate so you probably already have a good firewall in place. However I just thought I would let you know that Sygate Personal Firewall will catch DDOS activity. I just launched a Ping DOS attack on one of my dummy machines (this machine was running sygate firewall) and immediately it popped up saying it was receiving a ping death DOS attack. It started to block them. So your server should either say it is blocking the ping and/or it should be logged with your firewall.

    - MilitantEidolon
    Yeah thats right........I said It!

    Ultimately everyone will have their own opinion--this is mine.

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    MilitantEidolon,

    Sure. We do have a PIX firewall in place. I don't manage it myself so I don't know for sure what it does when it gets Ping flooded.

    But my point isn't to come up with a new solution. I want to confirm if this company is just throwing out a bunch of crap in this report, without anything really being true whatsoever.. ?!
    Would be easy to just make a long report with most general vulnerabilities, but if you can't confirm a specific vulnerability on a specific server, then they are just straight up lying to us.. !

    Sorry if I don't sound appreciative of your help, it's just that I want to confront this stupid company, they seem to be completely incompetent...

    But if they are right, thanks for the advice! Then we do need to make sure we are protected against it.

    Thanks!
