This study investigates the behaviour of flood ping, whose use some people consider a type of Denial of Service (DoS) attack [9] [8]. As one of the hack FAQs defines it, DoS is simply rendering a service offered by a workstation or server unavailable to others [9]. A more dramatic description of DoS comes from [8]:
``Denial of service attacks simply overwhelm a targeted computer with bits of information, much like throwing masses of soldiers against a machine gun nest until the dead bodies eventually smother the enemy.''
There are several types of DoS attacks. Those related to ping or ICMP include flood ping [8], ping flood [13], and ping of death [16]. Here we first look at how ping flood and ping of death work; the operation of flood ping is described in Section 3.2.1.
Ping flood uses a program called ``smurf'' to send ICMP request packets, with the source address spoofed to a victim host's IP address, to 44 network broadcast addresses. This causes all the machines in those networks to send ICMP reply packets back to the victim host. Ping of death is a large ICMP packet sent by a workstation to a target. The target receives the ping packet in IP fragments [36] and has to reassemble it in a buffer. However, because the reassembled packet is too big for the buffer, it overflows the buffer. This causes unpredictable results, such as reboots or hangs.
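The reassembly overflow described above is prevented by checking each fragment's offset and length against the buffer before copying it. The following C code is an added example, not code from this study or from any real IP stack; the names `reasm_buf` and `reasm_add`, the 20-byte option-free header and the sample fragments are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u  /* limit of the 16-bit IP total-length field */
#define IP_HDR_LEN      20u     /* assumption: header without options */
#define REASM_MAX       (IP_MAX_DATAGRAM - IP_HDR_LEN)

enum { REASM_OK = 0, REASM_OVERSIZE = -1, REASM_MALFORMED = -2 };

struct reasm_buf {              /* hypothetical reassembly state for one datagram */
    uint8_t data[REASM_MAX];
    size_t  high_water;         /* end of the highest byte stored so far */
};

/* Validate one fragment against the buffer before copying it in.
 * off_units is the 13-bit fragment-offset field (units of 8 bytes),
 * more_frags is the MF flag. */
int reasm_add(struct reasm_buf *rb, uint16_t off_units,
              const uint8_t *payload, size_t len, int more_frags)
{
    size_t start = (size_t)(off_units & 0x1FFFu) * 8u;

    /* Every fragment except the last must carry a multiple of 8 bytes. */
    if (more_frags && len % 8u != 0)
        return REASM_MALFORMED;
    /* start + len must stay inside the buffer; written so it cannot wrap. */
    if (len > REASM_MAX || start > REASM_MAX - len)
        return REASM_OVERSIZE;

    memcpy(rb->data + start, payload, len);
    if (start + len > rb->high_water)
        rb->high_water = start + len;
    return REASM_OK;
}

int main(void)
{
    static struct reasm_buf rb;         /* zero-initialised */
    static uint8_t frag[1480];          /* constructed sample payload */

    printf("first fragment: %d\n", reasm_add(&rb, 0, frag, sizeof frag, 1));
    /* Constructed final fragment whose end would pass the 65535-byte limit. */
    printf("oversize tail:  %d\n", reasm_add(&rb, 8189, frag, sizeof frag, 0));
    return 0;
}
```

The oversize case arises because the offset field alone can point almost to the end of a maximum-size datagram, so the fragment's length has to be added before comparing against the limit.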
In Chapter 5 we will see that flood ping can cause increasing wire round-trip delays and packet drop, even with only a thousand ICMP request packets and their replies. With many more packets, both the network and the destination host will suffer more serious performance degradation. The network could be artificially congested and the destination host could be kept so busy returning the reply packets that it could do little else, effectively preventing others from using that host.
Regarding the use of flood ping in this study, we argue that flood ping is ethically unacceptable when the intention is to attack other Internet users, but acceptable for research purposes. For malicious purposes, a flood ping attacker keeps sending flood ping packets for a long time in order to make the attack effective. In this study, no more than 1,000 flood ping packets are sent per remote site per experiment. This ensures that the potential disturbance to the network and the destination host is tightly restrained.