What can I do about "ping flooding"?

1

1

Recently I have started getting periods of poor connections on my home LAN. So, today after my connection was unresponsive for a while once again, I decided to take a look at what was the problem. The log of my router was filled with messages like this one:

PING-FLOODING flooding attack from WAN (ip:xx.yy.zzz.qq) detected.

The IP address was different on each of the messages. I am now wondering what I can do about this. A quick search on Google showed me that the best way to combat this is to make it so that my router doesn't respond to pings. However, when I look at the settings, I only see this one:

WAN PING

If you enable this feature, the WAN port of your router will respond to 
ping requests from the Internet that are sent to the WAN IP Address.

Unfortunately, it isn't enabled! As such, I feel the problem should not be happening and I don't know what else I can do about it.

Any suggestions?

Jasper

Posted 2012-04-04T15:02:13.900

Reputation: 219

Every IP was different? If so someone may intentionally be performing a distributed denial of service attack on you. Kind of odd though since this kind of attack is usually used on public websites or to mask other intrusion activities. Do you have a static public IP? – Supercereal – 2012-04-04T15:15:38.377

Are you on a static or dynamic IP - if dynamic change the IP (reboot the router). – BJ292 – 2012-04-04T15:15:51.043

I think my IP is static - it happens to be a pretty common thing here in The Netherlands (at least, that's the impression I am getting). I don't know exactly, though, as I am renting with internet included in a student flat. We are on a load-balanced network and I have a UTP port in my room which I connect to my router. – Jasper – 2012-04-04T15:33:45.707

Contact your local authorities or ISP about the ping flooding (denial of service attack), it may be illegal for someone to do this, so they may look into it for you. Even though your router is set properly to drop ping requests it can still be flooded with them causing it to not respond to other legitimate protocol requests. – Moab – 2012-04-04T19:41:28.310

"A quick search on Google showed me that the best way to combat this is to make it so that my router doesn't respond to pings." That will help preserve your outbound bandwidth, but it won't do anything about the consumption of your inbound bandwidth. – David Schwartz – 2013-01-04T01:02:54.700

Can you describe the problem in some kind of detail? "Periods of poor connections" is extremely vague. Are these connections between devices on your LAN? Or only connections to the Internet? Poor how? High latency? Low bandwidth? Or what? – David Schwartz – 2013-04-14T12:02:20.553

Answers

2

Pings on your external (WAN) interface should not be affecting traffic on your LAN.

Unless there's hundreds of pings every second, it shouldn't be causing any perceptible difference to the traffic going from your LAN to your WAN, either.

It's probably some miscreants pingsweeping, looking for random targets to portscan and try to hack into. It happens all the time.

I think that these log entries have probably been getting logged for a very long time on your router, but you only noticed them recently when looking at a speed issue.

You can:

i) Ignore it. These pingsweeps happen to pretty much everyone.

ii) Get a new IP assignment from your ISP. Won't help unless you're sure the pings are targeted at you specifically.

iii) Take a note of all the IP addresses which have been recorded as pinging you, lookup who owns them and report the activity to the relevant abuse@ email address. Nothing will happen - you will be lucky to get an auto-acknowledgement email back.

Personally, I'd go with option i, and look elsewhere for the cause of the network performance issues.

Adam Thompson

Posted 2012-04-04T15:02:13.900

Reputation: 1 954

For a moment there, I thought you had to be right because I suddenly noticed that the log entries were all of a couple of months ago. However, when I finally found the time settings of my router, it just turned out that it thought that the current date was off by a few months and 12 years... so the entries are actually recent after all. – Jasper – 2012-04-04T15:45:15.750

I am not convinced these aren't the problem just yet. I am regularly getting bursts of 6 or more of these reports in a minute and it's likely that you need quite a few ping messages before even a single PING FLOOD message is logged. – Jasper – 2012-04-04T16:40:02.020

You may also be right that these messages may have been logged for much longer than I noticed it, but I can't check since my log is filled with messages just from today. As a matter of fact, over one fifth (80) of the messages are from since I changed the date, which was after asking this question, and a very convincing majority of them are ping flood messages. – Jasper – 2012-04-04T16:44:52.607
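The comments above estimate the alert rate and the share of the log by eye. As an added example (not part of the original thread), this script measures both from a saved copy of the router log and also reports how many distinct sources appear and which ones repeat. Only the PING-FLOODING message text comes from the question; the timestamp prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the question. The leading timestamp is an
# ASSUMPTION: the page does not show how the router prefixes its log lines.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\s+(?P<msg>.*)$")
FLOOD_RE = re.compile(
    r"PING-FLOODING flooding attack from WAN "
    r"\(ip:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) detected\.")

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE_LOG = """\
2012-04-04 16:38:02 PING-FLOODING flooding attack from WAN (ip:192.0.2.10) detected.
2012-04-04 16:38:09 PING-FLOODING flooding attack from WAN (ip:198.51.100.7) detected.
2012-04-04 16:38:15 DHCP client: lease renewed
2012-04-04 16:38:31 PING-FLOODING flooding attack from WAN (ip:203.0.113.44) detected.
2012-04-04 16:38:47 PING-FLOODING flooding attack from WAN (ip:192.0.2.10) detected.
2012-04-04 16:41:05 PING-FLOODING flooding attack from WAN (ip:198.51.100.200) detected.
garbled line without a timestamp
"""

def summarize(log_text):
    """Summarise ping-flood alerts: share of log, sources, busiest minute."""
    total = 0
    per_source, per_minute = Counter(), Counter()
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # skip lines that do not fit the assumed layout
        total += 1
        flood = FLOOD_RE.search(line["msg"])
        if flood:
            per_source[flood["ip"]] += 1
            per_minute[line["ts"]] += 1  # ts is captured to the minute
    alerts = sum(per_source.values())
    peak = per_minute.most_common(1)[0] if per_minute else (None, 0)
    return {
        "entries": total,
        "alerts": alerts,
        "alert_share": alerts / total if total else 0.0,
        "distinct_sources": len(per_source),
        "repeat_sources": sorted(ip for ip, n in per_source.items() if n > 1),
        "peak_minute": peak[0],
        "peak_alerts": peak[1],
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Many distinct sources with one alert each looks different from a few sources that keep returning, and the list of repeat sources is the natural starting point for an abuse report or a call to the ISP.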

0

Even if your router is not responding to pings, it is still receiving them, and they are still consuming your incoming bandwidth.

You might try the following:

  • Unplug your router for a few minutes and plug it back in, and see if it gets a new IP from your provider. Getting a new IP would temporarily prevent the attacker from doing this until it figures out your new IP.

  • Receive some of the pings and see if the source IP address leads anywhere. It's likely spoofed and won't help you, though. - just realized you said all addresses are different...

  • Call your ISP and see what they can do to help.

LawrenceC

Posted 2012-04-04T15:02:13.900

Reputation: 63 487

In my router's config screen, I clicked "DHCP Release" and "DHCP renew" under the "Internet" header. My IP did not change (and the given IP corresponds to my public IP). Is there any added value to turning the router off? – Jasper – 2012-04-04T16:53:12.593

Yes and no. Getting a new IP from your provider isn't "easy." You need to know what the DHCP timeout is. There is no standard value, and the ISP may set it to be anything from 4 hours to 4 days. Another issue is that even if the timeout is 4 hours and you turn your modem off for 5 hours, turn it back on, in many cases the DHCP server may give you the same IP address if it is available. And even if you get a new IP address, a hacker is still going to sweep your address, as you are on the same network as you were before. – Keltari – 2012-08-26T00:23:15.393