What is a safe ping frequency without it being considered a DDoS attack?

I am trying to chart the uptime of a server by regularly pinging it and Google and then comparing the ping times. I want to keep doing this over a period of—let’s say—a week.

I am sending a set of 5 pings to each with a timeout of 5 seconds and an interval of 2 minutes between each set. Following is the bash command.

# ping takes a hostname, not a URL; -t 5 is a 5 s timeout on macOS/BSD ping, but on Linux -t sets the TTL and the timeout flag is -W
while true; do echo Google; date; ping -c 5 -t 5 www.google.com; sleep 120; echo Outlook; date; ping -c 5 -t 5 outlook.office365.com; sleep 120; done >> pings.txt

I am concerned if the servers see this as a DDoS attack.


Solution 1:

I am sending a set of 5 pings to each with a timeout of 5 seconds and an interval of 2 minutes between each set. […] I am concerned if the servers see this as a DDoS attack.

The shorter answer:

I am quite confident the type of network behavior you describe would never be considered DDoS behavior by a long shot and might simply be seen as normal traffic/diagnostic behavior by systems administrators.

Remember, any public website will be probed on a fairly constant—and endless—basis; systems administrators cannot lose sleep over every system probing event that happens. And firewall rules in place on most competently managed systems catch “low hanging fruit” attacks like this to the point they are truly meaningless.

The longer answer:

I honestly don’t think a set of 5 pings with a 5 second timeout with a “let’s try this again” interval of 2 minutes would be considered anything close to a DDoS attack if this is coming from a single machine. Remember, a DDoS is a distributed denial of service attack with the key word being distributed. Meaning multiple, distributed machines would need to essentially do something “bad” in unison with each other for the attack to be considered DDoS. And even if you had like, 100 servers using that 5 pings, 5 second timeout and 2 minute interval thing, systems administrators might possibly see that as an “interesting” event, but it would not be considered a threat.

Now what would be considered a true DDoS attack which uses ping as the attack agent? The most common form of attack would be a “ping flood” which is defined as follows; bold emphasis is mine:

A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP Echo Request (ping) packets. This is most effective by using the flood option of ping which sends ICMP packets as fast as possible without waiting for replies. Most implementations of ping require the user to be privileged in order to specify the flood option. It is most successful if the attacker has more bandwidth than the victim (for instance an attacker with a DSL line and the victim on a dial-up modem). The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing bandwidth as well as incoming bandwidth. If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown.

Meaning the only way a ping DDoS could happen is if bandwidth is flooded on the victim’s side to the point systems are rendered so slow they are “down.”

To implement a true, simple “ping flood” from the command line you would need to run a command like this:

sudo ping -f localhost

Now you are wondering what would happen if you—let’s say—ran that command with a real target. Well, if you do it from your lone computer to a target it wouldn’t look like much at all on the receiving side. Simply endless ping requests that would barely consume bandwidth. But honestly most competent web systems administrators have their servers set up with firewall rules to block ping floods anyway. So again, you yourself on one system won’t trigger anything close to a DDoS condition. But get a few hundred servers to do that to a target system and then you have behavior that would be considered a DDoS attack.
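The distinction the answer draws between a handful of pings every couple of minutes and a ping flood, written out as the kind of per-source rate check a defender would run over a capture log. This is an added example, not code from the question or the answer; the log format, the IP addresses, the 10-second window and the 50-packet threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the question or answer: a rate check that separates the
# questioner's "5 pings every 2 minutes" pattern from a ping flood. Input is a
# constructed, simplified capture log on stdin, one line per ICMP echo request
# received: "<epoch_seconds> <source_ip>". Window size, threshold and addresses are
# assumptions, not values from the page.

# Print "source peak_count" for every source that sent more than $2 echo requests
# within any $1-second span; benign low-rate probes produce no output.
flag_icmp_sources() {
    win="${1:-10}"
    max="${2:-50}"
    sort -n | awk -v win="$win" -v max="$max" '
    {
        t = $1; src = $2
        n[src]++                      # total packets seen from this source so far
        ts[src, n[src]] = t           # arrival time of the i-th packet from src
        # slide the window start forward until all kept packets are within win seconds
        while (ts[src, start[src] + 1] < t - win) start[src]++
        in_win = n[src] - start[src]
        if (in_win > peak[src]) peak[src] = in_win
        if (in_win > max) flagged[src] = 1
    }
    END { for (s in flagged) print s, peak[s] }' | sort
}

# Constructed sample: one host running the questioner's loop (5 requests one second
# apart, repeated about 4 minutes later) and one host sending 200 requests in 2 seconds.
sample_log() {
    for t in 0 1 2 3 4 240 241 242 243 244; do echo "$t 203.0.113.10"; done
    i=0
    while [ "$i" -lt 200 ]; do
        echo "$((i / 100)) 198.51.100.7"
        i=$((i + 1))
    done
}

# Running it: only the flooding source is reported.
sample_log | flag_icmp_sources 10 50    # prints: 198.51.100.7 200
```

Lowering the threshold far enough (for example to 4 packets per window) makes the questioner's own 5-packet bursts show up too, which is why such rules are tuned well above ordinary diagnostic traffic.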