16

I have been reading up on common ways in which people attack each other on the internet through things like DDoS attacks, etc., and how one would defend oneself from such attacks, and I have come across the fact that with the Ubuntu ping tool there is a "Flood ping" option:

ping -f <WhatToPing>

So I would assume that there must be other uses for ping flooding then, other than the malicious DoS attack one. So that is really my question: in what circumstances would you normally use the -f option when not attempting to do something malicious?

Seth

7 Answers

24

That's obviously ;-) to test whether your system hardening has worked out and that your TCP/IP stack will not be flooded by ping flooding any more.

E.g. that your system won't keel over by dropping the enormous amount of ICMP packets that it receives.

A.B.
Fabby
16

This can be used to check if the network is reliable or if it is overloaded. The usual one ICMP message per second would be too slow for such purposes. Please note that 100 ICMP packets per second is very far from being a DoS attack in today's networks. That is only about 150 KB/s even if you specifically send unusually large ping messages.

16

In addition to the other answers listed here about confirming how well hardened a host is, I have used the ping -f as a poor man's bandwidth testing tool for very narrow links.

More comprehensive tools like Fluke and Iperf require a cooperating agent at both ends of your link, but if you wish to test bandwidth to a point on your network that cannot easily have a cooperating endpoint (such as a client's demarc router) then as long as the endpoint can at least reply to large ICMP echo packets then you can determine a lower bound to available bandwidth at that time.

10

Long ago, I was in a university computer lab where we had... interesting wiring. Apparently, the signal in thicknet is the same as the signal in thinnet and some engineering student had created what looked like a terminator for thicknet and thinnet smashed together... a barrel connector with 10b5 on one side and 10b2 on the other. This was obviously not anything resembling a best practice in any sense of the word.

This worked, for some definition of worked. Thicknet was a bit pickier about the standing wave in the wire than thinnet was, but we had a thicknet cable that went along one wall, this connector, and then thinnet on the other wall.

The problem occurred when we added machines to the thinnet side because we wouldn't get the standing wave right and machines would disappear from the network until we got the right combination of lengths of wire between the thinnet T plugs.

There was one machine (let's say it was at 10.10.10.10) that was plugged into a different part of the network (the 10bT part) so was completely unaffected by all of the other network changes. When we would add (or remove) machines from the network, we would set up:

ping -f 10.10.10.10 > /dev/audio

As long as packets were flowing to the machine, the speaker was making noise. Network not visible for that machine and it's silent.

And then go about trying different cables. When all of the machines were chattering away, we were done.

8

You can watch the dots from across the room while wiggling the cables to find the faulty connection.

AndreKR
1

You can definitely use it for stress testing your own machine, as others have said; however, at the place I'm interning at, the IT professional usually uses it when rebooting a machine remotely: when the machine is back online he will know, because it will start responding to the requests.

1

I've used ping -f in the past to see if my lines are dropping packets at higher rates and to see if router error counters are increasing. According to the man page only a 0 rate (which is as fast as it can go) can be executed by a super-user.

I agree with others that ping -f is not a great tool to use for this purpose. Netperf, iperf or other bandwidth tools are much better.
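
The bandwidth lower bound and packet-drop check described in the answers above, as an added example that is not part of any answer: it parses the summary iputils ping prints after a flood run over IPv4 and derives the loss percentage and a minimum throughput figure. The sample output, the function name `summarize` and the 1400-byte payload are assumptions constructed for illustration.

```python
import re

# Constructed sample of iputils `ping -f -s 1400` output over IPv4
# (illustrative values, not captured from a real host).
SAMPLE = """\
PING 10.10.10.10 (10.10.10.10) 1400(1428) bytes of data.

--- 10.10.10.10 ping statistics ---
5000 packets transmitted, 4950 received, 1% packet loss, time 10000ms
rtt min/avg/max/mdev = 0.321/0.512/3.104/0.210 ms, ipg/ewma 2.000/0.498 ms
"""

# Header line: "<payload>(<payload + 8 ICMP + 20 IPv4>) bytes of data".
HEADER = re.compile(r"^PING \S+ .*?(\d+)\((\d+)\) bytes of data", re.M)
# Summary line; tolerant of optional "+N errors," / "+N duplicates," fields.
SUMMARY = re.compile(
    r"(\d+) packets transmitted, (\d+) (?:packets )?received,.*?time (\d+)ms")


def summarize(output):
    """Return loss percentage and a lower bound on per-direction throughput."""
    header = HEADER.search(output)
    summary = SUMMARY.search(output)
    if not header or not summary:
        raise ValueError("input does not look like iputils IPv4 ping output")
    ip_bytes = int(header.group(2))            # size of each echo at the IP layer
    sent, received, elapsed_ms = (int(g) for g in summary.groups())
    if sent == 0 or elapsed_ms == 0:
        raise ValueError("no packets sent or zero elapsed time")
    # Loss as a float: ping itself rounds this to a whole percent.
    loss_pct = 100.0 * (sent - received) / sent
    # Every reply received means one request and one reply of ip_bytes each
    # crossed the path, so each direction carried at least this many bits/s.
    min_bps = received * ip_bytes * 8 * 1000 / elapsed_ms
    return {"sent": sent, "received": received,
            "loss_pct": loss_pct, "min_bps": min_bps}


if __name__ == "__main__":
    r = summarize(SAMPLE)
    print(f"loss {r['loss_pct']:.2f}%  >= {r['min_bps'] / 1e6:.2f} Mbit/s each way")
```

The figure counts IP-layer bytes only and is a floor, not a measurement: a far end that rate-limits or deprioritizes ICMP shows up here as loss or low throughput even on a healthy link.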