Ping of death

Last updated April 15, 2024

A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer.^[1] In this attack, a host sends hundreds of ping requests with a packet size that is large or illegal to another host to try to take it offline or to keep it preoccupied responding with ICMP Echo replies.^[2]

A correctly formed ping packet is typically 56 bytes in size, or 64 bytes when the Internet Control Message Protocol (ICMP) header is considered, and 84 bytes including Internet Protocol (IP) version 4 header. However, any IPv4 packet (including pings) may be as large as 65,535 bytes. Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the Internet Protocol.^[3]^[4] Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before transmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code. The excessive byte size prevents the machine from processing it effectively, impacting the cloud environment and causing disruptions in the operating system processes leading to reboots or crashes.^[5]

In early implementations of TCP/IP, this bug is easy to exploit and can affect a wide variety of systems including Unix, Linux, Mac, Windows, and peripheral devices. As systems began filtering out pings of death through firewalls and other detection methods, a different kind of ping attack known as ping flooding later appeared, which floods the victim with so many ping requests that normal traffic fails to reach the system (a basic denial-of-service attack).

The ping of death attack has been largely neutralized by advancements in technology. Devices produced after 1998 include defenses against such attacks,^{[ specify ]} rendering them resilient to this specific threat. However, in a notable development, a variant targeting IPv6 packets on Windows systems was identified, leading Microsoft to release a patch in mid-2013.^[6]

Detailed information

The maximum packet length of an IPv4 packet including the IP header is 65,535 (2¹⁶ − 1) bytes,^[3] a limitation presented by the use of a 16-bit wide IP header field that describes the total packet length.

The underlying data link layer almost always poses limits to the maximum frame size (See MTU). In Ethernet, this is typically 1500 bytes. In such a case, a large IP packet is split across multiple IP packets (also known as IP fragments), so that each IP fragment will match the imposed limit. The receiver of the IP fragments will reassemble them into the complete IP packet and continue processing it as usual.

When fragmentation is performed, each IP fragment needs to carry information about which part of the original IP packet it contains. This information is kept in the Fragment Offset field, in the IP header. The field is 13 bits long, and contains the offset of the data in the current IP fragment, in the original IP packet. The offset is given in units of 8 bytes. This allows a maximum offset of 65,528 ((2¹³-1)*8). Then when adding 20 bytes of IP header, the maximum will be 65,548 bytes, which exceeds the maximum frame size. This means that an IP fragment with the maximum offset should have data no larger than 7 bytes, or else it would exceed the limit of the maximum packet length. A malicious user can send an IP fragment with the maximum offset and with much more data than 8 bytes (as large as the physical layer allows it to be).

When the receiver assembles all IP fragments, it will end up with an IP packet which is larger than 65,535 bytes. This may possibly overflow memory buffers which the receiver allocated for the packet, and can cause various problems.

As is evident from the description above, the problem has nothing to do with ICMP, which is used only as payload, big enough to exploit the problem. It is a problem in the reassembly process of IP fragments, which may contain any type of protocol (TCP, UDP, IGMP, etc.).

The correction of the problem is to add checks in the reassembly process. The check for each incoming IP fragment makes sure that the sum of "Fragment Offset" and "Total length" fields in the IP header of each IP fragment is smaller or equal to 65,535. If the sum is greater, then the packet is invalid, and the IP fragment is ignored. This check is performed by some firewalls, to protect hosts that do not have the bug fixed. Another fix for the problem is using a memory buffer larger than 65,535 bytes for the re-assembly of the packet. (This is essentially a breaking of the specification, since it adds support for packets larger than those allowed.)

Ping of death in IPv6

In 2013, an IPv6 version of the ping of death vulnerability was discovered in Microsoft Windows. Windows TCP/IP stack did not handle memory allocation correctly when processing incoming malformed ICMPv6 packets, which could cause remote denial of service. This vulnerability was fixed in MS13-065 in August 2013.^[7]^[8] The CVE-ID for this vulnerability is CVE - 2013-3183.^[9] In 2020, another bug (CVE - 2020-16898) in ICMPv6 was found around Router Advertisement, which could even lead to remote code execution.^[10]

Related Research Articles

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address. For example, an error is indicated when a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications.

Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.

The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.

In computer networking, the maximum transmission unit (MTU) is the size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction. The MTU relates to, but is not identical to the maximum frame size that can be transported on the data link layer, e.g., Ethernet frame.

ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software.

The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP. TCP provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications running on hosts communicating via an IP network. Major internet applications such as the World Wide Web, email, remote administration, and file transfer rely on TCP, which is part of the Transport layer of the TCP/IP suite. SSL/TLS often runs on top of TCP.

In computing, traceroute and tracert are computer network diagnostic commands for displaying possible routes (paths) and measuring transit delays of packets across an Internet Protocol (IP) network. The history of the route is recorded as the round-trip times of the packets received from each successive host in the route (path); the sum of the mean times in each hop is a measure of the total time spent to establish the connection. Traceroute proceeds unless all sent packets are lost more than twice; then the connection is lost and the route cannot be evaluated. Ping, on the other hand, only computes the final round-trip times from the destination point.

In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages to other hosts on an Internet Protocol (IP) network. Within an IP network, UDP does not require prior communication to set up communication channels or data paths.

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host.

The maximum segment size (MSS) is a parameter of the Options field of the TCP header that specifies the largest amount of data, specified in bytes, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header. The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.

A network socket is a software structure within a network node of a computer network that serves as an endpoint for sending and receiving data across the network. The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture. Sockets are created only during the lifetime of a process of an application running in the node.

Internet Control Message Protocol version 6 (ICMPv6) is the implementation of the Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6). ICMPv6 is an integral part of IPv6 and performs error reporting and diagnostic functions.

An ICMP tunnel establishes a covert connection between two remote computers, using ICMP echo requests and reply packets. An example of this technique is tunneling complete TCP traffic over ping requests and replies.

Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in Internet Protocol Version 4 (IPv4). However, all modern operating systems use it on endpoints. In IPv6, this function has been explicitly delegated to the end points of a communications session. As an extension to the standard path MTU discovery, a technique called Packetization Layer Path MTU Discovery works without support from ICMP.

The internet layer is a group of internetworking methods, protocols, and specifications in the Internet protocol suite that are used to transport network packets from the originating host across network boundaries; if necessary, to the destination host specified by an IP address. The internet layer derives its name from its function facilitating internetworking, which is the concept of connecting multiple networks with each other through gateways.

IP fragmentation attacks are a kind of computer security attack based on how the Internet Protocol (IP) requires data to be transmitted and processed. Specifically, it invokes IP fragmentation, a process used to partition messages from one layer of a network into multiple smaller payloads that can fit within the lower layer's protocol data unit (PDU). Every network link has a maximum size of messages that may be transmitted, called the maximum transmission unit (MTU). If the SDU plus metadata added at the link layer exceeds the MTU, the SDU must be fragmented. IP fragmentation attacks exploit this process as an attack vector.

An IP header is header information at the beginning of an Internet Protocol (IP) packet. An IP packet is the smallest message entity exchanged via the Internet Protocol across an IP network. IP packets consist of a header for addressing and routing, and a payload for user data. The header contains information about IP version, source IP address, destination IP address, time-to-live, etc. The payload of an IP packet is typically a datagram or segment of the higher-level transport layer protocol, but may be data for an internet layer or link layer instead.

An IPv6 packet is the smallest message entity exchanged using Internet Protocol version 6 (IPv6). Packets consist of control information for addressing and routing and a payload of user data. The control information in IPv6 packets is subdivided into a mandatory fixed header and optional extension headers. The payload of an IPv6 packet is typically a datagram or segment of the higher-level transport layer protocol, but may be data for an internet layer or link layer instead.

The Stream Control Transmission Protocol (SCTP) is a computer networking communications protocol in the transport layer of the Internet protocol suite. Originally intended for Signaling System 7 (SS7) message transport in telecommunication, the protocol provides the message-oriented feature of the User Datagram Protocol (UDP), while ensuring reliable, in-sequence transport of messages with congestion control like the Transmission Control Protocol (TCP). Unlike UDP and TCP, the protocol supports multihoming and redundant paths to increase resilience and reliability.

References

↑ Abdollahi, Asrin; Fathi, Mohammad (2020-01-23). "An Intrusion Detection System on Ping of Death Attacks in IoT Networks". Wireless Personal Communications. 112 (4): 2057–2070. doi:10.1007/s11277-020-07139-y. ISSN 0929-6212. S2CID 213121777.
↑ Elleithy, Khaled; Blagovic, Drazen; Cheng, Wang; Sideleau, Paul (2005-01-01). "Denial of Service Attack Techniques: Analysis, Implementation and Comparison". School of Computer Science & Engineering Faculty Publications.
1 2 J. Postel, ed. (September 1981). INTERNET PROTOCOL - DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION. IETF. doi: 10.17487/RFC0791 . STD 5. RFC 791.IEN 128, 123, 111, 80, 54, 44, 41, 28, 26.Internet Standard 5. Obsoletes RFC 760. Updated by RFC 1349, 2474 and 6864.
↑ Erickson, Jon (2008). HACKING the art of exploitation (2nd ed.). San Francisco: NoStarch Press. p. 256. ISBN 978-1-59327-144-2.
↑ Bhardwaj, Akashdeep (2023-06-12), "Solutions for DDoS Attacks on Cloud Environment", New Age Cyber Threat Mitigation for Cloud Computing Networks, BENTHAM SCIENCE PUBLISHERS, pp. 42–55, ISBN 978-981-5136-11-1 , retrieved 2024-02-09
↑ "Ping of death DDoS attack". Cloudflare.
↑ "Microsoft Security Bulletin MS13-065 - Important". Microsoft. August 13, 2013. Retrieved February 25, 2017.
↑ Jackson, Joab (Aug 13, 2013). "Microsoft Patch Tuesday: The Ping of Death returns, IPv6-style" . Retrieved February 25, 2017.
↑ "CVE - CVE-2013-3183". The MITRE Corporation. Retrieved February 25, 2017.
↑ "CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability". Microsoft. October 13, 2020. Retrieved October 14, 2020.

External links

The Ping o' Death Page at the Wayback Machine (archived December 6, 1998)
Ping of death at Insecure.Org

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Abdollahi, Asrin; Fathi, Mohammad (2020-01-23). "An Intrusion Detection System on Ping of Death Attacks in IoT Networks". Wireless Personal Communications. 112 (4): 2057–2070. doi:10.1007/s11277-020-07139-y. ISSN 0929-6212. S2CID 213121777.

[2] Elleithy, Khaled; Blagovic, Drazen; Cheng, Wang; Sideleau, Paul (2005-01-01). "Denial of Service Attack Techniques: Analysis, Implementation and Comparison". School of Computer Science & Engineering Faculty Publications.

[rfc791-3] 1 2 J. Postel, ed. (September 1981). INTERNET PROTOCOL - DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION. IETF. doi: 10.17487/RFC0791 . STD 5. RFC 791.IEN 128, 123, 111, 80, 54, 44, 41, 28, 26.Internet Standard 5. Obsoletes RFC 760. Updated by RFC 1349, 2474 and 6864.

[ERICK2008-4] Erickson, Jon (2008). HACKING the art of exploitation (2nd ed.). San Francisco: NoStarch Press. p. 256. ISBN 978-1-59327-144-2.

[5] Bhardwaj, Akashdeep (2023-06-12), "Solutions for DDoS Attacks on Cloud Environment", New Age Cyber Threat Mitigation for Cloud Computing Networks, BENTHAM SCIENCE PUBLISHERS, pp. 42–55, ISBN 978-981-5136-11-1 , retrieved 2024-02-09

[6] "Ping of death DDoS attack". Cloudflare.

[7] "Microsoft Security Bulletin MS13-065 - Important". Microsoft. August 13, 2013. Retrieved February 25, 2017.

[8] Jackson, Joab (Aug 13, 2013). "Microsoft Patch Tuesday: The Ping of Death returns, IPv6-style" . Retrieved February 25, 2017.

[9] "CVE - CVE-2013-3183". The MITRE Corporation. Retrieved February 25, 2017.

[10] "CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability". Microsoft. October 13, 2020. Retrieved October 14, 2020.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]