Ping of Death (PoD) is a DoS (Denial of Service) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets with a simple ping command.
FREMONT, CA: PoD attacks exploit legacy weaknesses that may already have been patched in target systems, but on an unpatched system the attack is still relevant and dangerous. Lately, a new type of PoD attack, commonly known as a ping flood, has become popular: the targeted system is hit with ICMP packets sent through ping as rapidly as possible, without waiting for replies.
Attack description
The largest correctly formed IPv4 packet, IP header included, is 65,535 bytes; a normal ping packet is far smaller, at 84 bytes in total. Many historical computer systems simply could not handle larger packets and would crash if they received one.
This bug was readily exploited in early TCP/IP implementations of many operating systems, including Windows, Mac, Unix, and Linux, and of network devices such as printers and routers.
Since sending a ping packet larger than 65,535 bytes violates the Internet Protocol, attackers instead send the malformed datagram as a series of fragments. When the target system reassembles the fragments and ends up with an oversized packet, the reassembly buffer can overflow, leading to various system problems, including crashes.
Ping of Death attacks were particularly effective because the attacker's source address could easily be spoofed. A Ping of Death attacker also needed no detailed knowledge of the machine under attack beyond its IP address.
Note that this vulnerability, although best known for its exploitation in PoD attacks, can be triggered by anything that sends an IP datagram: ICMP echo, TCP, UDP, and IPX.
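The defence a patched IP stack (or a filtering firewall) applies is to validate each fragment's offset and length against the 65,535-byte limit before buffering it, rather than discovering the overshoot only after reassembly. The toy reassembler below is an added example written for this article, not code from the page or from any particular operating system; it assumes a 20-byte IP header (no options), keys datagrams on (source, destination, IP ID, protocol) so that the same check covers ICMP, TCP and UDP, and feeds itself constructed fragments rather than captured packets.

```python
from collections import defaultdict

MAX_IPV4_DATAGRAM = 65_535   # the IPv4 total-length field is 16 bits
IPV4_HEADER_LEN = 20         # assumption: no IP options in the header
FRAG_OFFSET_MAX = 8_191      # the 13-bit fragment-offset field, counted in 8-byte units


class OversizedDatagram(ValueError):
    """A fragment would push the reassembled datagram past MAX_IPV4_DATAGRAM."""


def fragment_end(offset_units, payload_len):
    """Byte at which this fragment's payload ends in the reassembled datagram."""
    if not 0 <= offset_units <= FRAG_OFFSET_MAX:
        raise ValueError("fragment offset out of range")
    return IPV4_HEADER_LEN + offset_units * 8 + payload_len


def check_fragment(offset_units, payload_len):
    """Validate a fragment before it is buffered: header + offset*8 + length
    must fit within the 65,535-byte limit. Returns the end byte or raises."""
    end = fragment_end(offset_units, payload_len)
    if end > MAX_IPV4_DATAGRAM:
        raise OversizedDatagram(
            f"fragment would end at byte {end}; limit is {MAX_IPV4_DATAGRAM}")
    return end


class Reassembler:
    """Collects fragments per (src, dst, ip_id, protocol) and rebuilds the payload."""

    def __init__(self):
        self._bufs = defaultdict(dict)   # key -> {offset_units: payload bytes}
        self._total = {}                 # key -> payload length, set by the MF=0 fragment
        self.dropped = []                # (key, reason) for rejected datagrams

    def add(self, key, offset_units, more_fragments, payload):
        """Feed one fragment. Returns the complete payload once all pieces are in, else None."""
        try:
            end = check_fragment(offset_units, len(payload))
        except OversizedDatagram as exc:
            # Reject before touching the buffer; an unpatched stack would instead
            # copy past the end of its reassembly buffer at this point.
            self.dropped.append((key, str(exc)))
            self._bufs.pop(key, None)
            self._total.pop(key, None)
            return None
        self._bufs[key][offset_units] = payload
        if not more_fragments:
            self._total[key] = end - IPV4_HEADER_LEN
        return self._try_assemble(key)

    def _try_assemble(self, key):
        if key not in self._total:
            return None                  # last fragment not seen yet
        total = self._total[key]
        data = bytearray(total)
        covered = 0
        for off in sorted(self._bufs[key]):
            chunk = self._bufs[key][off]
            start = off * 8
            if start != covered:
                return None              # gap or overlap: cannot assemble yet
            data[start:start + len(chunk)] = chunk
            covered = start + len(chunk)
        if covered != total:
            return None
        del self._bufs[key]
        del self._total[key]
        return bytes(data)


if __name__ == "__main__":
    r = Reassembler()
    # Constructed input: a normal 84-byte ping (20 IP + 8 ICMP + 56 data) in one fragment.
    ok = r.add(("10.0.0.1", "10.0.0.2", 1, 1), 0, False, b"\x08" * 64)
    print("normal ping payload bytes:", len(ok))
    # Constructed input: a final fragment whose offset*8 + length overshoots the limit.
    bad = r.add(("10.0.0.9", "10.0.0.2", 2, 1), 8189, False, b"\x00" * 40)
    print("oversized datagram:", bad, "->", r.dropped[-1][1])
```

The check in check_fragment is the whole point: a fragment at offset 8189 (65,512 bytes in) with 3 bytes of payload still fits, but one more byte would exceed the limit and is dropped before any buffer is written. Because the rejection happens per fragment and per protocol, it does not require blocking ICMP at all.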
Methods of mitigation
Many sites block ICMP ping messages at their firewall to prevent PoD attacks and their variants. This approach is not viable in the long term, however.
First, invalid-packet attacks can be directed at any listening port, such as FTP ports, and you may not want to block all of these for operational reasons.
Second, blocking ping messages also prevents legitimate use of ping, and there are still utilities that rely on ping, for example to check that connections are alive.