What is a ping of death attack?
Imagine a machine, such as a laptop or a server, that unscrupulous hackers want to freeze or crash. To do so, they target it with a ping of death (PoD) attack. The PoD is a type of denial-of-service attack: it sends the targeted machine a packet that is bigger than the maximum allowable size.
How does a ping of death attack work?
Before a PoD attack, a hacker sends a normal ping to the targeted machine and receives an echo reply. This confirms that the connection between the source machine and the target machine is intact.
These ping packets are usually very small. IPv4 limits a packet to a maximum size of 65,535 bytes. To launch a PoD attack, the hacker sends ping packets larger than 110,000 bytes to the target machine.
Since TCP/IP systems can't handle packets of that size in one piece, the packet is broken into fragments, each well below the maximum size. The target machine then tries to put the fragments back together. The reassembled packet exceeds the limit, resulting in a buffer overflow that causes the target machine to crash, freeze or reboot.
This sort of attack can also be transmitted over TCP, UDP and IPX: basically, anything that sends an IP datagram.
How is a ping of death DDoS attack mitigated?
There are a number of security measures that help protect against DDoS attacks. You can either allocate a memory buffer with enough leeway to handle packets that exceed the normal limit, or add checks during the packet reassembly process that reject reconstructed packets that are too large.
For devices manufactured after 1998, the Ping of Death attack is nothing to worry about. However, some legacy equipment is still susceptible to PoD attacks.
A new Ping of Death attack affecting IPv6 packets was discovered and patched in mid-2013. Additionally, Cloudflare's servers can protect you against DDoS by discarding malformed packets before they reach the host.
Prevent a ping flood in 4 steps
To prevent a ping flood, here are four things you should always do:
- Keep your software updated. Developers patch vulnerabilities in their software as they are discovered, so install updates for your apps right away.
- Filter the traffic. You can block fragmented pings from devices on your network; as a system administrator, you can allow only standard pings to go through.
- Reassembly assessment. System administrators should review the packet size limits enforced during reassembly. If reassembled packets are allowed to exceed the limit, a crash may be imminent.
- Use a buffer. Create an overflow buffer to handle packets that exceed the allowable size.
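As an added example (not code from the original article), here is how the reassembly check from the mitigation section and the "block fragmented pings" filter from step 2 can be expressed in Python over constructed IPv4/ICMP fragment headers; all function names and sample packets are the example's own.

```python
import struct
from dataclasses import dataclass

IP_MAX_LEN = 65535   # largest IPv4 datagram the protocol allows (the limit the text refers to)
ICMP = 1             # IP protocol number for ICMP

@dataclass
class Fragment:
    ident: int        # Identification field shared by all fragments of one datagram
    proto: int        # upper-layer protocol (1 = ICMP)
    offset: int       # byte offset of this fragment's payload within the original datagram
    more: bool        # More Fragments (MF) flag
    payload_len: int  # bytes of payload carried by this fragment

def parse_ipv4_fragment(pkt: bytes) -> Fragment:
    """Extract the fragmentation fields from a raw IPv4 header (RFC 791 layout)."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    more = bool(flags_frag & 0x2000)           # bit 13 is MF
    offset = (flags_frag & 0x1FFF) * 8         # low 13 bits, in 8-byte units
    return Fragment(ident, proto, offset, more, total_len - ihl)

def reassembly_ok(frag: Fragment) -> bool:
    """Reassembly check: a fragment whose last byte would land beyond 65,535 cannot belong to any legal datagram."""
    return frag.offset + frag.payload_len <= IP_MAX_LEN

def is_fragmented_icmp(frag: Fragment) -> bool:
    """Filter rule from step 2: a ping that arrives in pieces (MF set or a non-zero offset)."""
    return frag.proto == ICMP and (frag.more or frag.offset != 0)

def build_fragment(ident: int, offset: int, more: bool, payload_len: int) -> bytes:
    """Construct a sample IPv4/ICMP fragment for the demo (constructed data, not a real capture)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, ICMP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x00" * payload_len

def triage(pkts):
    """Apply the reassembly check to every fragment; returns (accepted, dropped) counts."""
    verdicts = [reassembly_ok(parse_ipv4_fragment(p)) for p in pkts]
    return sum(verdicts), len(verdicts) - sum(verdicts)

# A legitimate large ping split at a 1500-byte MTU (three fragments), followed by a
# Ping-of-Death style final fragment at the highest encodable offset (8191 * 8 = 65,528).
BENIGN = [build_fragment(0x1234, off, True, 1480) for off in range(0, 2960, 1480)]
BENIGN.append(build_fragment(0x1234, 2960, False, 100))
POD = build_fragment(0x1235, 65528, False, 1480)   # 65,528 + 1,480 bytes > 65,535
```

`triage(BENIGN)` returns `(3, 0)` while `triage(BENIGN + [POD])` returns `(3, 1)`: the oversized fragment is rejected before any buffer is touched, instead of being stored for a reassembly that can never be valid.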
The Ping Command
To understand how a ping of death attack occurs, let us take a look at a network utility called "ping." To check network connectivity, users send a "ping" command. It works much like a pulse: a signal is sent out, and the machine waits for an echo signal in return, an Internet Control Message Protocol (ICMP) echo-reply message to be precise.
These pings are limited to 65,535 bytes max. Anything exceeding it can crash the target system.
Changing Ping into a Ping of Death Command
Unscrupulous hackers employ the ping command to trigger a ping of death. To accomplish this, they create a simple loop that sends pings bigger than the 65,535-byte limit to the target machine. The machine crashes while trying to put these larger-than-normal pings together.
Exploiting the Vulnerability
The rules of Internet Protocol (IP) only allow for packets of up to 65,535 bytes. To circumvent this limit, attackers send fragments of data that exceed this limit once reconstructed on the target system. The oversized packet ends up causing a memory overflow, triggering a crash or reboot on the target machine.
Does the Ping of Death Still Work?
The PoD first appeared in the mid-1990s. By 1998, hardware manufacturers had incorporated security features that made computers and internet devices immune to these types of attacks.
You only need to worry about ping of death attacks if:
- You have old legacy equipment.
- You run an unpatched copy of Windows XP or Windows Server 2013, which were affected by a weakness in OpenType fonts.
- Your Windows system is still missing the October 2020 patch for the TCPIP.sys kernel driver.
How To Protect My Organization from the Ping of Death?
Here are some steps you can take:
- Avoid using legacy equipment manufactured before 1998.
- ICMP ping messages should be blocked through firewalls.
- DDoS Protection services take care of malformed packets before they reach the target machine.
FAQs
What is a ping of death attack?
It is a type of denial-of-service attack that happens as hackers overload a target system with larger-than-normal data packets and ICMP ping messages.
Is a ping of death attack worrying today?
Modern hardware manufacturers have made ping of death attacks extinct. Still, ping of death attacks can happen by exploiting software or platform vulnerabilities.
How can my organization protect itself from the ping of death attacks?
Make sure you keep your computer systems and devices updated and patched. Also, avoid legacy equipment. Additionally, you can set up a firewall that blocks ICMP ping messages. And lastly, you can use services that offer distributed-denial-of-service (DDoS) protection features.