Ping of death
A ping of death is a type of attack on a computer system that involves sending a
A correctly formed ping packet is typically 56
In early implementations of
The ping of death attack has been largely neutralized by advancements in technology. Devices produced after 1998 include defenses against such attacks, rendering them resilient to this specific threat. However, a variant targeting IPv6 packets on Windows systems was later identified, leading Microsoft to release a patch in mid-2013.[6]
Detailed information
The maximum packet length of an IPv4 packet including the IP header is 65,535 (2^16 − 1) bytes,[3] a limitation presented by the use of a 16-bit wide IP header field that describes the total packet length.
The underlying data link layer almost always imposes a limit on the maximum frame size (see MTU). In Ethernet, this is typically 1500 bytes. In such a case, a large IP packet is split across multiple IP packets (also known as IP fragments), so that each IP fragment fits within the imposed limit. The receiver of the IP fragments will reassemble them into the complete IP packet and continue processing it as usual.
When
When the receiver assembles all IP fragments, it will end up with an IP packet which is larger than 65,535 bytes. This may overflow the memory buffers which the receiver allocated for the packet, and can cause various problems.
As is evident from the description above, the problem has nothing to do with ICMP, which is used only as payload, big enough to exploit the problem. It is a problem in the reassembly process of IP fragments, which may contain any type of protocol (TCP, UDP, IGMP, etc.).
The correction of the problem is to add checks in the reassembly process. The check for each incoming IP fragment makes sure that the sum of the "Fragment Offset" and "Total length" fields in the IP header of each IP fragment is less than or equal to 65,535. If the sum is greater, then the packet is invalid, and the IP fragment is ignored. This check is performed by some firewalls, to protect hosts that do not have the bug fixed. Another fix for the problem is using a memory buffer larger than 65,535 bytes for the reassembly of the packet. (This is essentially a breaking of the specification, since it adds support for packets larger than those allowed.)
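The per-fragment check described above can be written as follows. This is an added example, not code from any particular IP stack or firewall; the function and enum names are assumptions of the example, the headers are constructed test data, and it relies on the fact that the 13-bit Fragment Offset field counts 8-byte units, so it is converted to bytes before being added to Total Length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define IPV4_MAX_LEN 65535u  /* largest value the 16-bit Total Length field can hold */

/* Verdicts returned by check_fragment() (names are this example's own). */
enum frag_verdict { FRAG_OK = 0, FRAG_MALFORMED = 1, FRAG_OVERSIZE = 2 };

/* Decide whether the IPv4 fragment whose header starts at hdr (len bytes
 * available) may be handed to reassembly. */
enum frag_verdict check_fragment(const uint8_t *hdr, size_t len)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return FRAG_MALFORMED;

    uint32_t ihl       = (uint32_t)(hdr[0] & 0x0F) * 4;     /* header length in bytes */
    uint32_t total_len = ((uint32_t)hdr[2] << 8) | hdr[3];  /* header + data of this fragment */
    uint32_t frag_word = ((uint32_t)hdr[6] << 8) | hdr[7];  /* flags (3 bits) + offset (13 bits) */
    uint32_t offset    = (frag_word & 0x1FFF) * 8;          /* offset field is in 8-byte units */

    if (ihl < 20 || ihl > len || total_len < ihl)
        return FRAG_MALFORMED;

    /* offset + total length is where this fragment ends in the reassembled
     * packet; 32-bit arithmetic keeps the sum itself from wrapping. */
    if (offset + total_len > IPV4_MAX_LEN)
        return FRAG_OVERSIZE;
    return FRAG_OK;
}

/* Build a constructed 20-byte header: offset in 8-byte units, total length in bytes. */
void make_header(uint8_t out[20], uint16_t offset_units, uint16_t total_len, int more_frags)
{
    uint16_t fw = (uint16_t)((more_frags ? 0x2000 : 0) | (offset_units & 0x1FFF));
    for (int i = 0; i < 20; i++) out[i] = 0;
    out[0] = 0x45;                                           /* version 4, IHL 5 */
    out[2] = (uint8_t)(total_len >> 8); out[3] = (uint8_t)(total_len & 0xFF);
    out[6] = (uint8_t)(fw >> 8);        out[7] = (uint8_t)(fw & 0xFF);
    out[9] = 1;                                              /* protocol: ICMP */
}

int main(void)
{
    uint8_t h[20];
    make_header(h, 185, 1500, 1);    /* ordinary fragment, ends at byte 2980 */
    printf("normal fragment:   %d\n", check_fragment(h, sizeof h));
    make_header(h, 8189, 1500, 0);   /* would end at byte 67012 */
    printf("oversize fragment: %d\n", check_fragment(h, sizeof h));
    return 0;
}
```

A fragment that fails the check is dropped before any of its data is copied into the reassembly buffer, which is why the same test works both in a host's IP stack and in a firewall in front of an unpatched host.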
Ping of death in IPv6
In 2013, an IPv6 version of the ping of death vulnerability was discovered in
References
- S2CID 213121777.
- Elleithy, Khaled; Blagovic, Drazen; Cheng, Wang; Sideleau, Paul (2005-01-01). "Denial of Service Attack Techniques: Analysis, Implementation and Comparison". School of Computer Science & Engineering Faculty Publications.
- ^ .
- ISBN 978-1-59327-144-2.
- ISBN 978-981-5136-11-1, retrieved 2024-02-09
- "Ping of death DDoS attack". Cloudflare.
- "Microsoft Security Bulletin MS13-065 - Important". Microsoft. August 13, 2013. Retrieved February 25, 2017.
- Jackson, Joab (Aug 13, 2013). "Microsoft Patch Tuesday: The Ping of Death returns, IPv6-style". Retrieved February 25, 2017.
- "CVE - CVE-2013-3183". The MITRE Corporation. Retrieved February 25, 2017.
- "CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability". Microsoft. October 13, 2020. Retrieved October 14, 2020.
External links
- The Ping o' Death Page at the Wayback Machine (archived December 6, 1998)
- Ping of death at Insecure.Org