What is a Ping of Death?
Ping of Death (POD) is a form of denial-of-service (DoS) attack that exploits vulnerabilities in the fragmentation of Internet Control Message Protocol (ICMP) packets. By sending malformed or oversized ICMP packets, attackers can crash, freeze, or reboot victims’ systems.
How Does a Ping of Death Attack Work?
The Ping of Death attack involves exploiting the ICMP protocol and IP fragmentation. Here’s a quick overview of how it works:
- The attacker sends an ICMP (ping) packet that is larger than the maximum allowed size of 65,535 bytes.
- This oversized packet gets fragmented into multiple, smaller packets by the attacker’s system before sending.
- The receiving system tries to reassemble these fragments back into the larger packet.
- The reassembly process fails because the packet exceeds the maximum size, causing the system to crash or freeze.
The key is that fragmented packets do not contain information about the overall size of the original large packet. So, the receiving system has no way to know if the final reassembled packet will exceed the allowed size until it’s too late.
This attack can be performed using readily available tools and can target various operating systems and devices including routers, firewalls, and servers. Some systems are more vulnerable than others depending on how they handle packet reassembly.
History and Discovery of the Ping of Death
The Ping of Death was first presented in 1996 by a group of security researchers. It gained widespread notoriety when it was used to crash machines running Windows 95 and Windows NT operating systems.
At the time, it also affected many router and firewall vendors. The Ping of Death highlighted inherent weaknesses in the TCP/IP suite’s handling of fragmented packets.
After its discovery, the Ping of Death vector was widely shared online and became exploited by attackers to take down victims’ systems. It exemplified the rising threat that denial-of-service and similar attacks posed in the late 1990s as Internet adoption began to grow rapidly.
Preventing Ping of Death Attacks
There are several methods to prevent or mitigate Ping of Death attacks:
Patch Systems
Vendors released patches for operating systems and network devices that implemented better packet reassembly and fragmentation handling. Keeping systems patched and updated is one of the best protections.
Block ICMP at the Firewall
Network perimeter firewalls can be configured to block all incoming ICMP packets to prevent pings from reaching vulnerable systems. However, this can also block legitimate troubleshooting pings.
Reduce Fragmentation
Adjust the Maximum Transmission Unit (MTU) on networks to reduce the need for fragmentation. Attackers rely on fragmentation to hide the packet sizes.
Intrusion Detection Systems
Network and host-based IDS can detect abnormal fragmentation and block oversized ICMP packets. Signatures can identify Ping of Death and other fragmentation exploits.
Packet Size Validation
Performing checks on packet sizes during reassembly can prevent buffer overflow or errors when the fragments exceed limits. Dropping oversized packets mitigates the risk.
Ping of Death in Cloud Environments
With the widespread adoption of cloud computing and virtualization, Ping of Death has evolved as a threat vector in these environments.
- Attacking hypervisors: The virtualization hypervisor that manages guest virtual machines (VMs) can be targeted by sending malformed pings to its management interfaces. This can lead to DoS conditions for multiple hosted VMs.
- Cross-VM attacks: Ping packets can be crafted to exploit VM isolation boundaries and impact adjacent VMs hosted on a compromised hypervisor.
- Cloud instance flooding: Cloud instances or containers with public IP addresses can be bombarded with high volumes of Ping of Death payloads, consuming resources.
- Cloud network saturation: High traffic volumes of large ping packets directed at cloud-based network infrastructure components, like load balancers, can saturate internal bandwidth.
Ongoing Ping of Death Threats
While patches, firewalls, and other measures can prevent Ping of Death attacks, vulnerabilities related to IP fragmentation handling still persist. Some key risks include:
- Protocol design flaws: Fundamental IP fragmentation issues enable various fragment manipulation attacks, of which Ping of Death is one type. These flaws cannot be completely patched.
- Embedded devices: Many modern embedded systems and IoT devices lack fragmentation handling protections and can be taken down using Ping of Death techniques.
- Protocol-aware firewalls: Legacy firewalls without deep packet inspection often fail to detect fragmentation exploits.
- IPv6: Expanding IPv6 adoption reopens fragmentation and reassembly vulnerabilities if not implemented properly by vendors.
Overall, Ping of Death represents the ingenuity of attackers to find and leverage low-level protocol weaknesses for malicious purposes.
Defending Against Ping of Death with Imperva DDoS Protection
Imperva DDoS Protection proxies all incoming traffic to block network layer (layer 3/4) attacks or malformed packets, such as Ping of Death, from reaching an organization’s infrastructure.
Imperva secures websites, networks, DNS servers and individual IPs from the largest and most sophisticated types of DDoS attacks. The cloud-based service keeps businesses up and running, even if they’re under attack, with minimal business disruption.
Imperva DDoS Protection is part of the Imperva Application Security Platform, which also consists of the market-leading web application firewall (WAF), Advanced Bot Protection, API Security, and more.
