Ping of Death (PoD)
A ping of death (PoD) is a cyberattack in which a malformed, oversized ICMP echo request packet (a "ping") is sent to a target machine so that the target overflows its input buffers and crashes. A similar attack, the ICMP flood, is more common today than a ping of death attack.
The ping of death is a denial-of-service (DoS) attack that typically targets legacy weaknesses which have long since been patched. A DoS attack is intended to shut down a machine or network so that users cannot access it, either by flooding the target with traffic or by sending it input that triggers a crash. A ping of death happens when an attacker sends a computer oversized data packets that cause it to crash or freeze. The vulnerabilities it exploits have been patched and mitigated in most organizations: the ping of death dates from the 1990s, most computers are now protected against it, and many websites block Internet Control Message Protocol (ICMP) messages altogether.
ICMP is critical for error reporting and testing. It is a network-layer protocol that devices use to diagnose network communication problems, and it lets you check whether data is reaching the correct destination in a timely and expected way. For these reasons, ICMP is widely used on network devices such as routers. If a router receives a data packet that is too large, it drops the packet and sends an ICMP message back to the originating source. ICMP also underpins network diagnostics: both traceroute and ping are built on it. The traceroute utility shows the connections and the route between two Internet locations, reporting each trip between routers as a hop together with the time it took.
Oversized packets are the basis of ping of death attacks. An Internet Protocol version 4 (IPv4) packet has a maximum size of 65,535 bytes. The IPv4 header occupies at least 20 bytes of that and is laid out in 32-bit words. It contains 13 fields describing, among other things, the protocol carried, the packet length, and the source and destination addresses.
Most systems simply cannot handle a larger packet. Sending a 65,536-byte ping packet violates RFC 791, but such a packet can still be delivered if it is fragmented. The targeted computer reassembles the fragments on receipt, and a buffer overflow can occur during reassembly, often crashing the system. Anything that can send IP datagrams can trigger this vulnerability.
So, when the attacker transmits an oversized packet to the target, the packet is fragmented into segments, each below the maximum size limit. When the target machine attempts to put the pieces back together, the total exceeds the size limit. At that point, a buffer overflow causes the target machine to freeze or crash.
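The reassembly bounds problem described above, shown as an added example (this is illustrative code written for this article, not any operating system's network stack or Bugcrowd's code). The struct names, the `naive_check_passes`/`fragment_fits` pair and the sample fragment train are all constructed for the example; only the RFC 791 constants are real. The naive check looks only at where a fragment starts, which every 13-bit fragment offset passes; the hardened check also requires the fragment to end within the 65,535-byte maximum before anything is copied into the reassembly buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 791 limits (real values). */
#define IP_MAX_DATAGRAM 65535u   /* largest Total Length an IPv4 datagram may declare */
#define IP_HDR_LEN      20u      /* IPv4 header without options */
#define IP_FRAG_UNIT    8u       /* the Fragment Offset field counts 8-byte units */

/* What a reassembler learns from one fragment's IP header.
   Hypothetical struct for this example, not a real stack's type. */
typedef struct {
    uint16_t frag_offset;   /* 13-bit Fragment Offset field, in 8-byte units */
    uint16_t payload_len;   /* bytes of data carried after the IP header */
} ip_fragment_t;

/* Reassembly buffer sized to the largest legal datagram: header first, then data. */
typedef struct {
    uint8_t  data[IP_MAX_DATAGRAM];
    uint32_t total_len;     /* Total Length the reassembled datagram has reached so far */
} reassembly_ctx_t;

/* Byte position just past this fragment's data inside the reassembled datagram.
   Computed in 32 bits so the sum cannot silently wrap in a 16-bit field. */
uint32_t fragment_end(const ip_fragment_t *f)
{
    return IP_HDR_LEN + (uint32_t)f->frag_offset * IP_FRAG_UNIT + f->payload_len;
}

/* The check a ping of death slips past: it only asks whether the fragment *starts*
   inside a legal datagram, which every 13-bit offset does. */
bool naive_check_passes(const ip_fragment_t *f)
{
    return (uint32_t)f->frag_offset * IP_FRAG_UNIT < IP_MAX_DATAGRAM;
}

/* Hardened check: the fragment must also *end* inside a legal datagram. */
bool fragment_fits(const ip_fragment_t *f)
{
    return fragment_end(f) <= IP_MAX_DATAGRAM;
}

/* Copy one fragment into the buffer only after the bounds check. A rejected fragment
   leaves the buffer untouched. Returns true when the fragment was accepted. */
bool reassemble_fragment(reassembly_ctx_t *ctx, const ip_fragment_t *f, const uint8_t *payload)
{
    if (!fragment_fits(f))
        return false;
    uint32_t start = IP_HDR_LEN + (uint32_t)f->frag_offset * IP_FRAG_UNIT;
    memcpy(ctx->data + start, payload, f->payload_len);  /* in bounds: start + payload_len <= 65535 */
    uint32_t end = fragment_end(f);
    if (end > ctx->total_len)
        ctx->total_len = end;
    return true;
}

/* Run a whole fragment train through a fresh reassembly buffer. Returns the Total Length
   reached and stores how many fragments were accepted in *accepted. */
uint32_t reassemble_train(const ip_fragment_t *frags, int n, int *accepted)
{
    static reassembly_ctx_t ctx;          /* static: 64 KiB is too large for a small stack */
    static uint8_t filler[2048];          /* constructed payload bytes; contents are irrelevant */
    memset(&ctx, 0, sizeof ctx);
    memset(filler, 0xAB, sizeof filler);
    *accepted = 0;
    for (int i = 0; i < n; i++) {
        if ((size_t)frags[i].payload_len > sizeof filler)
            continue;                     /* larger than this example's filler; skip */
        if (reassemble_fragment(&ctx, &frags[i], filler))
            (*accepted)++;
    }
    return ctx.total_len;
}

int main(void)
{
    /* Constructed sample train: three 1480-byte fragments of a normal large ping,
       followed by one fragment whose offset puts its end past 65,535 bytes. */
    ip_fragment_t train[] = {
        { .frag_offset = 0,    .payload_len = 1480 },
        { .frag_offset = 185,  .payload_len = 1480 },
        { .frag_offset = 370,  .payload_len = 1480 },
        { .frag_offset = 8191, .payload_len = 100 },   /* 20 + 65528 + 100 = 65648 */
    };
    int accepted = 0;
    uint32_t total = reassemble_train(train, 4, &accepted);
    for (int i = 0; i < 4; i++)
        printf("fragment %d: end=%u naive=%s hardened=%s\n", i, fragment_end(&train[i]),
               naive_check_passes(&train[i]) ? "pass" : "reject",
               fragment_fits(&train[i]) ? "pass" : "reject");
    printf("accepted %d of 4 fragments, reassembled Total Length %u\n", accepted, total);
    return 0;
}
```

The boundary is worth noting: with a 20-byte header, the last byte of data can sit at most at position 65,535, so a fragment at offset field 8189 (byte 65,512) may carry three bytes but not four, and any fragment at offset field 8191 (byte 65,528) cannot carry data at all. The naive check passes all of them; only the end-of-fragment check catches the overrun.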
An IPv6 version of the ping of death vulnerability was discovered in Microsoft Windows nearly ten years ago. The Windows TCP/IP stack did not handle memory allocation correctly while handling certain types of ICMPv6 packets. The result was a remote denial of service.
This vulnerability (CVE-2013-3183) was fixed in MS13-065 in August 2013. The flaw was in TCPIP.sys, a kernel-mode driver, so exploiting it reaches the core of any Windows system. When a threat actor successfully exploits the flaw, the most likely result is a hard crash of the computer.
Older computers and equipment can still be vulnerable to the ping of death if they have not been adequately patched and updated. The best prevention is to retire legacy equipment and to make sure that updates and patches are applied consistently. Technical controls that reduce the risk of memory overflows during packet handling also help.
Firewalls can also be used to block ICMP ping messages, although this may hurt performance and reliability. Distributed denial-of-service protection services can also prevent successful ping of death attacks by stopping malicious packets before they reach the targeted computers.