Ping of death

A ping of death (abbreviated "POD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size (or 84 bytes when the IP header is considered); many computer systems cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size can crash the target computer.

Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65,536-byte ping packet is illegal according to the networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

This exploit has affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers. However, most systems since 1997-1998 have been fixed, so this bug is mostly historical.

In recent years, a different kind of ping attack has become widespread: ping flooding simply floods the victim with so much ping traffic that normal traffic fails to reach the system (a basic denial-of-service attack).

Detailed information

As defined in RFC 791, the maximum packet length of IP is 65,535 ($2^{16}-1$) bytes, including the IP header, due to the IP header using 16 bits to describe the total packet length.

The underlying physical layer almost always imposes limits on the maximum frame size (see MTU). In Ethernet, this is typically 1500 bytes. In such a case, a large IP packet is split across multiple IP packets (also known as IP fragments), so that each IP fragment will match the imposed limit. The receiver of the IP fragments will reassemble them into the complete IP packet, and will continue processing it as usual.

When fragmentation is performed, each IP fragment needs to carry information about which part of the original IP packet it contains. This information is kept in the Fragment Offset field in the IP header. The field is 13 bits long, and contains the offset of the data in the current IP fragment within the original IP packet. The offset is given in units of 8 bytes.

This allows a maximum offset of 65,528 ($(2^{13}-1) \times 8$). This means that an IP fragment with the maximum offset should have data no larger than 7 bytes, else it would exceed the limit of the maximum packet length. A malicious user can send an IP fragment with the maximum offset, with data much larger than 8 bytes (as large as the physical layer allows it to be).

When the receiver assembles all IP fragments, it ends up with an IP packet which is larger than 65,535 bytes. This is likely to overflow memory buffers which the receiver allocated for the packet, and can cause various problems.

As is evident from the description above, the problem has nothing to do with ICMP. It is a problem in the reassembly process of IP fragments, which may contain any type of protocol (TCP, UDP, IGMP, etc.).

The fix to the problem is to add checks in the reassembly process. The check for each incoming IP fragment makes sure that the sum of "Fragment Offset" and "Total length" fields in the IP header of each IP fragment is smaller than 65,535. If the sum is larger, then the packet is invalid, and the IP fragment is ignored. This check is performed by some firewalls, to protect hosts which do not have the bug fixed. Another fix of the problem is using a memory buffer larger than 65,535 bytes for the reassembly of the packet. (This is essentially a breaking of the specification, since it adds support for packets larger than those allowed.)
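
The per-fragment check described above, written out in C as an added example; it is not part of the original article or of any particular operating system's code. The function name `check_fragment`, the verdict codes and the three constructed sample headers are assumptions, as is accepting a sum of exactly 65,535 (the largest legal packet) and assuming every fragment carries a header of the same length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_PACKET 65535u /* RFC 791: Total Length is a 16-bit field */

enum frag_verdict { FRAG_OK = 0, FRAG_MALFORMED = -1, FRAG_OVERSIZE = -2 };

/* Constructed sample headers (20 bytes, checksum left as zero, documentation addresses). */
static const uint8_t mid_frag[20] = {   /* offset 185 units (1480 bytes), Total Length 1500 */
    0x45,0x00,0x05,0xDC, 0x12,0x34,0x20,0xB9, 0x40,0x01,0x00,0x00, 192,0,2,1, 192,0,2,2 };
static const uint8_t last_legal[20] = { /* offset 8140 units (65,120 bytes), Total Length 415 */
    0x45,0x00,0x01,0x9F, 0x12,0x34,0x1F,0xCC, 0x40,0x01,0x00,0x00, 192,0,2,1, 192,0,2,2 };
static const uint8_t oversize[20] = {   /* offset 8191 units (65,528 bytes), Total Length 1500 */
    0x45,0x00,0x05,0xDC, 0x12,0x34,0x1F,0xFF, 0x40,0x01,0x00,0x00, 192,0,2,1, 192,0,2,2 };

/* Read a big-endian 16-bit header field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate one IPv4 fragment before its data is copied into a reassembly buffer.
 * hdr points at the IPv4 header; caplen is the number of bytes available. */
enum frag_verdict check_fragment(const uint8_t *hdr, size_t caplen)
{
    if (hdr == NULL || caplen < 20 || (hdr[0] >> 4) != 4)
        return FRAG_MALFORMED;
    uint32_t ihl       = (uint32_t)(hdr[0] & 0x0F) * 4;          /* header bytes */
    uint32_t total_len = be16(hdr + 2);                          /* header + data of this fragment */
    uint32_t offset    = (uint32_t)(be16(hdr + 6) & 0x1FFF) * 8; /* 13-bit field, 8-byte units */
    if (ihl < 20 || ihl > caplen || total_len < ihl)
        return FRAG_MALFORMED;
    /* offset + total_len is where this fragment ends in the reassembled packet,
     * header included; 32-bit arithmetic so the sum cannot wrap. */
    if (offset + total_len > IP_MAX_PACKET)
        return FRAG_OVERSIZE;
    return FRAG_OK;
}

int main(void)
{
    printf("middle fragment: %d\n", check_fragment(mid_frag, sizeof mid_frag));
    printf("last legal:      %d\n", check_fragment(last_legal, sizeof last_legal));
    printf("max offset:      %d\n", check_fragment(oversize, sizeof oversize));
    return 0;
}
```

The `last_legal` header is the final fragment of a packet that reassembles to exactly 65,535 bytes, so it marks the boundary between the accepted and rejected cases.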

See also

* Smurf attack
* Ping flood
* INVITE of Death

External links

* [http://insecure.org/sploits/ping-o-death.html Ping of death at Insecure.Org]


Wikimedia Foundation. 2010.
