Ping of Death

What is a Ping of Death attack?

A Ping of Death (PoD) attack is a specific type of denial-of-service (DoS) attack where the attacker seeks to disrupt a targeted system by transmitting a packet exceeding the maximum allowable size. This oversize packet can cause the recipient system to freeze or crash. Although the original PoD attacks are less common now, its relative — ICMP flood attack — has become more prevalent.

How does the Ping of Death attack work

An ICMP (Internet Control Message Protocol) echo-reply message, otherwise known as a “ping”, serves as a digital echo-location tool. It tests the health of a network connection by sending out a “pulse” and interpreting the returned “echo”. When a ‘ping’ is successful, the originating device gets a reply from its target.

In the context of IPv4 ping packets, they have the capacity to be as large as the maximum permissible packet size of 65,535 bytes. Some TCP/IP systems, however, were not engineered to manage packets of such proportions, rendering them susceptible to oversized packets.

In a PoD attack, an exceptionally large packet is sent from the attacker to the victim. This oversized packet, fragmented into manageable segments, converges on the target. As the recipient system attempts to reassemble these fragments, the overall size surpasses the limit, potentially leading to a buffer overflow event. This can cause the system to freeze, crash, or reboot.

While ICMP echo is a common method, any IP datagram transmission — including TCP, UDP, and IPX — can be exploited for such attacks.

How to prevent a PoD attack

Preventing PoD attacks can be facilitated by introducing checks during the reassembly process to ensure that the total packet size doesn’t exceed the limit post-recombination. In addition, setting up a memory buffer with sufficient space to handle oversized packets offers another layer of protection.

The original PoD attack is virtually extinct; post-1998 devices typically have built-in defenses against it. Nonetheless, some outdated equipment could remain vulnerable. More recently, a new form of PoD attack was discovered exploiting IPv6 packets on Microsoft Windows, which received a patch in 2013. Services like the Sucuri firewall can help prevent Ping of Death attacks by filtering out malformed packets before they reach the intended target website or server.