Ping of Death
What Is a Ping of Death Attack?
The ping of death is a form of denial-of-service (DoS) attack in which an attacker crashes, destabilizes, or freezes computers or services by sending them oversized data packets. This form of DoS attack typically targets legacy weaknesses for which fixes have long existed but which an organization may not have applied.
Unpatched systems are also at risk from ping floods, which target systems by overloading them with Internet Control Message Protocol (ICMP) ping messages.
How Does the Ping of Death Work?
A correctly formed Internet Protocol version 4 (IPv4) packet is at most 65,535 bytes long, and most legacy computers cannot handle anything larger. Sending a single ping larger than this violates the IP specification, so attackers instead send the data as a series of fragments. When the targeted system reassembles them, the result is a datagram larger than 65,535 bytes, which can overflow the reassembly buffer and cause the system to crash, freeze, or reboot.
The vulnerability can be exploited by any source that sends IP datagrams, so it is not limited to ICMP echo; the same applies to Internetwork Packet Exchange (IPX), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) traffic.
The Ping Command
Computers use ICMP echo request and echo reply messages, commonly known as a "ping," to test network connections. The mechanism acts, in essence, like sonar between devices: the source sends a pulse, and the echo that returns tells the operator about the network environment. When the connection works as intended, the source machine receives a reply from the target machine, a check that engineers use frequently. The ping command is limited to a maximum packet size of 65,535 bytes.
Changing Ping Into a Ping of Death Command
Attackers turn the ordinary ping command into a ping of death command. A simple loop can execute the ping command with packet sizes that, once the target machine puts the fragments back together, exceed the 65,535-byte maximum.
Exploiting the Vulnerability
Sending a single packet larger than 65,535 bytes violates the rules of IP. To get around this, attackers send the packet in fragments, which the target system then attempts to piece together. When it does, the oversized result overflows the memory set aside for reassembly.
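The defensive check that closed this hole is a bounds test during reassembly: a fragment is rejected when its offset plus its data length would push the reassembled datagram past 65,535 bytes. The following Python is an added example (not Fortinet's code and not from the original page) of that check applied to constructed IPv4 fragment headers; the packets built by make_fragment are test data with zero addresses and an unset checksum, and the Reassembler class is a simplified illustration rather than a real IP stack.

```python
import struct

IPV4_MAX_LEN = 65535   # largest total length an IPv4 datagram may have (16-bit field)
FRAG_UNIT = 8          # the fragment offset field counts 8-byte units
HDR_FMT = "!BBHHHBBH4s4s"


def make_fragment(total_len, ident, more_fragments, offset_units, proto=1):
    """Constructed test data: a 20-byte IPv4 header plus zero-filled payload.

    total_len is the value of the Total Length field; the payload is padded so
    that the packet really is that long. Checksum and addresses are left zero.
    """
    flags_off = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack(HDR_FMT, 0x45, 0, total_len, ident, flags_off,
                         64, proto, 0, bytes(4), bytes(4))
    return header + bytes(total_len - 20)


def parse_fragment(pkt):
    """Extract the header fields a reassembler needs from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "ident": ident, "proto": proto, "src": src, "dst": dst, "ihl": ihl,
        "offset": (flags_off & 0x1FFF) * FRAG_UNIT,   # byte offset of this data
        "payload_len": total_len - ihl,               # bytes of data carried
        "more": bool(flags_off & 0x2000),             # MF flag
    }


def reassembled_end(frag):
    """Length the reassembled datagram would have if this fragment were last."""
    return frag["ihl"] + frag["offset"] + frag["payload_len"]


def is_ping_of_death_fragment(frag):
    """True when the fragment's data would land beyond the 65,535-byte IPv4 limit.

    This is the classic ping of death condition: the offset field can reach
    8191 * 8 = 65,528 bytes, so any fragment at that offset with more than a few
    bytes of data makes the reassembled datagram oversized.
    """
    return reassembled_end(frag) > IPV4_MAX_LEN


class Reassembler:
    """Per-datagram fragment tracking that refuses oversized datagrams up front.

    Real stacks also enforce per-queue memory limits and timeouts; this
    simplified version only shows the length check, which is the fix the
    ping of death required.
    """

    def __init__(self):
        self.queues = {}

    def accept(self, pkt):
        frag = parse_fragment(pkt)
        if is_ping_of_death_fragment(frag):
            return "dropped"            # never buffered, so nothing can overflow
        key = (frag["src"], frag["dst"], frag["ident"], frag["proto"])
        self.queues.setdefault(key, []).append(frag)
        return "buffered"


if __name__ == "__main__":
    samples = {
        "first fragment, 1480 data bytes": make_fragment(1500, 7, True, 0),
        "last legal fragment at offset 65512": make_fragment(23, 7, False, 8189),
        "oversized fragment at offset 65512": make_fragment(60, 7, False, 8189),
    }
    r = Reassembler()
    for label, pkt in samples.items():
        print(f"{label}: end={reassembled_end(parse_fragment(pkt))} -> {r.accept(pkt)}")
```

The second sample shows the boundary: a 3-byte fragment at offset 65,512 reassembles to exactly 65,535 bytes and is legal, while a 40-byte fragment at the same offset would reach 65,572 bytes and is dropped before any buffer is touched.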
Does the Ping of Death Still Work?
The ping of death is an old attack vector that originally appeared in the mid-1990s, which caused target systems to crash or freeze. Since 1998, most computers and devices have been protected against these types of attacks. Furthermore, many websites still block ICMP ping messages to prevent future variations of this DoS attack.
However, an organization can still be vulnerable to the threat in these situations:
1. Vulnerable Legacy Equipment
Some legacy devices and equipment can still be vulnerable to the ping of death if they have not been patched. A single unpatched host, whether a network device, computer, or server, can be crashed and in turn disrupt the network it serves.
2. Recent Ping of Death Attacks
Ping of death attacks made a return in August 2013, when they posed a threat to Internet Protocol version 6 (IPv6) networks. The resurgence of the attack vector exploited a weakness in OpenType fonts in the soon-to-be-discontinued Windows XP and Windows Server 2013 operating systems. The attack exploited a flaw in the IPv6 implementation of ICMP by sending huge ping requests that crashed the target computer when it reassembled the packets. The risk could easily be avoided by disabling IPv6.
In October 2020, a flaw was discovered in the Windows component TCPIP.sys, a kernel driver, so a successful exploit reaches the core of any Windows system. If an attacker is able to exploit the flaw, the result is a hard crash and total shutdown of the computer followed by a reboot. However, the flaw was difficult to exploit, and avoiding the risk relied on users patching their devices.
These examples show that ping of death attacks can still occur, and organizations need to protect themselves against them.
How To Protect My Organization from the Ping of Death?
Organizations can protect themselves from the risk of ping of death attacks by avoiding the use of legacy equipment and ensuring their devices and software are constantly updated. The ping of death can also be avoided by blocking fragmented pings and increasing memory buffers, which reduces the risk of memory overflows.
Block ICMP Ping Messages
Most networks operate firewalls that allow organizations to block ICMP ping messages. This would stop ping of death attacks, but it is not a practical approach: it affects performance and reliability, and it blocks legitimate pings. It is also not a complete defense, because invalid-packet attacks can be launched through other listening ports, such as File Transfer Protocol (FTP).
Use DDoS Protection Services
Using distributed denial-of-service (DDoS) protection services is a smarter approach to network security and to protecting against ping of death attacks. DDoS protection helps organizations block malformed packets before they can reach their target, which removes the risk of a ping of death occurring.
How Fortinet Can Help
Fortinet helps organizations protect their infrastructure against DDoS attacks and prevent ping of death attacks with FortiDDoS. FortiDDoS is a dynamic and multi-layered solution that safeguards organizations from known and zero-day attacks. It is easy to deploy, offers a ping of death tutorial, an intrusion detection system (IDS), comprehensive analysis and reporting, and behavior-based DDoS protection that removes the need for signature files.
FortiDDoS provides defense against all forms of DDoS attacks, such as Layer 7 application, Secure Sockets Layer/Hypertext Transfer Protocol Secure (SSL/HTTPS), and bulk volumetric attacks.
What is a ping of death attack?
A ping of death attack is a type of denial-of-service (DoS) attack. It occurs when attackers overload a computer, service, or system with oversized data packets and Internet Control Message Protocol (ICMP) ping messages.
Does the ping of death still work?
Modern computers are protected against ping of death attacks and have been since the late 1990s. However, there are still examples of vulnerabilities that can be exploited by using the ping of death approach.
How do I protect my organization from the ping of death?
You can protect your organization from the ping of death by keeping computers and systems patched and updated and avoiding the use of legacy equipment. You can also block ICMP ping messages and use distributed denial-of-service (DDoS) protection services.