WittCode💻

Ping of Death Attack


Learn what a ping of death attack is and how to defend against it. We will also go over what ICMP is and the ping command.


What is a Ping?

Before we go over what a ping of death attack is, we should go over what a ping is. A ping is an ICMP echo request, answered by an ICMP echo reply, and is commonly used to test a network connection.

INFO: ICMP, or Internet Control Message Protocol, is an internet layer protocol that network devices use to send control, error and diagnostic messages to each other.

ping -c 4 31.220.55.159

PING 31.220.55.159 (31.220.55.159): 56 data bytes
64 bytes from 31.220.55.159: icmp_seq=0 ttl=47 time=114.246 ms
64 bytes from 31.220.55.159: icmp_seq=1 ttl=47 time=118.267 ms
64 bytes from 31.220.55.159: icmp_seq=2 ttl=47 time=114.884 ms
64 bytes from 31.220.55.159: icmp_seq=3 ttl=47 time=113.687 ms

--- 31.220.55.159 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 113.687/115.271/118.267/1.781 ms

This command sends 4 ICMP packets to the address 31.220.55.159. We can see the ping is successful due to the replies from the address.

What is a Ping of Death Attack?

A ping of death attack (PoD) is a denial-of-service (DoS) attack where an attacker overwhelms a target machine by sending it a packet larger than the maximum allowable IP packet size. The oversized packet makes the target machine unavailable, denying service to normal traffic. In the ping command above, we can see that the packet's data size was 56 bytes. We can set the data size of the packet with the -s flag.

ping -c 4 -s 72 31.220.55.159

PING 31.220.55.159 (31.220.55.159): 72 data bytes
80 bytes from 31.220.55.159: icmp_seq=0 ttl=47 time=118.496 ms
80 bytes from 31.220.55.159: icmp_seq=1 ttl=47 time=118.918 ms
80 bytes from 31.220.55.159: icmp_seq=2 ttl=47 time=117.800 ms
80 bytes from 31.220.55.159: icmp_seq=3 ttl=47 time=115.476 ms

--- 31.220.55.159 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 115.476/117.672/118.918/1.330 ms

Above we send 4 packets, each carrying 72 data bytes (the replies report 80 bytes because the 8-byte ICMP header is counted). However, we can't specify a packet of just any size: ping caps the data size at 65507 bytes. If we try to set a data size larger than 65507, we get an error.

ping -c 4 -s 100000 31.220.55.159

ping: packet size too large: 100000 > 65507

Certain systems were not designed to handle packets larger than this maximum size. This makes them vulnerable to the ping of death attack.

How Ping of Death Works

In a ping of death, the malicious (oversized) packet is fragmented into segments, each of which is smaller than the maximum packet size, so every fragment travels across the network normally. The target machine then reassembles the fragments, producing a packet that exceeds the maximum packet size its reassembly code was designed to handle.

Stopping the Attack

The ping of death attack has mostly died out nowadays, as modern devices are protected against it by default. This means that legacy machines are the most susceptible to this attack. However, here are some ways to protect against the attack:

  • Add a check to the packet reassembly process to ensure the size constraint isn't exceeded. This is typically done by vendors of operating systems and network devices.
  • Adjust the maximum transmission unit (MTU) of a network to reduce fragmentation.
  • Block ICMP packets using a firewall.
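To show concretely both how the reassembly step described above goes wrong and what the first mitigation (a size check during reassembly) looks like, here is an added example that is not code from the original post. It is a small Python IPv4 fragment reassembler that drops any fragment whose data would end beyond the 16-bit total-length limit of 65535 bytes; the fragments it is fed are constructed in the demo, and a fixed 20-byte header with no IP options is assumed.

```python
import struct

MAX_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits, so this is the hard limit
IHL = 20               # assumed header length (no IP options)

def build_fragment(ident, offset_units, more_fragments, payload):
    """Construct an IPv4 fragment carrying ICMP (proto 1); checksum left as 0."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IHL + len(payload), ident, flags_frag,
                         64, 1, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return header + payload

def parse_fragment(pkt):
    """Return (ident, byte offset, more-fragments flag, payload) of a fragment."""
    ver_ihl, _, total_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:total_len]

class Reassembler:
    """Per-ident fragment queues that refuse to grow past the datagram limit."""
    def __init__(self):
        self.queues = {}

    def add(self, pkt):
        ident, offset, mf, payload = parse_fragment(pkt)
        end = offset + len(payload)
        # The size check: if this fragment's data would end beyond what a 16-bit
        # total length can describe, the datagram is malformed. Drop it (and any
        # fragments already queued for it) instead of writing past the buffer.
        if IHL + end > MAX_DATAGRAM:
            self.queues.pop(ident, None)
            return "dropped"
        q = self.queues.setdefault(ident, {"data": bytearray(), "ranges": [], "final": None})
        q["data"].extend(b"\x00" * max(0, end - len(q["data"])))
        q["data"][offset:end] = payload
        q["ranges"].append((offset, end))
        if not mf:
            q["final"] = end          # the last fragment fixes the total data length
        if q["final"] is None or not self._contiguous(q["ranges"], q["final"]):
            return "pending"
        return bytes(self.queues.pop(ident)["data"][:q["final"]])

    @staticmethod
    def _contiguous(ranges, final):
        covered = 0
        for start, end in sorted(ranges):
            if start > covered:
                return False          # a hole: still waiting for a fragment
            covered = max(covered, end)
        return covered >= final

def demo():
    r = Reassembler()
    data = bytes(range(256)) * 11 + b"\x00" * 184   # constructed 3000-byte ICMP payload
    frags = [build_fragment(1, 0, True, data[:1480]), build_fragment(1, 185, True, data[1480:2960]),
             build_fragment(1, 370, False, data[2960:])]
    legit = [r.add(f) for f in frags]
    # Constructed ping-of-death fragment: offset 8189*8 = 65512 plus 100 data bytes would
    # reassemble to more than 65535 bytes, so the check must reject it.
    bad = r.add(build_fragment(2, 8189, False, b"A" * 100))
    return legit[-1] == data, legit[:2] == ["pending", "pending"], bad
```

A fragment at the same offset carrying only 3 bytes (ending exactly at 65535 with the header) is still accepted and queued, which is the legitimate upper bound that ping's 65507-byte data limit stays under.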