Ping of Death (PoD): Protect Yourself Against an ICMP - Ping Flood Attack
Ping of Death (PoD)

Ping of Death is a type of DoS attack in which an attacker attempts to crash, disrupt, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command. PoD attacks exploit legacy weaknesses that may already have been patched in target systems. On unpatched systems, however, the attack is still relevant and dangerous.

Recently, a new type of PoD attack has become popular. In this attack, commonly known as a Ping flood, the targeted system is hit with ICMP packets sent rapidly via ping without waiting for replies.

The maximum size of a correctly formed IPv4 packet, including the IP header, is 65,535 bytes; a normal ping packet has a total size of only 84 bytes. Many historical computer systems simply couldn't handle larger packets and would crash if they received one. This bug was easily exploited in early TCP/IP implementations in a wide range of operating systems, including Windows, Mac, Unix and Linux, as well as network devices like printers and routers.

Sending a ping packet larger than 65,535 bytes violates the Internet Protocol, so attackers would generally send malformed packets in fragments. When the target system attempts to reassemble the fragments and ends up with an oversized packet, a memory overflow can occur and lead to various system problems, including crashes.

Ping of Death attacks were particularly effective because the attacker's identity could be easily spoofed. Moreover, a Ping of Death attacker needed no detailed knowledge of the machine being attacked, except for its IP address.

It's worth noting that this vulnerability, though best known for its exploitation by PoD attacks, can actually be exploited by anything that sends an IP datagram: ICMP echo, TCP, UDP and IPX.

To avoid Ping of Death attacks and their variants, many sites block ICMP ping messages altogether at their firewalls. However, this approach is not viable in the long term. Invalid packet attacks can be directed at any listening port (FTP ports, for example), and you may not want to block all of these for operational reasons. Moreover, by blocking ping messages, you prevent legitimate ping use; there are still utilities that rely on ping to check that connections are live, for example. The smarter approach is to selectively block fragmented pings, allowing genuine ping traffic to pass through unhindered.
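The two defensive checks the article describes, rejecting fragments that would reassemble into a datagram larger than 65,535 bytes and selectively filtering only fragmented ICMP rather than all ping traffic, can be illustrated with a small reassembler. The following is an added example written for this page, not code from the original article or from any firewall or operating system; the IPv4 fragments it parses are constructed in memory (no checksum, fixed 10.0.0.x addresses), and the size check mirrors the rule that the reconstructed datagram, IP header included, may never exceed 65,535 bytes:

```python
import struct
from collections import defaultdict

IPV4_MAX_DATAGRAM = 65535   # largest legal IPv4 datagram, IP header included
IP_MF = 0x2000              # "more fragments" bit in the flags/offset field
PROTO_ICMP = 1


def build_ipv4_fragment(ident, offset, more_fragments, payload, proto=PROTO_ICMP):
    """Construct a minimal IPv4 header followed by payload (test data only; checksum left 0)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    ihl = 5
    total_length = ihl * 4 + len(payload)
    if total_length > IPV4_MAX_DATAGRAM:
        raise ValueError("a single fragment cannot exceed 65,535 bytes")
    flags_offset = (IP_MF if more_fragments else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_length, ident, flags_offset,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def parse_ipv4_fragment(packet):
    """Return the header fields a reassembler needs from a raw IPv4 packet."""
    vihl, _tos, total_length, ident, flags_offset, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "id": ident, "proto": proto,
        "header_len": ihl,
        "offset": (flags_offset & 0x1FFF) * 8,   # 13-bit offset, in 8-byte units
        "more": bool(flags_offset & IP_MF),
        "payload_len": total_length - ihl,
    }


def fragment_end_is_oversized(frag):
    """True when this fragment alone would push the reassembled datagram past 65,535 bytes.

    Reassembled size = IP header + (this fragment's offset + its payload), so an
    oversized fragment can be refused before any reassembly buffer is touched.
    """
    return frag["header_len"] + frag["offset"] + frag["payload_len"] > IPV4_MAX_DATAGRAM


def is_fragmented_ping(frag):
    """Selective filter: match only ICMP that arrives in fragments, leave whole pings alone."""
    return frag["proto"] == PROTO_ICMP and (frag["more"] or frag["offset"] > 0)


class SafeReassembler:
    """Tracks fragments per datagram and refuses any that would overflow the size limit."""

    def __init__(self):
        self.datagrams = defaultdict(lambda: {"bytes": 0, "end": 0, "last_seen": False})

    def accept(self, packet):
        frag = parse_ipv4_fragment(packet)
        if fragment_end_is_oversized(frag):
            return "reject-oversized"
        key = (frag["src"], frag["dst"], frag["id"], frag["proto"])
        state = self.datagrams[key]
        state["bytes"] += frag["payload_len"]
        state["end"] = max(state["end"], frag["offset"] + frag["payload_len"])
        if not frag["more"]:
            state["last_seen"] = True          # the fragment with MF=0 fixes the total length
        # Simplified completeness test (ignores overlapping fragments): enough bytes to fill the end.
        if state["last_seen"] and state["bytes"] >= state["end"]:
            del self.datagrams[key]
            return "reassembled"
        return "pending"


def demo():
    # Constructed input: a 1,500-byte ICMP echo split into two fragments (legitimate traffic),
    # one unfragmented ping, and a fragment whose offset sits at the top of the 13-bit range.
    legit = [
        build_ipv4_fragment(1, 0, True, b"\x08\x00" + b"A" * 1478),
        build_ipv4_fragment(1, 1480, False, b"B" * 20),
    ]
    whole_ping = build_ipv4_fragment(3, 0, False, b"\x08\x00" + b"D" * 54)
    oversized = build_ipv4_fragment(2, 8191 * 8, False, b"C" * 100)
    r = SafeReassembler()
    verdicts = [r.accept(p) for p in legit] + [r.accept(oversized)]
    filtered = [is_fragmented_ping(parse_ipv4_fragment(p)) for p in legit + [whole_ping]]
    return verdicts, filtered


if __name__ == "__main__":
    print(demo())
```

The size check is applied per fragment, before any buffer is allocated, which is exactly where the historical implementations went wrong: they trusted the offset and length fields and only discovered the overflow during reassembly. The `is_fragmented_ping` predicate shows the article's recommended middle ground: a rule keyed on ICMP plus a non-zero offset or the MF bit lets ordinary, unfragmented echo requests through while the fragmented ones are dropped.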
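For the Ping flood variant mentioned above, the defensive question is not packet size but rate: echo requests arriving faster than any host would legitimately send them. The sliding-window detector below is an added example written for this page (not code from the original article); the window length, the threshold of 50 echo requests per source per second, and the event stream of (timestamp, source address) pairs are all constructed values chosen for illustration:

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0   # assumed window length
THRESHOLD = 50         # assumed limit: echo requests per source within one window


class PingFloodDetector:
    """Counts ICMP echo requests per source over a sliding window and alerts once per source."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.history = defaultdict(deque)   # src -> timestamps still inside the window
        self.alerted = set()

    def observe(self, ts, src):
        """Record one echo request; return True the first time a source exceeds the threshold."""
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire timestamps that fell out of the window
            q.popleft()
        if len(q) > self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return True
        return False


def demo():
    # Constructed events: 10.0.0.5 pings once per second (normal monitoring),
    # while 10.0.0.9 sends 200 echo requests within half a second (flood pattern).
    events = [(i * 1.0, "10.0.0.5") for i in range(10)]
    events += [(2.0 + i * 0.0025, "10.0.0.9") for i in range(200)]
    events.sort()
    det = PingFloodDetector()
    return [src for ts, src in events if det.observe(ts, src)]


if __name__ == "__main__":
    print(demo())
```

Keying the counter on the source address is enough to surface a simple flood; since the article notes that the sender's address is easily spoofed, a production detector would also watch the aggregate ICMP rate at the interface so that a flood spread across forged sources is still noticed.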