Which of the following best describes the Ping of Death exploit?

Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected.

DoS attacks often target the web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations. Though DoS attacks do not typically result in the theft or loss of significant information or other assets, they can cost the victim a great deal of time and money to handle.

There are two general methods of DoS attacks: flooding services or crashing services. Flood attacks occur when the system receives more traffic than the server can buffer, causing it to slow down and eventually stop. Popular flood attacks include:

  • Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a network address than the programmers have built the system to handle. It includes the attacks listed below, in addition to others that are designed to exploit bugs specific to certain applications or networks
  • ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every computer on the targeted network, instead of just one specific machine. The network is then triggered to amplify the traffic. This attack is also known as the smurf attack or ping of death.
  • SYN flood – sends a request to connect to a server, but never completes the handshake. Continues until all open ports are saturated with requests and none are available for legitimate users to connect to.

Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize the system, so that it can’t be accessed or used.

An additional type of DoS attack is the Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when multiple systems orchestrate a synchronized DoS attack against a single target. The essential difference is that instead of being attacked from one location, the target is attacked from many locations at once. The distribution of hosts that defines a DDoS provides the attacker with multiple advantages:

  • He can leverage the greater volume of machines to execute a seriously disruptive attack
  • The location of the attack is difficult to detect due to the random distribution of attacking systems (often worldwide)
  • It is more difficult to shut down multiple machines than one
  • The true attacking party is very difficult to identify, as they are disguised behind many (mostly compromised) systems

Modern security technologies have developed mechanisms to defend against most forms of DoS attacks, but due to the unique characteristics of DDoS, it is still regarded as an elevated threat and is of higher concern to organizations that fear being targeted by such an attack.

Attack on a computer system by pinging a computer

A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer.[1]

A correctly formed ping packet is typically 56 bytes in size, or 64 bytes when the Internet Control Message Protocol (ICMP) header is considered, and 84 bytes including Internet Protocol (IP) version 4 header. However, any IPv4 packet (including pings) may be as large as 65,535 bytes. Some computer systems were never designed to properly handle a ping packet larger than the maximum packet size because it violates the Internet Protocol.[2][3] Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before transmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

In early implementations of TCP/IP, this bug was easy to exploit and could affect a wide variety of systems including Unix, Linux, Mac, Windows, and peripheral devices. As systems began filtering out pings of death through firewalls and other detection methods, a different kind of ping attack known as ping flooding later appeared, which floods the victim with so many ping requests that normal traffic fails to reach the system (a basic denial-of-service attack).

Detailed information

The maximum packet length of an IPv4 packet including the IP header is 65,535 (2^16 − 1) bytes,[2] a limitation presented by the use of a 16-bit wide IP header field that describes the total packet length.

The underlying Data Link Layer almost always poses limits to the maximum frame size (See MTU). In Ethernet, this is typically 1500 bytes. In such a case, a large IP packet is split across multiple IP packets (also known as IP fragments), so that each IP fragment will match the imposed limit. The receiver of the IP fragments will reassemble them into the complete IP packet and continue processing it as usual.

When fragmentation is performed, each IP fragment needs to carry information about which part of the original IP packet it contains. This information is kept in the Fragment Offset field in the IP header. The field is 13 bits long and contains the offset of the data in the current IP fragment within the original IP packet. The offset is given in units of 8 bytes. This allows a maximum offset of 65,528 ((2^13 − 1) × 8). When 20 bytes of IP header are added, the maximum becomes 65,548 bytes, which exceeds the maximum packet length. This means that an IP fragment with the maximum offset should have data no larger than 7 bytes, or else it would exceed the limit of the maximum packet length. A malicious user can send an IP fragment with the maximum offset and with much more data than 8 bytes (as large as the physical layer allows it to be).

When the receiver assembles all IP fragments, it will end up with an IP packet which is larger than 65,535 bytes. This may possibly overflow memory buffers which the receiver allocated for the packet, and can cause various problems.

As is evident from the description above, the problem has nothing to do with ICMP, which is used only as payload, big enough to exploit the problem. It is a problem in the reassembly process of IP fragments, which may contain any type of protocol (TCP, UDP, IGMP, etc.).

The correction of the problem is to add checks in the reassembly process. The check for each incoming IP fragment makes sure that the sum of the "Fragment Offset" and "Total Length" fields in the IP header of each IP fragment is less than or equal to 65,535. If the sum is greater, the packet is invalid and the IP fragment is ignored. This check is performed by some firewalls to protect hosts that do not have the bug fixed. Another fix for the problem is to use a memory buffer larger than 65,535 bytes for the reassembly of the packet. (This essentially breaks the specification, since it adds support for packets larger than those allowed.)
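The fragment-offset arithmetic and the reassembly check described above, as an added example that is not part of the original article: it builds constructed IPv4 fragments with `struct`, applies the "offset × 8 + Total Length ≤ 65,535" test to each, and shows a fixed-size reassembler rejecting a maximum-offset fragment before it can overrun the buffer. The addresses and payloads are invented test data.

```python
import struct

MAX_IPV4_LEN = 65535      # 2**16 - 1, limit of the 16-bit Total Length field
IHL_BYTES = 20            # header length without options
MORE_FRAGMENTS = 0x2000   # MF flag in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset, in units of 8 bytes


def build_fragment(ident, offset_units, payload, more=False):
    """Build a minimal IPv4 header + payload (constructed test data, no options)."""
    total_len = IHL_BYTES + len(payload)
    flags_frag = (MORE_FRAGMENTS if more else 0) | (offset_units & OFFSET_MASK)
    # version/IHL, TOS, total length, id, flags+offset, TTL, proto 1 (ICMP),
    # checksum (left 0 for the test), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def fragment_is_valid(pkt):
    """Reassembly sanity check: offset*8 + Total Length must not exceed 65,535."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    offset_bytes = (flags_frag & OFFSET_MASK) * 8
    return offset_bytes + total_len <= MAX_IPV4_LEN


def reassemble(fragments):
    """Reassemble the fragments of one datagram into a fixed-size buffer.
    Returns the payload, or None if any fragment fails the length check."""
    buf = bytearray(MAX_IPV4_LEN - IHL_BYTES)  # largest legal payload
    end = 0
    for pkt in fragments:
        if not fragment_is_valid(pkt):        # the fix: drop before copying
            return None
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        off = (flags_frag & OFFSET_MASK) * 8
        data = pkt[IHL_BYTES:]
        buf[off:off + len(data)] = data        # now guaranteed to fit
        end = max(end, off + len(data))
    return bytes(buf[:end])


def demo():
    """A well-formed two-fragment datagram versus a maximum-offset fragment."""
    good = [build_fragment(1, 0, b"A" * 1480, more=True),
            build_fragment(1, 185, b"B" * 40)]          # 185 * 8 == 1480
    evil = [build_fragment(2, 0, b"A" * 1480, more=True),
            build_fragment(2, OFFSET_MASK, b"X" * 1000)]  # offset 65,528
    return reassemble(good), reassemble(evil)
```

Without the `fragment_is_valid` gate, the second datagram would write 1,000 bytes starting at offset 65,528 of a 65,515-byte buffer, which is exactly the overrun the original bug exposed.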

Ping of death in IPv6

In 2013, an IPv6 version of the ping of death vulnerability was discovered in Microsoft Windows. The Windows TCP/IP stack did not handle memory allocation correctly when processing incoming malformed ICMPv6 packets, which could cause a remote denial of service. This vulnerability was fixed in MS13-065 in August 2013.[4][5] The CVE-ID for this vulnerability is CVE-2013-3183.[6] In 2020, another bug (CVE-2020-16898) in ICMPv6 was found in Router Advertisement handling, which could even lead to remote code execution.[7]

See also

  • INVITE of Death
  • LAND
  • Ping flood
  • ReDoS
  • Smurf attack

References

  1. Abdollahi, Asrin; Fathi, Mohammad (2020-01-23). "An Intrusion Detection System on Ping of Death Attacks in IoT Networks". Wireless Personal Communications. 112 (4): 2057–2070. doi:10.1007/s11277-020-07139-y. ISSN 0929-6212. S2CID 213121777.
  2. J. Postel, ed. (September 1981). INTERNET PROTOCOL - DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION. IETF. doi:10.17487/RFC0791. STD 5. RFC 791. IEN 128, 123, 111, 80, 54, 44, 41, 28, 26. Internet Standard. Obsoletes RFC 760. Updated by RFC 1349, 2474 and 6864.
  3. Erickson, Jon (2008). HACKING the art of exploitation (2nd ed.). San Francisco: No Starch Press. p. 256. ISBN 978-1-59327-144-2.
  4. "Microsoft Security Bulletin MS13-065 - Important". Microsoft. August 13, 2013. Retrieved February 25, 2017.
  5. Jackson, Joab (August 13, 2013). "Microsoft Patch Tuesday: The Ping of Death returns, IPv6-style". Retrieved February 25, 2017.
  6. "CVE - CVE-2013-3183". The MITRE Corporation. Retrieved February 25, 2017.
  7. "CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability". Microsoft. October 13, 2020. Retrieved October 14, 2020.

  • The Ping o' Death Page at the Wayback Machine (archived December 6, 1998)
  • Ping of death at Insecure.Org

Retrieved from "https://en.wikipedia.org/w/index.php?title=Ping_of_death&oldid=1113879093"