Ping of Death
A ping of death is a type of security attack carried out against a target machine by
sending it a malicious ping ( http://en.wikipedia.org/wiki/Ping_of_death ).
A ping is an Internet Control Message Protocol (ICMP) echo request. A correctly
formed ping message is 56 bytes in size (84 bytes when the IP header is included). Earlier
systems could not properly handle a ping packet larger than 65,535 bytes (64 KB).
Therefore, a ping packet larger than this limit could cause a system to crash.
According to RFC 791 ( www.ietf.org/rfc/rfc791.txt ), sending a packet larger than
65,535 bytes violates the IP specification. However, such a packet can still be delivered if it is
fragmented. The target machine must then reassemble the fragments, which can cause a buffer
overflow (a kind of memory overflow), which in turn can cause a system crash.
Here is how it works:
1. When a packet is fragmented, each IP fragment carries information about which part of the
original packet it contains. This information is kept in the fragment offset field of the IP header.
2. The offset of a fragment is expressed in 8-byte units, so the largest offset that can be
encoded is 65,528 bytes. A fragment at that offset should therefore carry no more than 7 bytes
of data, since 65,528 + 7 = 65,535.
3. A malicious user sends an IP fragment with the maximum offset and far more than 7 bytes
of data, as much as the physical layer allows. This causes buffer overflow problems that can
result in a system crash.
In order to correct this problem, checks are added to the reassembly process. The check
for each incoming IP fragment makes sure that the sum of the fragment offset and the total length
in the IP header of that fragment is smaller than 65,535 bytes. Any fragment having a sum
larger than this size is invalid and is therefore ignored. This check can also be performed by
firewalls to protect the internal network and its machines. Another, nonstandard, fix is to break
the limit of the specification and use a memory buffer larger than 65,535 bytes.
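To make the reassembly check concrete, the following is an added Python example (not code from the book) that parses a constructed 20-byte IPv4 fragment header and applies the offset-plus-total-length test described above. The header builder, the sample offsets and the addresses are assumptions made for illustration only; nothing is sent on the network.

```python
import struct

IP_MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram may have (RFC 791)
MORE_FRAGMENTS = 0x2000   # MF flag bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset, counted in 8-byte units


def build_ipv4_header(total_length, frag_offset_units, more_fragments):
    """Build a minimal 20-byte IPv4 header as constructed test data (checksum left 0).

    Field order: version/IHL, TOS, total length, identification, flags+offset,
    TTL, protocol (1 = ICMP), header checksum, source, destination.
    """
    flags_offset = (MORE_FRAGMENTS if more_fragments else 0) | (frag_offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_length, 0x1234, flags_offset,
                       64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addresses


def fragment_is_valid(header):
    """Reassembly sanity check from the text: offset + total length must not exceed 65,535.

    Returns (valid, reassembled_size). A fragment whose data would land beyond the
    end of the largest legal datagram is the Ping of Death case and must be dropped.
    """
    total_length = struct.unpack("!H", header[2:4])[0]
    flags_offset = struct.unpack("!H", header[6:8])[0]
    offset_bytes = (flags_offset & OFFSET_MASK) * 8   # convert 8-byte units to bytes
    reassembled = offset_bytes + total_length
    return reassembled <= IP_MAX_DATAGRAM, reassembled


if __name__ == "__main__":
    # Constructed fragments: a normal middle fragment, a legitimate final
    # fragment of a maximum-size datagram, and an oversized last fragment.
    samples = {
        "middle fragment (1480 B data at offset 1480)": build_ipv4_header(1500, 185, True),
        "last fragment ending exactly at 65,535":       build_ipv4_header(23, 8189, False),
        "oversized fragment at maximum offset":          build_ipv4_header(1500, 8191, False),
    }
    for label, hdr in samples.items():
        ok, size = fragment_is_valid(hdr)
        print(f"{label}: reassembled size {size} -> {'accept' if ok else 'DROP'}")
```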
Ping Flood
A ping flood, a kind of denial of service (DoS) attack, tries to overwhelm the victim with a large
number of repeated ping packets ( http://en.wikipedia.org/wiki/Ping_flood ). The most
effective way is to use the ping flood option, which sends ICMP packets as fast as possible
without waiting for response messages. The ping flood attack is most successful if the attacker has
more bandwidth than the victim.
The attack is even more effective if the victim responds with ICMP echo reply packets that
would consume both outgoing bandwidth as well as incoming bandwidth on the victim's
network. Moreover, if the victim's system has a slower processor, chances are the ping flood
would consume enough CPU cycles to cause the target system to slow down considerably.
Alternatively, network administrators can use a ping flood to diagnose network packet
loss and throughput problems.
To prevent a ping flood, a firewall can be set in place to examine the IP address of the
attacker. The IP address can be blacklisted if any malicious activity is detected by the
firewall. (See the section “Firewalls” later in this chapter.)