Ping of Death

The Ping of Death is an attack that exploits errors in the re-assembly of fragmented packets. This works as follows:

The IP header contains the fragment-offset field, which identifies where a received fragment is inserted into the re-assembled IP packet. This field is 13 bits long and specifies the point of insertion in 8-byte increments, so the point of insertion can take on a value between 0 and 65528 bytes. With an Ethernet MTU of 1500 bytes, an IP packet with a potential size of up to 65528 + 1500 - 20 = 67008 bytes can therefore be generated, which is more than the 65535 bytes that the 16-bit total-length field of the IP header allows. Such a packet can provoke internal counter overflows or even buffer overflows, which can give attackers a potential way to execute their own code on the victim computer.

The firewall provides two options here: either the firewall re-assembles the entire incoming packet and checks its integrity, or the fragment that exceeds the maximum packet size is discarded. In the first case, the firewall itself can become a victim of a faulty implementation. In the second case, the victim keeps collecting partially re-assembled packets and, since these are only discarded after a certain time, this could result in a new Denial-of-Service attack if the victim runs out of memory.
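The second option, discarding a fragment that would exceed the maximum packet size, comes down to a bounds check on each fragment header before it is queued. The following is an added example, not LANCOM code: `check_fragment` and `make_header` are hypothetical names, the sample headers are constructed, and counting the header length toward the 65535-byte limit is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_PACKET 65535u /* largest value of the 16-bit total-length field */

enum frag_verdict { FRAG_OK, FRAG_MALFORMED, FRAG_OVERSIZE };

/* Validate one IPv4 fragment header before queuing it for re-assembly.
 * *end is set to where this fragment's data would end in the re-assembled
 * payload (fragment offset in bytes + fragment payload length). */
enum frag_verdict check_fragment(const uint8_t *hdr, size_t len, uint32_t *end)
{
    if (len < 20 || (hdr[0] >> 4) != 4)
        return FRAG_MALFORMED;
    uint32_t ihl   = (uint32_t)(hdr[0] & 0x0F) * 4;            /* header length  */
    uint32_t total = ((uint32_t)hdr[2] << 8) | hdr[3];         /* total length   */
    uint32_t off   = ((((uint32_t)hdr[6] & 0x1F) << 8) | hdr[7]) * 8; /* 13 bits */
    if (ihl < 20 || total < ihl)
        return FRAG_MALFORMED;
    *end = off + (total - ihl);
    /* Discard instead of copying past the end of a 64 KiB re-assembly buffer. */
    return (ihl + *end > IP_MAX_PACKET) ? FRAG_OVERSIZE : FRAG_OK;
}

/* Constructed sample input: minimal 20-byte header, checksum and addresses zero. */
void make_header(uint8_t hdr[20], uint16_t total, uint16_t off_units, int more)
{
    for (int i = 0; i < 20; i++)
        hdr[i] = 0;
    hdr[0] = 0x45;                                  /* version 4, IHL 5 */
    hdr[2] = (uint8_t)(total >> 8);
    hdr[3] = (uint8_t)(total & 0xFF);
    hdr[6] = (uint8_t)((more ? 0x20 : 0) | ((off_units >> 8) & 0x1F));
    hdr[7] = (uint8_t)(off_units & 0xFF);
    hdr[8] = 64;                                    /* TTL */
    hdr[9] = 1;                                     /* protocol: ICMP */
}

int main(void)
{
    uint8_t h[20];
    uint32_t end = 0;
    make_header(h, 1500, 8191, 0);   /* the maximum offset from the text */
    printf("verdict=%d end=%u\n", check_fragment(h, sizeof h, &end), end);
    make_header(h, 1500, 185, 1);    /* ordinary second fragment */
    printf("verdict=%d end=%u\n", check_fragment(h, sizeof h, &end), end);
    return 0;
}
```

This check only rejects the oversize fragment; fragments already queued for the same packet still occupy memory until the re-assembly timeout expires, which is the memory-exhaustion risk described above.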

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de