A Ping of Death (PoD) attack is a form of DDoS attack in which an attacker sends the recipient device simple ping requests as fragmented IP packets that are oversized or malformed. These packets do not adhere to the IP packet format when reassembled, leading to heap/memory errors and system crashes.
Internet Control Message Protocol (ICMP) ping requests are used to check for connectivity and the health of networking devices. In a legitimate ICMP ping, the recipient device replies to an ICMP echo request. The response indicates the health of the recipient. Sending a ping request with a header larger than 65,535 bytes violates the Internet Protocol.
How does a Ping of Death Attack work?
Once the ping request (with its fragmented IP packets) is reassembled by the recipient device, it may result in an IP request size exceeding 65,535 bytes which can lead to system crashes. The crashes are caused by heap/memory errors due to overflow of buffers allocated to reassemble the IP headers and body.
Although PoD is a legacy DDoS attack and ICMP flood attacks are more commonly used, PoD can still impact unpatched systems. Vulnerabilities to PoD have been uncovered as recently as 2018 in Apple devices which were using an unpatched XNU kernel. This resulted in heap overflows and made them susceptible to remote execution of code.
How can a Ping of Death attack be mitigated?
To mitigate PoD attacks, the TCP stack of the recipient must be patched so that it checks for the total size of IP packets and allocates enough buffer space for reassembly. Alternately, it may truncate the IP request to the maximum size of the allocated buffers. This stops the request from rewriting which could result in heap overflow. Another approach, since it is not practical to completely block all ping requests to protect from PoD attacks, is to only filter out fragmented ping requests and only process unfragmented ping requests.
Radware’s DDoS protection (DefensePro and Cloud DDoS Protection Service) and application delivery solutions mitigate PoD attacks by dropping malformed packets before they reach the targeted host computer. Large ICMP packets, such as in an ICMP ping of death attack, can be blocked using a deny filter combined with binary patterns used to filter non-zero IP offsets or “More-Fragment” bits sent in the IP flags.
Related articles
Additional Resources