
Ping of Death

The ping-of-death attack, with its melodramatic name, is an example of how simple it can be to launch a denial-of-service attack once a vulnerability has been discovered. Those who originally discover a vulnerability deserve credit, but it takes no great skill or intelligence to exploit it.

To better understand how the ping of death worked (or still works), we need to once again review some TCP/IP basics. The ping of death exploited a flaw in many vendors' implementations of ICMP. ICMP is one of the Internet-layer protocols of TCP/IP and uses IP datagrams to carry its messages; ping is a TCP/IP command that sends an IP packet (an ICMP echo request) to a specified IP address or host name to see whether the address or host responds. It is often used to determine whether a host is on the network, or "alive". The typical ping command syntax would be either of the following:

  • ping 150.24.35.46
  • ping www.acme.net

Many operating systems were, or still are, vulnerable to larger-than-normal ICMP packets. An IP datagram can be at most 65,535 bytes, so a ping whose fragments reassemble to more than that can overflow a fixed-size buffer in some systems' internals and crash the system. The command syntax varies with the operating system you are using. Below are two examples, one for Windows and the other for Sun Solaris.

  • Windows: ping -l 65527 -s 1 hostname
  • Solaris: ping -s hostname 65527
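The overflow described above happens at IP reassembly: the fragments of a 65,527-byte ping add up to more than the 65,535 bytes an IP datagram may hold, and a kernel that trusted the fragment offsets wrote past its reassembly buffer. The following Python script is an added example, not code from the original page: it parses IPv4 fragment headers from constructed sample packets (placeholder addresses, nothing is sent) and applies the bounds check that the vendor patches introduced, rejecting any fragment that would push the reassembled datagram past the limit. The function names, the 1,500-byte MTU and the 65,500-byte benign comparison case are assumptions of the example.

```python
import struct
from dataclasses import dataclass

IP_HEADER_LEN = 20        # minimal IPv4 header, no options
MAX_DATAGRAM = 65535      # largest value the 16-bit IP total-length field can hold
IPV4_HDR_FMT = "!BBHHHBBH4s4s"


@dataclass
class Fragment:
    ident: int
    offset: int        # byte offset of this fragment's payload within the full datagram
    more: bool         # "more fragments" flag
    payload_len: int   # bytes of payload carried by this fragment


def build_ipv4_fragment(ident: int, offset_bytes: int, more: bool, payload: bytes) -> bytes:
    """Constructed sample input: a minimal IPv4 header (protocol 1 = ICMP) in front of a payload chunk.
    Addresses are placeholders and the checksum is left at zero; nothing here is sent on a wire."""
    flags_frag = ((1 if more else 0) << 13) | ((offset_bytes // 8) & 0x1FFF)
    header = struct.pack(IPV4_HDR_FMT, (4 << 4) | 5, 0, IP_HEADER_LEN + len(payload), ident,
                         flags_frag, 64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def parse_fragment(packet: bytes) -> Fragment:
    """Pull the reassembly-relevant fields out of an IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum, _src, _dst = \
        struct.unpack(IPV4_HDR_FMT, packet[:IP_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return Fragment(ident=ident, offset=(flags_frag & 0x1FFF) * 8,
                    more=bool(flags_frag & 0x2000), payload_len=total_len - ihl)


def fragment_exceeds_limit(frag: Fragment) -> bool:
    """The check the fixed kernels added: a fragment placed at its offset must not push the
    reassembled datagram (header + payload) past 65,535 bytes. Returns True when it would."""
    return IP_HEADER_LEN + frag.offset + frag.payload_len > MAX_DATAGRAM


def reassembled_size(frags) -> int:
    """Total size the reassembled datagram would have once every fragment is in place."""
    return IP_HEADER_LEN + max(f.offset + f.payload_len for f in frags)


def fragment_icmp_payload(ident: int, ip_payload_len: int, mtu: int = 1500) -> list:
    """Constructed sample: split an ICMP message of ip_payload_len bytes into fragments the way
    a sender with the given MTU would (every fragment payload but the last is a multiple of 8)."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8   # 1480 bytes for a 1500-byte MTU
    packets = []
    for off in range(0, ip_payload_len, chunk):
        n = min(chunk, ip_payload_len - off)
        packets.append(build_ipv4_fragment(ident, off, off + n < ip_payload_len, bytes(n)))
    return packets


def audit_fragments(packets) -> tuple:
    """Parse every fragment and return (reassembled size, number of fragments the limit check rejects)."""
    frags = [parse_fragment(p) for p in packets]
    return reassembled_size(frags), sum(fragment_exceeds_limit(f) for f in frags)


if __name__ == "__main__":
    # An ICMP echo is an 8-byte ICMP header plus data, so 65,527 data bytes give a 65,535-byte
    # IP payload and a 65,555-byte datagram, 20 bytes past the limit; 65,500 data bytes stay legal.
    for data_len in (65527, 65500):
        size, rejected = audit_fragments(fragment_icmp_payload(0x1234, 8 + data_len))
        print(f"ping data {data_len}: reassembles to {size} bytes, {rejected} fragment(s) rejected")
```

Only the final fragment of the oversized ping trips the check (its offset of 65,120 plus 415 bytes of payload plus the header overshoots by 20 bytes), which is why a reassembler that validated each fragment against the datagram limit before copying was enough to close the hole; the same per-fragment arithmetic is what an IDS rule for this attack evaluates.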

Normally it requires a flood of pings to crash a system. Moreover, from firsthand experience I have found that you are just as likely to crash the system from which you are launching the attack as you are to crash the system you are targeting. Nevertheless, the ping-of-death approach may still constitute an effective denial-of-service attack. Once this vulnerability was discovered, most vendors issued operating system patches to eliminate the problem.
