What is a Ping Of Death?
It is one of the oldest attack vectors used for denial-of-service (DoS) attacks.
Originally, a bug was found in TCP/IP stacks in the mid-1990s, and it affected many operating systems of that time. An attacker would use a Ping of Death attack to crash, destabilize, or freeze computers or services by targeting them with oversized packets. This form of DoS attack typically targets and exploits 'legacy' weaknesses that your organization may already have patched.
As you already know, a valid IPv4 packet is at most 65,535 bytes long, and most legacy computers and devices were not able to handle any packet larger than that. A ping larger than this violates the Internet Protocol (IPv4). Attackers would send the packet in the form of fragments, and when your system attempted to reassemble those fragments, the result was an oversized packet. A buffer overflow would occur, causing your system to crash, freeze, or even reboot.
This vulnerability can still be exploited by any source or threat actor that sends IP datagrams, including ICMP echo, Internetwork Packet Exchange (IPX), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) traffic.
How does it all happen?
Whenever you want to check whether another computer is online, or whether you can communicate with it, you send it a ping. Right?
I expect networking people to know that this ping is sent using the ICMP protocol.
You begin by sending a ping; the target machine responds to your ping, and a connection is established. A Ping of Death actually hijacks this process...
When the ping packet was designed in the 1980s, its size was capped at 65,535 bytes; no one imagined receiving larger packets. Over the years, this turned out to be a vulnerability.
That's why, during a Ping of Death, an attacker:
1. Chooses a victim
All the attacker needs is the IP address of the target machine. They don't need any detailed knowledge of the machine's age or its operating system.
2. Fragments
The attacker breaks a large payload into pieces so that they can be sent sequentially.
3. Releases
All of those fragments then head to the victim machine or system in a series of pings. When that system attempts to reassemble the information, the pings exceed the byte cap and the system crashes.
Most of the original Ping of Death attacks were witnessed in the 1990s and early 2000s. Developers responded by reworking the code, and Ping of Death attacks soon stopped...
But then the Ping of Death attack staged a comeback in 2013. All implementations of IPv6 were affected too, since IPv6 also depends on ICMP for pings and so carried the same vulnerability. Each and every instance of 'Internet Explorer' was vulnerable. That forced Microsoft to release at least 11 patches (out of a total of 19) for it on 13 August 2013, in a single day.
Before you dismiss this as an old story and ask why bother now, I want you to know that it came back to haunt us.
In October 2020, the Ping of Death returned. Microsoft once again had to respond with patches (13 August 2020) to help its customers eliminate the risk and strengthen their security. Reporters also helped spread the word. Companies were warned worldwide that hackers could use this version of the ping to take over computers and execute malicious code.
Anything connected to the internet, including IoT devices like smart refrigerators, could still come under attack via this method.
2020 Ping of Death: Technical Details
The bug (CVE-2020-16898) was discovered in a Windows component called TCPIP.SYS, and as the filename suggests, this isn’t just any old program.
This Ping of Death vulnerability arose from an issue in how Microsoft’s tcpip.sys implemented the Recursive DNS Server (RDNSS) option in IPv6 router advertisement packets. This option was intended to provide a list of available recursive DNS servers.
The issue that created the Ping of Death vulnerability was that 'tcpip.sys' did not properly handle the possibility that the router advertisement packet contains more data than it should. Microsoft’s implementation actually trusted the length field in the packet and allocated memory accordingly on the stack.
Any unsafe copy of data into this allocated buffer created the potential for a buffer overflow attack. This enabled the attacker to overwrite other variables on the stack, including control flow information such as the program’s return address.
This buffer overflow leaves the potential for remote code execution by the attacker. Using return-oriented programming, a buffer overflow exploit could cause a function to return into and execute attacker-provided shellcode.
At that time, this vulnerability had not been publicly disclosed, meaning that (theoretically) no one knew about it beforehand and could have developed an exploit.
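The root cause described above is a parser that sized a stack buffer from the option's Length field without checking it against the bytes actually present. As an added example (not Microsoft's code, and not the tcpip.sys logic itself), here is a Router Advertisement option walker in Python that applies the bounds checks from RFC 4861 and the structural rule from RFC 8106 (an RDNSS option's Length is 3 for one address and grows by 2 per address, so it is always odd and at least 3) before touching any option contents. The Router Advertisement and RDNSS option bytes are constructed for the demo; the over-claiming option simply declares more length than is on the wire.

```python
import struct
from ipaddress import IPv6Address

ND_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type
RA_FIXED_HEADER = 16            # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
OPT_RDNSS = 25                  # RFC 8106 Recursive DNS Server option

def parse_rdnss(opt_len, body):
    """RFC 8106: Length is 3 for one address and grows by 2 per address, so it must be odd
    and at least 3. `body` is the option without its Type/Length bytes."""
    if opt_len < 3 or opt_len % 2 == 0:
        raise ValueError(f"RDNSS length {opt_len} is not 3 + 2n")
    lifetime = struct.unpack("!I", body[2:6])[0]          # 2 reserved bytes, then lifetime
    return lifetime, [str(IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]

def parse_ra_options(pkt):
    """Walk the ND options of a Router Advertisement, checking each declared length first."""
    if len(pkt) < RA_FIXED_HEADER or pkt[0] != ND_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    options, pos = [], RA_FIXED_HEADER
    while pos < len(pkt):
        if len(pkt) - pos < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = pkt[pos], pkt[pos + 1]
        nbytes = opt_len * 8                               # Length field is in 8-octet units
        if opt_len == 0 or pos + nbytes > len(pkt):        # RFC 4861 forbids zero; no overrun
            raise ValueError(f"option {opt_type} claims {nbytes} bytes, {len(pkt) - pos} remain")
        body = pkt[pos + 2:pos + nbytes]
        options.append((opt_type, parse_rdnss(opt_len, body) if opt_type == OPT_RDNSS else body))
        pos += nbytes
    return options

def build_ra(options):   # constructed Router Advertisement for the demo (checksum left zero)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return hdr + b"".join(options)

def rdnss_option(length, lifetime, addrs):   # constructed option; `length` is written as given
    addr_bytes = b"".join(IPv6Address(a).packed for a in addrs)
    return bytes([OPT_RDNSS, length]) + b"\x00\x00" + struct.pack("!I", lifetime) + addr_bytes

def demo():
    good = parse_ra_options(build_ra([rdnss_option(3, 600, ["2001:db8::53"])]))
    # Length 5 announces two addresses but only one is present: sizing a buffer from the field alone would overrun
    try:
        parse_ra_options(build_ra([rdnss_option(5, 600, ["2001:db8::53"])]))
        rejected = False
    except ValueError:
        rejected = True
    return good, rejected
```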
Has this vulnerability been exploited in the wild after the patches were released?
There are no reports yet. But that does not mean it cannot be exploited!
What you need to remember here is this:
Since TCPIP.SYS is a kernel driver, triggering this bug means exploiting a vulnerability inside the kernel itself, the very core of any running Windows system. That's why the system crashes with a BSoD rather than just shutting down one application with an error while leaving everything else running.
After all, shutting down the kernel means that there is no “anything else” to keep running, given that it’s the kernel that controls everything else.
What can you do to prevent Ping of Death?
Some legacy devices and equipment can still be vulnerable to the Ping of Death if they have not been patched. Malicious packets reaching any network, computer, or server can cause damage and crash a network.
You can protect yourself from the risk of Ping of Death attacks by avoiding legacy equipment and ensuring that your devices and software are kept up to date. The Ping of Death can also be avoided by blocking fragmented pings and increasing memory buffers, which reduces the risk of memory overflows.
You can block ICMP ping messages using your NGFW. But this is not a practical approach, because it affects performance and reliability and blocks legitimate pings. Such blocks are also not ideal because invalid-packet attacks can be launched through other listening ports, such as File Transfer Protocol (FTP).
Instead, using distributed denial-of-service (DDoS) protection services is a smarter approach to network security and to protecting against Ping of Death attacks. DDoS protection helps organizations block malformed packets before they can reach their target within your network, which removes the risk of a Ping of Death occurring.
Kindly write your comments on these posts or topics, because when you do, you help me greatly in designing new quality articles and posts on cybersecurity.
You can also share with all of us if the information here helps you in some way.
Life is short, so make the most of it!
Also take care of yourself and your loved ones…
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in cybersecurity, Cisco technologies, and networking...
She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and social media platforms.