Hubbry Logo
Ping of deathPing of deathMain
Open search
Ping of death
Community hub
Ping of death
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Ping of death
Ping of death
Ping of death
View on Wikipedia
from Wikipedia

A ping of death is a type of cyberattack on a computer system that involves sending a malformed or otherwise malicious ICMP echo request, a message normally associated with the ping utility, to a computer.[1] In this attack, a host sends hundreds of ICMP echo requests with a packet size that is large or illegal to try to take the receiving host offline or to keep it preoccupied responding with replies.[2]

A correctly formed ICMP echo request is typically 56 bytes in size, or 64 bytes when the Internet Control Message Protocol (ICMP) header is considered, and 84 bytes including Internet Protocol (IP) version 4 header. However, any IPv4 packet may be as large as 65,535 bytes. Some computer systems were never designed to properly handle an ICMP echo request packet larger than the maximum packet size because it violates the Internet Protocol.[3][4] Like other large but well-formed packets, a ping of death is fragmented into groups of 8 octets before transmission. However, when the target computer reassembles the malformed packet, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code.

In early implementations of TCP/IP, this bug is easy to exploit and can affect a wide variety of systems, including Unix, Linux, Mac, Windows, and peripheral devices. As systems began filtering out pings of death through firewalls and other detection methods, a different kind of ping attack known as ping flooding later appeared, which floods the victim with so many ping requests that normal traffic fails to reach the system (a basic denial-of-service attack).

The ping of death attack has been largely neutralized by advancements in technology. Devices produced after 1998 include defenses against such attacks,[specify] rendering them resilient to this specific threat. However, in a notable development, a variant targeting IPv6 packets on Windows systems was identified, leading Microsoft to release a patch in mid-2013.[5]

Detailed information

[edit]

The maximum packet length of an IPv4 packet including the IP header is 65,535 (216 − 1) bytes,[3] a limitation presented by the use of a 16-bit wide IP header field that describes the total packet length.

The underlying data link layer almost always poses limits to the maximum frame size (see MTU). In Ethernet, this is typically 1500 bytes. In such a case, a large IP packet is split across multiple IP packets (also known as IP fragments), so that each IP fragment will match the imposed limit. The receiver of the IP fragments will reassemble them into the complete IP packet and continue processing it as usual.

When fragmentation is performed, each IP fragment needs to carry information about which part of the original IP packet it contains. This information is kept in the Fragment Offset field, in the IP header. The field is 13 bits long, and contains the offset of the data in the current IP fragment, in the original IP packet. The offset is given in units of 8 bytes. This allows a maximum offset of 65,528 ((213 − 1) × 8). Then when adding 20 bytes of IP header, the maximum will be 65,548 bytes, which exceeds the maximum frame size. This means that an IP fragment with the maximum offset should have data no larger than 7 bytes, or else it would exceed the limit of the maximum packet length. A malicious user can send an IP fragment with the maximum offset and with much more data than 8 bytes (as large as the physical layer allows it to be).

When the receiver assembles all IP fragments, it will end up with an IP packet which is larger than 65,535 bytes. This may possibly overflow memory buffers that the receiver allocated for the packet, and can cause various problems.

As is evident from the description above, the problem has nothing to do with ICMP, which is used only as payload, big enough to exploit the problem. It is a problem in the reassembly process of IP fragments, which may contain any type of protocol (TCP, UDP, IGMP, etc.).

The correction of the problem is to add checks in the reassembly process. The check for each incoming IP fragment makes sure that the sum of "Fragment Offset" and "Total length" fields in the IP header of each IP fragment is smaller or equal to 65,535. If the sum is greater, then the packet is invalid, and the IP fragment is ignored. This check is performed by some firewalls, to protect hosts that do not have the bug fixed. Another fix for the problem is using a memory buffer larger than 65,535 bytes for the re-assembly of the packet. (This is essentially a breaking of the specification, since it adds support for packets larger than those allowed.)

Ping of death in IPv6

[edit]

In 2013, an IPv6 version of the ping of death vulnerability was discovered in Microsoft Windows. Windows TCP/IP stack did not handle memory allocation correctly when processing incoming malformed ICMPv6 packets, which could cause remote denial of service. This vulnerability was fixed in MS13-065 in August 2013.[6][7] The CVE-ID for this vulnerability is CVE-2013-3183.[8] In 2020, another bug (CVE-2020-16898) in ICMPv6 was found around Router Advertisement, which could even lead to remote code execution.[9]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Ping of death

View on Grokipedia
from Grokipedia
The Ping of Death is a denial-of-service (DoS) attack that involves sending oversized or malformed (ICMP) Echo Request packets—commonly known as ping packets—to a target system, exceeding the (IP) maximum packet size of 65,535 bytes, which causes buffer overflows during reassembly and results in system crashes, freezes, or reboots. These packets are typically fragmented to evade detection during transmission, exploiting weaknesses in how operating systems and network stacks process ICMP traffic. First publicly documented in and widely reported that year, the attack gained notoriety as one of the earliest well-known DoS vulnerabilities affecting internet-connected devices, with the (CERT) issuing advisory CA-1996-26 on December 16, 1996, to alert administrators after reports of systems failing under ping bombardment. It emerged during the rapid expansion of the early internet, when many implementations of the TCP/IP stack in operating systems like , various Unix variants, and network hardware such as routers and printers lacked robust validation for packet sizes. In operation, an attacker crafts an ICMP packet larger than the IP limit by fragmenting it into smaller pieces, each with overlapping or incorrect offsets, forcing the target to allocate excessive memory during reassembly; this overwhelms the buffer, triggering instability in the kernel or without requiring or privileged access. Tools like raw socket implementations in programming languages (e.g., or ) enable rapid generation of such packets, and in distributed variants, multiple compromised hosts amplify the effect into a DDoS assault. The attack targets the network layer (Layer 3 of the ), making it simple to execute from remote locations using standard tools like the ping utility modified with oversized buffer options, such as "ping -l 65510" on vulnerable Windows systems. Primarily impacting older systems from the mid-1990s, the Ping of Death caused widespread disruptions, including server downtime and network outages, but and devices have largely mitigated it through stricter checks, packet size limits, and firewall rules that drop anomalous ICMP traffic. Affected platforms included early versions of Microsoft Windows, kernels prior to 2.0.0, Solaris, and routers, though patches were quickly released by vendors following CERT's guidance. Today, while rare due to built-in defenses in contemporary TCP/IP stacks and intrusion detection systems that filter oversized fragments, the Ping of Death remains a conceptual benchmark for understanding protocol vulnerabilities and is occasionally referenced in educational contexts or analyses; effective mitigations include disabling unnecessary ICMP responses, implementing on ping requests, and using network intrusion prevention systems () to inspect and block malformed packets.

Background

ICMP and Ping Protocol

The Internet Control Message Protocol (ICMP) is a supporting protocol integral to the Internet Protocol (IP), designed primarily for error reporting, diagnostics, and control functions within IP networks. As specified in RFC 792, ICMP operates at the network layer alongside IP and is implemented by every IP module to provide feedback on communication problems, such as unreachable destinations or routing issues, without ensuring message delivery reliability. In IPv4 environments, ICMP messages are encapsulated within IP datagrams, using the IP header to route them, and serve as a mechanism for hosts and gateways to exchange diagnostic information. A key application of ICMP is the ping utility, which utilizes ICMP Echo Request messages (type 8, code 0) to test network reachability and measure round-trip time (RTT) between devices. When a host sends an Echo Request, the target device responds with an Echo Reply message (type 0, code 0), echoing back the original data payload to confirm connectivity. This exchange allows network administrators to verify if a remote host is operational and to assess latency, with the RTT calculated as the time from sending the request to receiving the reply. Identifiers and sequence numbers in the messages help match replies to specific requests, especially in scenarios with multiple concurrent pings. The standard structure of an ICMP message consists of an 8-byte header followed by optional data. The header includes a 1-byte Type field (e.g., 8 for Echo Request), a 1-byte Code field (typically 0 for echo messages), and a 2-byte Checksum for error detection, computed using one's complement sum over the header and data. The remaining 4 bytes in the header for echo messages contain an Identifier and Sequence Number, while the optional data payload—often arbitrary bytes for testing—mirrors the request in the reply. Encapsulated in an IPv4 datagram, ICMP messages adhere to the protocol's maximum size limit of 65,535 bytes, though typical ping packets are much smaller, such as 64 bytes including headers, to facilitate quick diagnostics. In network troubleshooting, ping and other ICMP messages enable systematic diagnostics, such as detecting host availability, tracing path issues via combined tools like (which uses ICMP Time Exceeded messages), or reporting congestion through Source Quench messages. These functions support efficient IP network in IPv4 deployments, where ICMP provides essential visibility without altering the core delivery process. , a related IP mechanism, handles oversized by splitting them for transmission, ensuring compatibility with ICMP's diagnostic role.

IP Fragmentation Basics

In IPv4, the maximum transmission unit (MTU) defines the largest packet size that can be transmitted over a network link without fragmentation, with Ethernet networks typically supporting an MTU of 1,500 bytes. When an originating host needs to send a datagram larger than the MTU of an intermediate link, the router or host fragments it into smaller pieces to ensure transmission across diverse network segments. This process allows IPv4 to handle variable-sized datagrams efficiently in heterogeneous environments, such as when ICMP echo packets exceed the path MTU. Key fields in the IPv4 header facilitate fragmentation and reassembly: the Identification field (16 bits) assigns a unique value to match all fragments of the same ; the Fragment Offset field (13 bits) specifies the position of the fragment in the original , measured in 8-byte units; and the More Fragments (MF) flag (1 bit) indicates whether additional fragments follow, with MF set to 0 in the last fragment. These fields enable routers to split and destinations to reconstruct them accurately. The total length of the reassembled cannot exceed 65,535 bytes, as defined by the 16-bit Total Length field in the . At the destination host, reassembly involves collecting all fragments with matching Identification values, ordering them by Fragment Offset, and combining their data payloads while verifying the MF flags and total length. If reassembly fails—such as due to a missing fragment—the entire datagram is discarded, and an ICMP Time Exceeded message (type 11, code 1) may be sent to the source. For cases where fragmentation is required but the Don't Fragment (DF) bit is set in the original datagram, intermediate routers discard the packet and return an ICMP Destination Unreachable message with code 4 (Fragmentation Needed and DF Set), including the MTU of the restricting link to aid .

Attack Mechanism

Packet Construction and Transmission

In the IPv4 ping of death attack, the attacker begins by constructing an ICMP echo request packet designed to exceed the protocol's maximum allowable size of 65,535 bytes for the total IP , often setting the to 65,536 bytes or more to induce an overflow upon reassembly. This oversized packet includes the standard ICMP echo request structure, consisting of a type field set to 8 (echo request), a field of 0, a , an identifier, a sequence number, and the oversized data . To generate such packets, attackers employ specialized tools like hping, a command-line packet generator capable of crafting custom ICMP packets with arbitrary data sizes, or custom scripts that specify large payload lengths beyond typical ping utilities' defaults. These tools allow the attacker to bypass local (MTU) limits—typically 1,500 bytes for Ethernet—by instructing the sending system's IP stack to create the oversized packet, which is then automatically fragmented before transmission. During transmission, the source system's IP stack or an intervening router fragments the oversized packet into smaller segments compliant with the network's MTU, ensuring that the sum of the data portions across all fragments exceeds the -byte IP maximum while each individual fragment remains valid. For instance, the IP headers of these fragments share an identical identification field to associate them as parts of the same original packet; a common configuration includes an initial fragment with offset 0 and subsequent fragments with progressively higher offsets, such as a final fragment at offset 65,528 bytes (maximum fragment offset value) carrying more than 7 bytes of data, resulting in an indicated total reassembled size exceeding bytes. The fragments are then transmitted to the target via standard protocols, potentially arriving out of order, with duplicates, or incompletely due to network conditions, all while maintaining the malicious intent encoded in their collective size.

Reassembly and Overflow Exploitation

When a target system receives the fragmented IP packets comprising an oversized ICMP Echo Request, its IP stack initiates the reassembly process to reconstruct the original . The stack allocates a reassembly buffer whose size is determined by summing the lengths of the incoming fragments and accounting for their offset positions, without initially validating the total against the IPv4 protocol's 65,535-byte limit. This allocation can lead to a if the crafted fragments indicate a total reconstructed packet size exceeding the allocated buffer's capacity or the protocol's bounds, as the data from overlapping or extended fragments is copied into contiguous kernel memory. In vulnerable implementations, such as certain early versions of Windows and operating systems, this results in memory corruption beyond the buffer's end, potentially overwriting adjacent data structures in the kernel space. The overflow typically triggers unhandled exceptions, causing effects like system crashes, freezes, or complete denial of service; for instance, in systems, it may induce a that halts the kernel's operation, rendering the machine unresponsive until . These disruptions stem from the failure to contain the excessive within safe boundaries during the finalization of reassembly. The arises because early IP stack implementations omitted rigorous bounds checking on the aggregate reassembly size, assuming fragments would conform to protocol specifications without verifying the total against the 65,535-byte limit prior to buffer population. This oversight allowed malformed inputs to evade detection until the overflow manifested during handling. The following pseudocode illustrates a simplified vulnerable reassembly routine in an affected IP stack:

initialize buffer[65536]; // Fixed-size buffer assuming max IP size total_size = 0; for each incoming_fragment { offset = fragment.offset; length = fragment.length; total_size += length; // Accumulate without bounds check copy fragment.data to buffer[offset]; // Overwrite if overlapping } if (total_size > 0) { // No check for total_size > 65535 process_reassembled_packet(buffer, total_size); // Overflow if total_size > buffer capacity }

initialize buffer[65536]; // Fixed-size buffer assuming max IP size total_size = 0; for each incoming_fragment { offset = fragment.offset; length = fragment.length; total_size += length; // Accumulate without bounds check copy fragment.data to buffer[offset]; // Overwrite if overlapping } if (total_size > 0) { // No check for total_size > 65535 process_reassembled_packet(buffer, total_size); // Overflow if total_size > buffer capacity }

This example highlights the absence of a pre-allocation validation step, such as if (total_size > [65535](/page/65,535)) discard_fragments();, which was missing in susceptible systems.

History and Impact

Discovery and Early Incidents

The Ping of Death vulnerability was first publicly documented in October 1996, when security researcher Kenney launched a dedicated webpage detailing the exploit, which involved sending oversized IP packets via the ping utility to cause remote crashes. This proof-of-concept demonstrated that fragmented ICMP echo request packets exceeding the maximum IP packet size of bytes could trigger buffer overflows during reassembly, leading to denial-of-service effects. Early testing revealed the issue affected a wide range of systems, with successful crashes observed over long distances, such as from , to , . Widespread awareness grew through security communities in late 1996, with discussions on mailing lists like Bugtraq reporting vulnerabilities exploitable via ping as early as October 21, 1996. The community responded rapidly, releasing a kernel patch within approximately two and a half hours of the initial report. Initial incidents targeted early hosts, including university networks, causing temporary outages, system freezes, and reboots on vulnerable machines running Unix variants and other operating systems. The formalized the threat in Advisory CA-1996-26, issued on December 18, 1996, warning of denial-of-service attacks via oversized ping datagrams that could crash, freeze, or reboot affected systems. The advisory highlighted reports from multiple vendors, including Digital, , and , confirming impacts on Windows, Macintosh, and Unix platforms. Media coverage in publications, such as magazine's discussions of denial-of-service techniques, and ARPANET-related security forums further amplified the issue by late 1996. Vendors began issuing patches shortly after, with widespread fixes available by early 1997, marking the transition from discovery to mitigation.

Affected Systems and Vulnerabilities

The ping of death stems from a lack of proper checks on the size of reassembled IP packets in many TCP/IP stack implementations, allowing oversized fragmented ICMP echo request packets to exceed the maximum IP datagram size of 65,535 bytes and trigger buffer overflows during reassembly. This flaw enabled denial-of-service (DoS) conditions by causing systems to crash, freeze, or reboot unpredictably when processing the malicious packets. Among operating systems, early Microsoft Windows versions such as Windows 95 and Windows NT were highly susceptible, often resulting in hard locks or kernel panics upon packet reassembly due to inadequate buffer size validation in their IP stacks. Unix variants exhibited similar issues; for instance, Sun Microsystems' Solaris 2.5 (and earlier releases like 2.3 to 2.4) would panic during reassembly attempts, halting the kernel and requiring manual reboots. Early Linux kernels in the 2.0.x series were also vulnerable, leading to system crashes from the same overflow exploitation, though later kernels implemented fixes to discard oversized fragments. Other impacted Unix systems included Digital UNIX 3.0/3.2/4.0, ULTRIX 4.3-4.5, IBM AIX 3.2/4.1/4.2, and SCO OpenServer 5.0.0/5.0.2, where failure modes typically involved kernel panics or resource exhaustion. Network devices faced comparable risks from deficient fragment processing logic. Cisco routers running IOS versions 10.x and earlier could crash when attempting to reassemble oversized IP fragments, disrupting tables and forwarding operations across connected networks. Early firewalls, including IBM's Secured Network Gateway (SNG) V2.1/V2.2, would similarly fail during fragment handling, resulting in service denial and potential exposure of protected segments to further attacks. In 1996, this vulnerability posed widespread DoS risks to the burgeoning , impacting a vast array of connected hosts and devices as reported by the , with exploits rapidly circulating and necessitating urgent vendor patches across the ecosystem. Systems that enforced strict (MTU) limits or discarded invalid fragments were less prone; for example, post-patched (BSD) variants, such as BSD/OS 2.1, incorporated reassembly safeguards that prevented exploitation.

Mitigation Strategies

Software Patches and Updates

released specific patches for the ping of death vulnerability in late 1996, addressing affected systems including and . These updates introduced reassembly bounds checks in the IP stack to prevent buffer overflows from malformed oversized packets, ensuring that fragmented ICMP echoes exceeding the 65,535-byte limit were discarded before processing. For , the patch was issued as a shortly after the vulnerability's public disclosure, while received a similar update integrated into subsequent releases like OSR2.1, which included enhanced packet validation. In Unix and Linux environments, kernel-level fixes were rapidly deployed through updates that enforced strict IP length validation prior to buffer allocation during reassembly. For instance, the Linux kernel 2.0.24, released in December 1996, incorporated patches to handle oversized fragments by rejecting packets where the total reassembled data surpassed 65,535 bytes, averting kernel panics or reboots. The Linux 2.1.x development series, active in late 1996, integrated similar protections natively, with code changes in the IP fragmentation routines to compute and verify the aggregate length early in the process. Comparable updates were provided for other Unix variants, such as Solaris 2.5 and HP-UX 10.x, focusing on discarding invalid fragments at the network layer. These patches were guided by the CERT advisory CA-1996-26, which coordinated vendor responses to the vulnerability. The general approach across affected software involved modifications to the IP protocol stack, exemplified by that checks the sum of fragment data lengths against the maximum IP packet size:

if (total_length = sum(fragment_lengths) > 65535) { discard_packet(); log_anomaly(); } else { proceed_to_reassembly(); }

if (total_length = sum(fragment_lengths) > 65535) { discard_packet(); log_anomaly(); } else { proceed_to_reassembly(); }

This logic prevented allocation of oversized buffers, a core defense recommended in contemporary advisories. Network equipment vendors, including , responded with updates released in 1996, imposing fragment size limits and dropping suspicious ICMP traffic to mitigate reassembly exploits; most major rollouts occurred by late 1996. Post-patch verification typically involved testing with tools like the ping utility using oversized payloads, such as ping -s 65510 target, which on patched systems would either truncate the packet or elicit no crash, confirming the fixes' efficacy without disrupting normal operations. These updates effectively neutralized the vulnerability in IPv4 implementations by the end of , rendering the original ping of death obsolete on compliant systems.

Network-Level Defenses

Network-level defenses against the ping of death attack focus on perimeter configurations that filter or restrict malicious ICMP before it reaches endpoint systems, thereby preventing packet reassembly and potential buffer overflows. These measures, implemented on firewalls, routers, and intrusion detection systems, provide a first line of protection by inspecting and dropping anomalous packets at the network edge. Firewalls can be configured with rules to block inbound ICMP echo requests or fragments, effectively stopping oversized ping packets from propagating. For instance, using on Linux-based firewalls, administrators can drop ICMP echo requests exceeding typical packet sizes, such as: iptables -A INPUT -p icmp --icmp-type echo-request -m [length](/page/Length) --length 1500: -j DROP. This rule targets non-fragmented packets larger than the standard Ethernet MTU ( bytes). For fragmentation-based exploits like ping of death, additional rules to block ICMP fragments are recommended, such as iptables -A INPUT -p icmp -f -j DROP. Similarly, blocking all incoming ICMP traffic via iptables -A INPUT -p icmp -j DROP prevents pings from reaching internal hosts, though it may hinder legitimate diagnostics. On routers, lists (ACLs) enable precise filtering of ICMP traffic to counter ping of death attempts. Cisco routers, for example, support extended ACLs to deny fragmented ICMP packets, as in: access-list 101 deny icmp any any fragment, which is applied to inbound interfaces to drop such traffic early in the path. Additionally, committed access rate (CAR) policies can rate-limit ICMP echo requests, such as limiting to 1000 bits per second with burst allowance, using commands like rate-limit input access-group 101 1000 1500 500 conform-action transmit exceed-action drop. These configurations ensure oversized or excessive ICMP does not overwhelm the network. Intrusion detection systems like Snort, introduced in , incorporate signature-based rules to identify and alert on ping of death patterns, such as oversized ICMP echo requests. An example Snort rule for detection is: alert icmp any any -> any any (msg:"Ping of Death Detected"; dsize>1000; itype:8; sid:1000001;), which triggers on echo requests (type 8) exceeding 1000 bytes, allowing network administrators to block or log such anomalies in real-time. Early Snort deployments used similar rules to match fragmented or malformed ICMP, integrating with prevention modes for automated dropping. Best practices for network-level security include disabling ICMP echo responses on public-facing interfaces to reduce exposure, as routers and firewalls can be configured to ignore or silently drop such requests without alerting attackers. Rate limiting ICMP traffic further enhances resilience; for instance, Cisco's Control Plane Policing (CoPP) can cap ICMP at low thresholds, like 10 packets per second, using policy maps to protect routing infrastructure from floods. These approaches complement software patches by addressing threats externally. By intercepting malicious packets prior to reassembly, these defenses significantly reduce endpoint load and prevent exploitation.

IPv6 Considerations

IPv6 Protocol Differences

serves as an extension of ICMPv4, maintaining core diagnostic functions while incorporating enhancements tailored to . The Echo Request message, identified by type 128, and the Echo Reply message, type 129, enable connectivity testing similar to IPv4's ping mechanism. However, is more deeply integrated with protocols, particularly the (NDP), which utilizes messages for address resolution, router discovery, and duplicate address detection, thereby expanding its role beyond simple error reporting. In contrast to IPv4, IPv6 handles fragmentation exclusively at the source node using extension headers rather than dedicated fields in the main . The Fragment Header, inserted after the base IPv6 header or other extension headers, includes fields such as the Next Header (indicating the type of header following the fragment), the Fragment Offset (specifying the position of this fragment in the original packet), the Reserved field (set to zero), and the More Fragments (M) flag (indicating if additional fragments follow). This design prohibits intermediate routers from fragmenting packets, shifting the responsibility to the originating host to ensure packets fit the path's (MTU). Reassembly occurs solely at the destination, mirroring IPv4 but with stricter endpoint control to mitigate processing overhead on network devices. IPv6 supports larger packet sizes than IPv4, accommodating jumbograms up to approximately 4 gigabytes (2^32 - 1 bytes) via the Jumbo Payload option in the Hop-by-Hop Options extension header, though practical deployments rarely exceed standard limits. The minimum link MTU for is 1,280 bytes, ensuring compatibility across diverse networks, while hosts must support reassembly of datagrams up to at least 1,500 bytes. These limits influence potential oversized packet attacks, but IPv6's mandatory (PMTUD) mechanism requires sources to probe and adjust to the smallest MTU along the path using "Packet Too Big" messages (type 2), thereby avoiding fragmentation altogether in well-implemented systems and reducing the applicability of classic IPv4-style ping of death vectors. The packet structure retains a fundamental 8-byte header common to ICMP variants, comprising a 1-byte Type field, a 1-byte Code field (often zero for messages), a 2-byte , and a 4-byte identifier or sequence number in the message body for Request and Reply. IPv6-specific adaptations include optional extensions via NDP options, such as the Source Link-Layer or Target fields, which are encapsulated in Type-Length-Value (TLV) format to support protocol-specific features without altering the core header. This structure ensures compatibility with IPv6's extension header chain while providing flexibility for advanced network diagnostics.

IPv6-Specific Vulnerabilities

In 2013, security researchers identified an IPv6 variant of the ping of death attack that exploited reassembly flaws in ICMPv6 echo requests, enabling denial-of-service (DoS) conditions on vulnerable routers and operating systems through oversized fragmented packets exceeding the 65,535-byte IPv6 limit. This vulnerability, tracked as CVE-2013-3183, affected Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT with IPv6 enabled, where malformed ICMPv6 packets triggered buffer overflows during reassembly, causing system crashes or hangs. Similar ICMPv6 reassembly issues were noted in some router implementations, where oversized echo requests could overwhelm processing buffers and disrupt network traffic. A more severe IPv6-specific vulnerability emerged in 2020, designated CVE-2020-16898, which allowed remote code execution via malformed router advertisement packets in the Windows TCP/IP stack (tcpip.sys). Disclosed as a zero-day in October 2020, the flaw stemmed from improper handling of the Recursive DNS Server option (Type 25) in packets, enabling attackers to execute arbitrary code with SYSTEM privileges without authentication, provided was enabled on the target. rated it critical (CVSS 9.8), affecting versions 1709 and later, as well as and newer, with patches issued in the October 2020 release. A related issue, CVE-2020-16899, involved similar mishandling of packets leading to DoS. Other IPv6 implementations faced buffer issues from oversized jumbo frames and fragmentation. For instance, attackers could craft fragmented echo requests exceeding the standard MTU, triggering overflows during reassembly in unpatched systems. These ping of death variants often involve malformed Fragment Headers with invalid offsets, where the offset field (in 8-octet units) is set to cause overlapping or out-of-bounds reassembly, leading to memory corruption. Such attacks exploit the Fragment Header's structure, where an invalid offset combined with the More Fragments flag can force excessive buffer allocation or overwrite adjacent memory regions. In 2024, a critical remote execution vulnerability (CVE-2024-38063) was disclosed in the Windows kernel's parser, allowing attackers to exploit malformed packets with extension headers, leading to kernel memory corruption and potential DoS or execution, highlighting ongoing risks in fragmentation handling. Overall, -specific ping of death attacks are less prevalent than their IPv4 counterparts due to mandatory (PMTUD), which reduces reliance on fragmentation by dynamically adjusting packet sizes via "Packet Too Big" messages. However, they remain viable in misconfigured networks where PMTUD fails—such as when firewalls block or MTU mismatches persist—forcing endpoint fragmentation and exposing reassembly flaws.

References

  1. https://www.cert.org/historical/advisories/CA-1996-26.cfm
  2. https://www.iiisci.org/journal/pdv/sci/pdfs/p129065.pdf
  3. https://archive.ll.mit.edu/ideval/docs/attackDB.html
  4. https://arxiv.org/pdf/2211.15404
  5. https://datatracker.ietf.org/doc/html/rfc792
  6. https://datatracker.ietf.org/doc/html/rfc791
  7. https://www.rfc-editor.org/rfc/rfc1191.html
  8. https://www.rfc-editor.org/rfc/rfc791.html
  9. https://www.cert.org/advisories/CA-1996-26.html
  10. https://www.imperva.com/learn/ddos/ping-of-death/
  11. https://www.radware.com/security/ddos-knowledge-center/ddospedia/hping/
  12. https://www.giac.org/paper/gsec/653/analysis-fragmentation-attacks/101502
  13. https://vercara.digicert.com/resources/ping-of-death-denial-of-service-dos-attack
  14. https://www.cloudflare.com/learning/ddos/ping-of-death-ddos-attack/
  15. https://www.sans.org/security-resources/glossary-of-terms/
  16. https://insecure.org/sploits/ping-o-death.html
  17. https://seclists.org/bugtraq/1996/Oct/116
  18. https://www.cs.ait.ac.th/joomla3/index.php/security-advisories?CERT/CA96/msg00001.shtml
  19. https://phrack.org/issues/50/3
  20. https://www.cnet.com/tech/services-and-software/ping-of-death-averted/
  21. https://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
  22. https://www.fortinet.com/resources/cyberglossary/ping-of-death
  23. https://community.cisco.com/t5/network-security/ping-of-death-protection-options/td-p/603335
  24. https://forum.netgate.com/topic/52635/some-questions-about-snort
  25. https://datatracker.ietf.org/doc/html/rfc4443
  26. https://www.iana.org/assignments/icmpv6-parameters
  27. https://datatracker.ietf.org/doc/html/rfc8200
  28. https://www.usenix.org/event/sec08/tech/full_papers/dalton/dalton.pdf
  29. https://arxiv.org/pdf/2309.03525
  30. https://media.blackhat.com/bh-eu-12/Atlasis/bh-eu-12-Atlasis-Attacking_IPv6-WP.pdf
  31. https://nvd.nist.gov/vuln/detail/CVE-2024-38063
  32. https://blog.cloudflare.com/path-mtu-discovery-in-practice/
  33. https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html
Add your contribution
Related Hubs
User Avatar
No comments yet.