Introduction
You’re probably familiar with the term “ping me” – a casual alternative to “contact me.” The phrase comes from the IT world, where the Ping command is used to perform a simple, legitimate network connectivity test. One computer sends a message to another computer using the Internet Control Message Protocol (ICMP) to check the connection and response time.
“Ping me” sounds friendly, but there’s nothing friendly about a Ping of Death DDoS attack, a classic, yet still dangerous, type of DDoS attack.
In this blog, we’ll shed light on the potential risks and damage Ping of Death (PoD) attacks can cause to network security. We’ll explore the history, mechanics, and impact of PoD attacks, while also offering guidance on how to identify and protect against them.
Ping of Death (PoD) Attack
A Ping of Death attack is a type of DDoS attack where an attacker overwhelms a network device with ping packets (also referred to as ICMP data packets) in an attempt to make the device or service sluggish or crash so that it is unavailable to legitimate users and traffic. PoD attacks can target a single device, but today it is more common for the threat actor to use a Botnet to launch a PoD DDoS attack.
History of PoD
The first known Ping of Death attack was discovered by security researchers in 1996, just as Internet adoption was growing. The attack gained widespread notoriety when it was used to crash machines running Windows 95 and Windows NT operating systems and to disrupt routers and firewalls. The attack revealed a weakness in handling large volumes of fragmented packets that attackers could use to take down organizations’ systems and it kicked off a slew of similar attacks.
How the Ping of Death Attack Works
A ping request is a legitimate way to test connectivity between two machines using ICMP. One device sends a ping echo-request packet to another, which sends back an echo-reply message. The round-trip time of the exchange measures the latency of the connection.
In a PoD DDoS attack, the only piece of information the attacker needs to know about the target is its IP address. The attacker overwhelms the target device or system by sending a large number of ping echo-request packets. The requests consume bandwidth and eventually exhaust the targeted device’s resources, causing it to slow down or stop altogether.
Attackers can also send ping packets that exceed the maximum packet size. Because such a packet cannot travel as a single unit, the attacker sends it as a series of smaller fragments, each below the allowable limit. When the targeted device attempts to reassemble the fragments into the original packet in order to respond, the device crashes.
Attackers use different methods to target different devices with ping packets:
- Targeted local disclosed. This ping flood attack targets a specific computer on a local network, using the specific IP address of the destination device.
- Router disclosed. This attack targets routers to disrupt communication between computers on a network. In this case, the attacker must have the internal IP address of the local router or switch.
- Blind ping. In this attack, the attacker first uses an external program to discover the IP address of the target computer or router before launching the attack.
Impact on Target Systems
Although it originates from a seemingly harmless request, a PoD DDoS attack can severely impact the performance and availability of targeted systems and result in financial consequences for organizations.
- Network performance: Excessive ping packet traffic consumes network bandwidth and can create network congestion.
- System and service availability: As devices attempt to respond to a massive volume of bogus ping requests or reassemble echo-request packets that exceed the allowable size limit, their resources become drained and systems eventually crash, leading to service outages for legitimate users.
- Financial impact: Any compromise to business operations can have financial implications, including the costs of mitigation and recovery efforts as well as losses in revenue, brand reputation, and customer trust.
Evolution and Variants of Ping of Death
Ping of Death attacks were among the first denial of service attacks to emerge and remained prominent for decades. While they have waned in the last few years, Ping of Death attacks continue to evolve and still occur. So, organizations need to protect themselves against them.
Modern Relevance of Ping of Death
The original Ping of Death attack wreaked havoc for several years. Fortunately, devices created after 1998 included updated code to mitigate risk from the original form of PoD attacks.
However, Ping of Death attacks made a return in August 2013, when they posed a threat to Internet Protocol version 6 (IPv6) networks. The attack exploited a flaw in the IPv6 implementation. The risk could be avoided by applying the patch that was issued and by disabling IPv6.
PoD attacks resurfaced in October 2020, when a flaw was discovered that once again allowed Windows systems to be exploited. Again, patches were made available to strengthen security and avoid the risk.
Finally, certain industries also face a higher risk of DDoS attacks, such as Ping flood attacks, and must remain vigilant. Two key industries more frequently targeted are:
- Financial services due to their high reliance on online services, critical nature of the services they provide, and the value of data that could be compromised.
- Telecommunications and ISP/hosting providers due to their critical role in delivering internet services and the ripple effect of an attack on their customer base.
Variants of the Attack
We know that threat actors continue to evolve their tactics, techniques, and procedures (TTPs). So, it’s no surprise that variants of the original PoD attack concept have emerged that exploit similar mechanisms. For example:
- Teardrop Attacks take advantage of a bug in older devices that causes them to become confused and crash when reassembling fragmented packets, especially when data seems to overlap or is not in the right order.
- Bonk Attacks use a large fragment that forces the device to allocate a huge buffer during reassembly, causing the system to crash.
- SMS of Death Attacks target iPhone devices with specially crafted ping packets that get fragmented.
Additionally, unlike other DDoS attacks such as Smurf attacks, UDP flood attacks, and the Mirai botnet, PoD attacks do not lend themselves to amplification and reflection. So, threat actors use Ping of Death attacks in combination with other attacks to maximize their impact.
How a Ping of Death (PoD) Attack is Executed
A Ping of Death Attack exploits the ICMP protocol and IP fragmentation. An IP packet, header included, may be at most 65,535 bytes. While most IP packets are small, a set of fragments can be crafted so that the reassembled packet exceeds this limit, and packets that exceed it can cause systems to crash.
Steps Involved in Launching a PoD Attack
PoD attacks involve a few simple steps which can be performed using readily available tools. Targets can include various operating systems and devices such as routers, firewalls, and servers.
- The attacker sends an ICMP (ping) packet that exceeds the allowable limit.
- The large packet gets fragmented into multiple, smaller packets before sending.
- The receiving system tries to reassemble the packet back into the larger packet. However, the system has no information to tell it that the packet is too large until the damage is done.
- The reassembly process fails because the packet exceeds the limit, causing the system to crash or freeze.
NOTE: The impact of the attack will vary based on how the system handles reassembly.
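The defender's side of the steps above is the reassembly check the NOTE alludes to: before any fragment is copied into a buffer, confirm that its offset plus its length stays within the 65,535-byte datagram limit, and reject fragments that overlap pieces already received (the Teardrop variant mentioned earlier). The following is an added example written for this page, not code from the original post or from any particular operating system; the fragment model, the 20-byte header assumption, and the sample fragment sets are constructed for illustration.

```python
# Added example (not from the original post): a defensive IPv4 fragment
# reassembler that enforces the 65,535-byte datagram limit and rejects
# overlapping fragments before touching any buffer. Fragments are modelled
# as plain Python objects rather than parsed from raw bytes (assumption).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65_535                  # maximum IPv4 total length, header included
IPV4_HEADER = 20                       # minimal header (assumption: no options)
MAX_PAYLOAD = MAX_DATAGRAM - IPV4_HEADER


@dataclass
class Fragment:
    """One IP fragment; offset_units is in 8-byte units, as in the IP header."""
    ident: int
    offset_units: int
    more_fragments: bool
    payload: bytes


@dataclass
class ReassemblyState:
    pieces: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (start, end, data)
    total_len: Optional[int] = None     # known once the final fragment arrives


class Reassembler:
    def __init__(self) -> None:
        self.pending: Dict[int, ReassemblyState] = {}

    def check(self, frag: Fragment, state: ReassemblyState) -> Optional[str]:
        """Return a drop reason for a bad fragment, or None if it is acceptable."""
        start = frag.offset_units * 8
        end = start + len(frag.payload)
        if end > MAX_PAYLOAD:  # the Ping of Death condition: datagram would exceed 65,535 bytes
            return f"oversized: datagram would reach {end + IPV4_HEADER} bytes"
        if frag.more_fragments and len(frag.payload) % 8 != 0:
            return "non-final fragment length is not a multiple of 8"
        for s, e, _ in state.pieces:      # overlapping byte ranges (Teardrop-style)
            if start < e and s < end:
                return f"overlap: [{start},{end}) collides with [{s},{e})"
        if not frag.more_fragments and state.total_len is not None:
            return "second final fragment for the same datagram"
        if frag.more_fragments and state.total_len is not None and end > state.total_len:
            return "fragment lies beyond the declared end of the datagram"
        return None

    def feed(self, frag: Fragment) -> Tuple[str, Optional[bytes]]:
        """Process one fragment; returns ('accepted'|'complete'|'dropped', payload)."""
        state = self.pending.setdefault(frag.ident, ReassemblyState())
        if self.check(frag, state) is not None:
            # Discard the whole datagram so later pieces cannot complete a poisoned one.
            self.pending.pop(frag.ident, None)
            return "dropped", None
        start = frag.offset_units * 8
        state.pieces.append((start, start + len(frag.payload), frag.payload))
        if not frag.more_fragments:
            state.total_len = start + len(frag.payload)
        if state.total_len is not None and self._is_complete(state):
            data = b"".join(d for _, _, d in sorted(state.pieces))
            del self.pending[frag.ident]
            return "complete", data
        return "accepted", None

    @staticmethod
    def _is_complete(state: ReassemblyState) -> bool:
        """True when the accepted pieces cover [0, total_len) without gaps."""
        expected = 0
        for s, e, _ in sorted(state.pieces):
            if s != expected:
                return False
            expected = e
        return expected == state.total_len


def demo() -> dict:
    """Run three constructed fragment sets through the reassembler."""
    r = Reassembler()
    out: dict = {}
    # 1) Legitimate 3,060-byte payload split into 1,480 + 1,480 + 100 bytes.
    good = [Fragment(1, 0, True, b"A" * 1480),
            Fragment(1, 185, True, b"B" * 1480),
            Fragment(1, 370, False, b"C" * 100)]
    statuses = [r.feed(f) for f in good]
    out["good"] = [s for s, _ in statuses]
    out["good_len"] = len(statuses[-1][1] or b"")
    # 2) Final fragment at offset 65,512 plus 100 bytes: total would exceed 65,535.
    out["oversized"] = r.feed(Fragment(2, 8189, False, b"X" * 100))[0]
    # 3) Two fragments whose byte ranges overlap (Teardrop-style).
    out["overlap"] = [r.feed(Fragment(3, 0, True, b"A" * 16))[0],
                      r.feed(Fragment(3, 1, True, b"B" * 16))[0]]
    return out
```

The key design choice is that a bad fragment discards the entire pending datagram rather than just the offending piece; otherwise an attacker could interleave valid and invalid fragments and still get a reassembly completed from the pieces the check let through.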
Identifying a Ping of Death Attack in Progress
There are many potential signs that a PoD attack is underway. You may get a “blue screen of death” on your device with no functionality, or your device may not even turn on. Other signs include network slowdowns, unresponsive services or system performance issues, and high CPU or bandwidth utilization.
Network monitoring tools can help teams identify spikes in traffic patterns that may indicate a Ping of Death attack is in progress, while system log analysis can point to the devices affected.
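To make the monitoring point concrete, here is an added example (not from the original post) of the two checks a log analyser would run for this attack: a per-source echo-request rate compared against a baseline, and any ICMP that arrives fragmented, which an ordinary default-size ping never is. The log line format, the field names, the addresses (RFC 5737 documentation ranges) and the baseline of 20 echo requests per second per source are all constructed assumptions.

```python
# Added example (not from the original post): detection logic for the signs
# described above, run over constructed log lines. The line format, field
# names, addresses and baseline threshold are assumptions for illustration.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
import re

# Constructed format, one record per line, timestamps at second granularity:
#   <iso-timestamp> src=<ip> proto=<proto> type=<icmp type> len=<bytes> frag=<0|1>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\w+) type=(?P<type>\d+) "
    r"len=(?P<len>\d+) frag=(?P<frag>[01])$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "proto": d["proto"],
            "type": int(d["type"]), "len": int(d["len"]), "frag": d["frag"] == "1"}


def build_sample_logs() -> List[str]:
    """Constructed sample: two normal pings, a 25-packet burst from one source
    within a single second, one fragmented ICMP packet, and a non-ICMP line."""
    normal = ["2024-05-01T10:00:00Z src=203.0.113.5 proto=icmp type=8 len=84 frag=0"] * 2
    burst = ["2024-05-01T10:00:01Z src=198.51.100.7 proto=icmp type=8 len=1500 frag=0"] * 25
    fragmented = ["2024-05-01T10:00:01Z src=198.51.100.9 proto=icmp type=8 len=1480 frag=1"]
    noise = ["2024-05-01T10:00:01Z src=203.0.113.5 proto=tcp type=0 len=60 frag=0"]
    return normal + burst + fragmented + noise


def analyse(lines: List[str], baseline_pps: int = 20) -> List[Tuple[str, str, str, int]]:
    """Return alerts as (kind, source, second, value).

    'echo_flood'      : a source sent more ICMP echo requests in one second
                        than the baseline allows (ping-flood behaviour).
    'fragmented_icmp' : an ICMP packet arrived in fragments; a default-size
                        ping never fragments, so this is worth flagging as a
                        possible Ping of Death precursor (value = length seen).
    """
    per_src_sec: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[Tuple[str, str, str, int]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "icmp":
            continue
        if rec["frag"]:
            alerts.append(("fragmented_icmp", rec["src"], rec["ts"], rec["len"]))
        if rec["type"] == 8:                       # ICMP echo request
            per_src_sec[(rec["src"], rec["ts"])] += 1
    for (src, ts), count in sorted(per_src_sec.items()):
        if count > baseline_pps:
            alerts.append(("echo_flood", src, ts, count))
    return alerts


if __name__ == "__main__":
    for alert in analyse(build_sample_logs()):
        print(alert)
```

On a real network the baseline should come from observed traffic rather than a constant, and the fragmented-ICMP rule should be tuned to whatever large-ping diagnostics the environment legitimately uses.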
Impact of Ping of Death (PoD) DDoS Attacks
PoD is an older DDoS attack, and many systems have since been updated and patched to prevent these types of attacks. Additionally, websites often block ICMP ping messages in order to stop current and future variations of PoD attacks.
However, PoD DDoS attacks can still impact unpatched systems, and new vulnerabilities continue to be discovered. Organizations’ defenses can also weaken over time, for example when malicious content lands on a computer, server, or network, leaving them vulnerable to the threat.
Vulnerabilities related to how IP fragmentation is handled also persist and create risks. These include:
- Protocol design flaws that enable fragmentation manipulation attacks such as PoD.
- Embedded systems and IoT devices that lack fragmentation handling protections.
- Legacy firewalls that don’t have deep packet inspection and fail to detect PoD attacks.
- Use of IPv6 that reopens fragmentation and reassembly vulnerabilities unless proactively addressed by vendors.
PoD Attacks on Cloud Environments
With the rise of cloud adoption and virtualization, PoD DDoS attacks have evolved to take advantage of these environments. Today, Ping of Death attacks target:
- Hypervisors, sending malformed pings that can disrupt and completely interrupt multiple hosted virtual machines (VMs)
- VM boundaries, crafting ping packets that exploit weaknesses at the boundary between VMs and then reaching adjacent VMs through a compromised hypervisor
- Cloud instances, flooding them with high volumes of ping packets and consuming resources
- Cloud-based network infrastructure, saturating these components with high traffic volumes that can consume internal bandwidth
Mitigating and Defending Against Ping of Death (PoD) DDoS Attacks
Despite being one of the oldest forms of DDoS attacks, the persistence and evolution of PoD DDoS attacks underlines the need to remain vigilant. To defend against PoD attacks, organizations should use a combination of best practices and technology, including:
- Reduce Fragmentation. Adjust the Maximum Transmission Unit (MTU) on networks to reduce the need for fragmentation. Attackers rely on fragmentation to hide the packet sizes.
- Validate Packet Size. Perform checks on packet sizes during reassembly to prevent buffer overflow or errors when the fragments exceed limits. Drop oversized packets to mitigate the risk.
- Filter traffic. Filter fragmented ping requests from reaching any device in the network and only process unfragmented ping requests.
- Set rate limits for incoming traffic. Security teams can also mitigate ping flood attacks by setting rate limits for processing incoming ICMP messages or limiting the allowed size of the ping requests.
- Adjust reassembly. Review the reassembly process and add checks to make sure the maximum packet size constraint will not be exceeded after packet recombination.
- Use a buffer. Enhance your ability to take on large packets with an overflow buffer with enough space to handle packets which exceed the maximum guidelines.
- Patch Systems. Make sure operating systems and network devices are up to date with patches that implement better packet reassembly and fragmentation handling.
- Proactively monitor traffic. Know your baseline traffic patterns and continuously monitor for anomalous behavior that could indicate a Ping of Death attack.
- Use IDS/IPS technology. Detect abnormal fragmentation and block oversized ICMP packets with IDS/IPS tools. Signatures can identify Ping of Death and other fragmentation exploits.
- Add firewall rules. Set the firewall to detect and block incoming ICMP packets to prevent pings from reaching vulnerable systems. However, this is not ideal as it will also block legitimate troubleshooting pings.
- Use a DDoS protection platform. The most comprehensive way to mitigate DDoS attacks, including PoD DDoS attacks, is with DDoS protection. The best solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on threats including data leakage, ransom attacks, and other threats to your operations.
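The “Filter traffic”, “Validate Packet Size” and “Set rate limits” items above can be expressed as one inbound policy for ICMP echo requests: drop fragmented echo requests outright, drop echo requests over a size cap, and rate-limit what remains per source with a token bucket. The following is an added example written for this page rather than a rule set from any particular firewall or vendor product; the rate of 5 packets per second with a burst of 10, the 1,500-byte cap and the sample addresses are assumptions chosen for illustration.

```python
# Added example (not from the original post): an inbound ICMP echo policy
# combining fragment filtering, a size cap and per-source rate limiting.
# Rates, sizes and addresses below are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TokenBucket:
    rate: float          # tokens refilled per second
    burst: int           # maximum tokens held (allowed burst size)
    tokens: float = 0.0
    last: float = 0.0    # time of the previous refill

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class IcmpEchoPolicy:
    """Decides accept/drop for each inbound ICMP echo request.

    Order matters: fragment and size checks are stateless and run first, so
    oversized or fragmented traffic never consumes a source's rate budget."""

    def __init__(self, rate_pps: float = 5.0, burst: int = 10, max_len: int = 1500) -> None:
        self.rate_pps, self.burst, self.max_len = rate_pps, burst, max_len
        self.buckets: Dict[str, TokenBucket] = {}

    def decide(self, src: str, length: int, fragmented: bool, now: float) -> str:
        """Return 'accept' or 'drop:<reason>' for one echo request."""
        if fragmented:                    # only process unfragmented pings
            return "drop:fragmented"
        if length > self.max_len:         # limit the allowed size of ping requests
            return "drop:oversized"
        bucket = self.buckets.get(src)
        if bucket is None:                # a new source starts with a full burst
            bucket = TokenBucket(self.rate_pps, self.burst, tokens=float(self.burst), last=now)
            self.buckets[src] = bucket
        return "accept" if bucket.allow(now) else "drop:rate"


def simulate() -> Dict[str, List[str]]:
    """Constructed traffic: a 12-packet burst at t=0 from one source, 3 more
    from it at t=1, then a fragmented ping and an oversized ping from others."""
    policy = IcmpEchoPolicy(rate_pps=5.0, burst=10, max_len=1500)
    out: Dict[str, List[str]] = {"burst": [], "later": [], "other": []}
    for _ in range(12):
        out["burst"].append(policy.decide("198.51.100.7", 84, False, now=0.0))
    for _ in range(3):
        out["later"].append(policy.decide("198.51.100.7", 84, False, now=1.0))
    out["other"].append(policy.decide("198.51.100.9", 1480, True, now=1.0))
    out["other"].append(policy.decide("203.0.113.5", 9000, False, now=1.0))
    return out


if __name__ == "__main__":
    for name, decisions in simulate().items():
        print(name, decisions)
```

Per-source buckets keep one noisy host from consuming the whole ICMP budget, but on a real deployment the bucket table needs an eviction policy (idle timeout or a bounded size), since a spoofed-source flood would otherwise grow it without limit.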
Conclusion
Ping of Death DDoS attacks have been around for nearly four decades and at this point many devices have built-in protections or have been patched. However, this doesn’t mean organizations can become complacent and think they are protected.
PoD attacks continue to evolve, exploiting new vulnerabilities in Windows systems and Apple devices as well as weaknesses in cloud environments and IoT devices to cause disruptions. Threat actors also incorporate ping packet misuse into other types of attacks.
There are many signs that you may be experiencing a PoD attack, including frozen or crashed systems, network slowdowns, and high CPU or bandwidth utilization. Network monitoring and system log analysis tools can help to confirm your suspicions and home in on the affected devices and systems.
There are also multiple best practices and technologies you can use to defend against PoD DDoS attacks, including reducing the need for fragmentation, validating packet sizes, filtering traffic, assessing the reassembly process, patching systems, using firewalls and IDS/IPS tools, and using a DDoS protection solution.
DDoS protection, coupled with intelligence to stay ahead of emerging threats, provides uninterrupted service availability even in the midst of a Ping of Death DDoS attack and can also protect you from other types of DDoS attacks and the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on DDoS defense in depth.
FAQ
A Ping of Death (PoD) attack is a type of DDoS attack where an attacker overwhelms a network device with ping (ICMP data) packets in an attempt to make the device or service sluggish or crash and make it unavailable to legitimate users and traffic.
An attacker inundates the target device or system by sending multiple ping echo-request packets or packets that exceed the allowable packet size. The requests consume bandwidth and eventually exhaust the targeted device’s resources, causing the device to slow down or stop altogether.
The first known Ping of Death attack was discovered by security researchers in 1996, just as Internet adoption was growing. The attack gained widespread notoriety when it was used to crash machines running Windows 95 and Windows NT operating systems and to disrupt routers and firewalls.
PoD remains a threat because these attacks continue to evolve, exploiting new vulnerabilities in Windows systems and Apple devices as well as weaknesses in cloud environments and IoT devices to cause disruptions. Threat actors also incorporate ping packet abuse into other types of attacks.
There are multiple best practices and technologies you can use to defend against PoD DDoS attacks, including reducing the need for fragmentation, validating packet sizes, filtering traffic, adjusting the reassembly process, patching systems, using IDS/IPS tools, and using a DDoS protection solution.
There are many signs that you may be experiencing a PoD attack, including frozen or crashed systems, network slowdowns, and high CPU or bandwidth utilization. Network monitoring and system log analysis tools can help you confirm your suspicions and home in on the affected devices and systems.