Ping of death

As part of my study of Nmap, I wanted to learn about libdnet, a library used by Nmap. libdnet provides an interface to low-level networking, including transmission of raw packets. I wrote this ping of death program as an exercise.

Ping of death?

The ping of death is an old networking exploit that, I'm told, doesn't work anywhere anymore. It works by using IP fragmentation to create a datagram that's larger than the usual maximum of 65535 bytes. If a receiving system doesn't check the length, it may overflow its receive buffer, possibly leading to a crash and denial of service.

The IP datagram is traditionally an ICMP echo request, or “ping.” This may be because the ping program that came with some Windows versions could perform this attack out of the box. The IP datagram doesn't have to be a ping.

Sources tell me that operating systems have not been vulnerable to this attack since about 1998. Linux was patched in version 2.0.24. Check it out.

See these links:

This ping of death differs from others I've seen in that it attempts to maximally overflow the destination buffer. It does this by sending fragments until their combined length is within 8 of the maximum datagram length (65535), then sending a final fragment whose length is as large as possible (the MTU). The size of the reconstructed datagram is 65508 + MTU.

Does it work?

I don't know. I don't have any vulnerable systems to try it on. I know that when I run it against a Linux 2.6 system, I get a

kernel: Oversized IP packet from xxx.xxx.xxx.xxx.

message in the system log.
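
The length check a receiver needs in order to reject such a datagram, as an added example rather than code from this page's program or from any kernel: each arriving fragment's offset plus length is compared against 65535 before anything is copied into a reassembly buffer. The function name, the verdict enum and the sample headers are constructed for illustration, and the check assumes every fragment carries the same header length as the first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u /* largest value of the 16-bit total-length field */

enum frag_verdict { FRAG_OK = 0, FRAG_MALFORMED = -1, FRAG_OVERSIZED = -2 };

/*
 * Check one IPv4 fragment header (hypothetical helper, not from any kernel).
 * hdr points at the IPv4 header, caplen is the number of bytes available.
 */
enum frag_verdict frag_check(const uint8_t *hdr, size_t caplen)
{
    if (caplen < 20 || (hdr[0] >> 4) != 4)
        return FRAG_MALFORMED;

    uint32_t ihl = (uint32_t)(hdr[0] & 0x0f) * 4;      /* header length, bytes */
    uint32_t tot = ((uint32_t)hdr[2] << 8) | hdr[3];   /* length of this fragment */
    /* 13-bit fragment offset, counted in 8-byte units; top 3 bits are flags */
    uint32_t off = ((((uint32_t)hdr[6] & 0x1f) << 8) | hdr[7]) * 8;

    if (ihl < 20 || ihl > caplen || tot < ihl)
        return FRAG_MALFORMED;

    /* Reassembled size = header + offset + payload = off + tot.
     * 32-bit math cannot wrap here: the maximum is 65528 + 65535. */
    if (off + tot > IP_MAX_DATAGRAM)
        return FRAG_OVERSIZED;
    return FRAG_OK;
}

int main(void)
{
    /* Constructed headers: version/IHL, TOS, total length, id, flags+offset, ... */
    const uint8_t fits[20]  = {0x45, 0, 0x00, 0x17, 0, 1, 0x1f, 0xfd, 64, 1};
    const uint8_t spill[20] = {0x45, 0, 0x05, 0xdc, 0, 1, 0x1f, 0xfd, 64, 1};

    printf("offset 65512, length 23:   %d\n", frag_check(fits, sizeof fits));
    printf("offset 65512, length 1500: %d\n", frag_check(spill, sizeof spill));
    return 0;
}
```

The check runs on every fragment as it arrives, so an oversized final fragment is dropped before any of its bytes reach the reassembly buffer.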

Download

The program is under Bazaar revision control. To get a copy, do

bzr get http://www.bamsoftware.com/bzr/ping-of-death
