Ping of death

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search


The ping of death is a Denial of Service attack that uses the restrictions of the ICMP Packets. The Ping of death gets performed by sending a malformed ICMP packet, which is bigger than the allowed maximum transmission unit (MTU), to the victim. As soon as the victim starts to unpack the packet it would cause and buffer overflow, because it is designed to process packets with a MTU and is unable to process bigger payload. This bug affected systems which run the Unix, Linux, Windows and Mac operating systems and often resulted in a system crash.

The bug got patched on most devices back in the nineties but it surfaced again in 2013 on the Windows Server 2013 operating system. At the same time, it got public that many windows-based devices are affected by the ICMPv6 based Ping of Death. But the vulnerability got patched during the patch days in August 2013.

Maximum Transmission Unit

The Maximum transmission unit (MTU) got defined in September 1981 by the Internet Task Force (IETF) and got documented in the RFC791. The Internet Protocol specification defines a MTU size of or 65.535 bytes. The IP Header itself needs 20 Bytes with Source and Destination Address, IP version and some more header fields. The encapsulated ICMP Header defined in RFC792 is 8 Bytes long. It consists of the ICMP Type, Code and Checksum field. The code field gets used to send status codes like “host unreachable”. Due to the 28 Byte header size needs the ICMP Payload to be bigger than 65.507 Bytes to perform a ping of death.

Send a ICMP packet command line

Windows Command line or Power Shell:

 ping <IP Address> -t –l 65500 

 “-t” sends the ICMP packet periodically until the command gets stopped by user input. 
 “-l” defines the size of the payload that’s being sent. 

Linux Terminal:

 ping <IP Address> -s 65507 
 “-s” defines the size of the payload that’s being sent. 

Today it isn’t possible anymore to build a ping of death in the command line neither in Linux distributions nor in Windows because the shells only allow a payload size of 65507 Bytes that doesn’t build a Packet larger than 65535 bytes when adding the 28 Byte large ICMP header.