
Thread: Ping of Death

  1. #1
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752

    Ping of Death

    During the last month, I have been the recipient of several attacks to my IP addy. None have succeeded, by the way.

    They have been 'The Ping of Death'

    From my D-Link DI-514 logs:
    Oct/21/2004 18:10:04 Ping of Death Detect 192.168.1.19:1607 4.29.212.228:445 Packet Dropped
    I am on Verizon DSL and this latest attack came when no one was even on the internet. The only connection was the gateway and the router. All three boxes were off at the time (although that is irrelevant as they don't get past the router anyway.)

    For those of you who haven't heard of 'The Ping of Death', here are some explanations:
    http://www.insecure.org/sploits/ping-o-death.html
    Description: gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)
    Author: The page included was created by Malachi Kenney. The programs have attribution.
    Compromise: Stupid DOS
    Vulnerable Systems: I have heard that NT and 95 can actually lock up hard from the programs below. Also, early 2.0.x Linux, Solaris x86, and Macintosh systems are often vulnerable.
    Date: 21 October 1996 was when this page came up.
    Notes: The Ping O' Death page is included first, then comes BSD source code, then comes a version of the above which is modified to compile on Linux 2.X. I also appended jolt.c, which IP spoofs too. Woop!
    Also from the same source:
    In a nutshell, it is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a
    remote machine. This is a serious problem, mainly because this can be reproduced very easily, and from a remote machine. (During tests, my
    machine in London, England has been crashed from a machine in Berkeley, California), and because the attacker needs to know nothing about
    the machine other than its IP address. Be afraid. Since I started this page on the 21st October, over 18 major operating systems have
    been found vulnerable.

    It's very easy to exploit - basically, some systems don't like being pinged with a packet greater than 65536 bytes (as opposed to the
    default 64 bytes). This bug is not limited to Unix, but is popping up on Macs, Netware, Printers, Routers... the list goes on. Patches are
    coming out extremely fast - the award did go to the Linux community for getting a patch out within three hours (well, 2 hours 35 minutes 10
    seconds if you must know), but Bill Webb from Telebit assures me that the Netblazer patch was out within two! OK, OK, you can share the
    prize money... :-)

    An IP datagram of 65536 bytes is illegal, but possible to create owing to the way the packet is fragmented (broken into chunks for
    transmission). When the fragments are reassembled at the other end into a complete packet, it overflows the buffer on some systems, causing
    (variously) a reboot, panic, hang, and sometimes even having no effect at all...

    Most implementations of ping won't allow an invalid datagram like this to be sent. Among the exceptions are Windows '95 and NT, although
    they are certainly not the only ones...
    The article goes on to explain why just blocking this at the firewall is not the best solution, and what systems are susceptible to this form of attack.

    Well worth the read.

    (excuse any spelling mistakes......I still can not get the spelling checker to work)
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  2. #2
    Senior Member PacketThirst's Avatar
    Join Date
    Aug 2004
    Posts
    258
    I thought the so-called "Ping Of Death" isn't of any good now and the only systems vulnerable
    to this are the ones that time warped from the early 90's!! Any high profile vulnerability is
    sure to be completely fixed after some time (Well...almost!).

    If I'm wrong, please do correct me folks.


    PaCketthirst

  3. #3
    I would have to jump to the conclusion that some skiddieot found a ping of death program and decided to try it out.

  4. #4
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    P.O.D.

    Now that’s one I haven’t heard in eons. But, obviously some skidettee was able to slip them through DSL as we see with Mox’s Logs. I distinctly remember some scrimmages that transpired between a few folks years ago. Scripts were written to try to respond in retaliation if we received the "Ping of Death". They seldom worked because the ole P60 with win95 would immediately dive into a stupor if one were received. The poor ISPs became rabid because of the complaints and they became targets as well. So they started blocking them at their level and dumping the accounts of the offenders.

    Since I'm on DSL, better check my logs
    Connection refused, try again later.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Was there actually a point to this post beyond telling people you got hit with it?
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  6. #6
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Originally posted here by chsh
    Was there actually a point to this post beyond telling people you got hit with it?
    Actually yes.......to get you off your lazy ass, and maybe get some discussions going, but I guess you are just feeling too high and mighty to participate in such, eh chsh.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by moxnix
    Actually yes.......to get you off your lazy ass, and maybe get some discussions going, but I guess you are just feeling too high and mighty to participate in such, eh chsh.
    Yep, I am too high and mighty to participate, which is precisely why I asked what the purpose of your post was.

    At any rate, why discuss something that belongs in the history books in terms of affected OSes? This is on par with discussing code red hits. It's Internet background noise -- get used to it, or get off the Internet.

    Oh, and by the way, this belongs in Network Security Discussions.
    Chris Shepherd

  8. #8
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Originally posted here by chsh
    Yep, I am too high and mighty to participate, which is precisely why I asked what the purpose of your post was.
    Yes I understand completely.
    Originally posted here by chsh
    At any rate, why discuss something that belongs in the history books in terms of affected OSes? This is on par with discussing code red hits. It's Internet background noise -- get used to it, or get off the Internet.
    Strange, I know of ten members just off the top of my head that run some of those ancient OS's that are only found in the history books. Not everybody can afford (or wants to) to run bleeding edge technology. Perhaps even if it is not of interest to you, it might be for them. But you have that covered in the first part.
    Originally posted here by chsh
    Oh, and by the way, this belongs in Network Security Discussions.
    You must not have read the article referenced. It also affects some hardware and firmware, but true it actually could go into several different forums, I just picked the one that seemed to cover the whole concept. Your opinion has been noted, for whatever that is worth.

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by moxnix
    Strange, I know of ten members just off the top of my head that run some of those ancient OS's that are only found in the history books. Not everybody can afford (or wants to) to run bleeding edge technology. Perhaps even if it is not of interest to you, it might be for them. But you have that covered in the first part.
    I was running an old OS up until last week, and oddly enough, it was unaffected by this. There are ten AO members out there using unpatched Ping-Of-Death-able OSes? I suggest that perhaps you do some directed education of these people then, so they can be brought up to at least six years ago in terms of security.
    Chris Shepherd

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Chris:

    There are ten AO members out there using unpatched Ping-Of-Death-able OSes?
    Yes, but we don't connect them to the internet so it doesn't matter.

    I think the point of the thread is that the POD is so old it should be extinct, so what is really going on?

    I vaguely remember the POD from about the mid-1990's? AFAIK it would run on Win 3.11 (some), Win95, NT3.51 and NT4 (I think it got fixed with SP3).

    Anyway, I don't see many people going on the net with the first three of those and if you are running NT4, you should be at SP6a. My point is that there shouldn't be any targets left. That is why I am not entirely convinced by the skiddie theory, if they don't get any results they will get bored and find something else to do?

    I will take a wild guess, and suggest that Mox's router is being too sensitive. I believe that it may be detecting fragmented packets and giving a false positive for POD.

    I have heard that Win XP fragments packets for whatever reason and that this can cause problems with some routers.

    Also there are all these chat and P2P things going around looking for people to chat with, or music to share.

    No idea how to do it, but it would be interesting to send a fragmented packet to the router, smaller than that required for a POD, and see what the reaction is?

    There does seem to be something going on; maybe it is just the router overreacting, but why all of a sudden?
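
Added example, not part of any post in this thread: the article quoted in post #1 says an oversized datagram only arises through fragmentation, and post #10 asks whether a router might flag ordinary fragments as a Ping of Death. The Python sketch below shows the arithmetic that separates the two cases, using constructed sample headers with documentation addresses and hypothetical function names; it is not how the D-Link firmware is known to decide.

```python
import struct

MAX_IP_DATAGRAM = 65535  # largest legal IPv4 datagram, in octets

def sample_header(total_len, offset_units, more_fragments):
    """Constructed sample: 20-byte IPv4/ICMP header, checksum left at 0."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                       flags_frag, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def classify_fragment(header):
    """Return 'not-fragment', 'fragment-ok' or 'oversize' for one IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("invalid header length or total length")
    offset = (flags_frag & 0x1FFF) * 8   # the field counts 8-octet units
    more = bool(flags_frag & 0x2000)     # More Fragments flag
    if offset == 0 and not more:
        return "not-fragment"
    payload = total_len - ihl
    # Where this fragment would end in the reassembled datagram, header included.
    reassembled_end = ihl + offset + payload
    return "oversize" if reassembled_end > MAX_IP_DATAGRAM else "fragment-ok"

# Constructed inputs (not taken from the router log in post #1).
SAMPLES = {
    "plain ping": sample_header(84, 0, False),
    "ordinary fragment": sample_header(1500, 185, True),
    "largest legal tail": sample_header(23, 8189, False),
    "oversize tail": sample_header(1500, 8189, False),
}

def triage(samples=SAMPLES):
    """Classify every sample header; returns {name: verdict}."""
    return {name: classify_fragment(hdr) for name, hdr in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:20s} {verdict}")
```

Only the last sample is a datagram that would exceed 65535 octets after reassembly; a detector that alerts on the "ordinary fragment" case as well would produce the kind of false positive post #10 suspects.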
