Tuesday, December 15, 2009

Return of the Ping of Death

An old exploit recently made a return to the Linux kernel. Send a large enough ICMP packet to a vulnerable system and it crashes, causing a denial of service. The exploit, known as the Ping of Death, works because an IP datagram, and so the ICMP message it carries, can be at most 65535 bytes: the total-length field in the IP header is 16 bits wide. A larger packet can still be sent if it is fragmented, because each fragment carries its own offset (in 8-byte units) and its own length, and nothing stops a sender from placing the last fragment so that offset plus length exceeds 65535. The receiving system reassembles the fragments on arrival and, if it does not check that sum, the reassembled datagram is bigger than the buffer allocated to hold it, overflowing the buffer and possibly crashing the system.
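To make the arithmetic above concrete, here is an added example (not code from the original post or from any kernel) that models the fragment offset and length fields of IPv4, splits an oversize ICMP echo request into the fragments a sender would emit, and shows the check a reassembler needs. The 20-byte header length, the 1500-byte MTU and the 65510-byte ping payload (the size the classic attack used, giving 65518 bytes of ICMP data once the 8-byte ICMP header is added) are assumptions chosen for the illustration; the limits themselves come from the IPv4 header layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits fixed by the IPv4 header layout (RFC 791). */
#define IP_MAX_DATAGRAM 65535u   /* 16-bit total-length field, header included */
#define IP_OFFMASK      0x1FFFu  /* 13-bit fragment offset, counted in 8-byte units */
#define IP_MF           0x2000u  /* "more fragments" flag */
#define IP_HDR_LEN      20u      /* header without options: an assumption of this model */

/* What a reassembler learns from one fragment's IP header (constructed model). */
struct frag {
    uint16_t off_field;    /* flags | 13-bit offset, as carried on the wire */
    uint16_t payload_len;  /* bytes of data following the IP header */
};

/* First byte of the reassembled payload that this fragment writes. */
static uint32_t frag_start(const struct frag *f) {
    return (uint32_t)(f->off_field & IP_OFFMASK) * 8u;
}

/* One past the last payload byte that this fragment writes. */
static uint32_t frag_end(const struct frag *f) {
    return frag_start(f) + f->payload_len;
}

/* Size the whole datagram will have once reassembled: header plus the
   furthest payload byte this fragment reaches. */
static uint32_t reassembled_len(const struct frag *f) {
    return IP_HDR_LEN + frag_end(f);
}

/* The check a vulnerable reassembler lacks: the fragment is only safe to copy
   if the datagram it completes still fits what the total-length field can describe. */
static bool frag_fits(const struct frag *f) {
    return reassembled_len(f) <= IP_MAX_DATAGRAM;
}

/* A naive reassembler modelled as arithmetic: how many bytes would spill past a
   65535-byte reassembly buffer if the fragment were copied without the check.
   It computes the overrun rather than performing it. */
static uint32_t naive_overrun(const struct frag *f) {
    uint32_t len = reassembled_len(f);
    return len > IP_MAX_DATAGRAM ? len - IP_MAX_DATAGRAM : 0u;
}

/* Hardened copy step: rejects an oversize fragment and returns -1, otherwise
   copies the data into place and returns the number of bytes copied. */
static int reassemble_fragment(uint8_t *buf, size_t bufsize,
                               const struct frag *f, const uint8_t *data) {
    if (!frag_fits(f)) return -1;                         /* a Ping of Death lands here */
    if (IP_HDR_LEN + frag_end(f) > bufsize) return -1;    /* buffer smaller than 64K */
    memcpy(buf + IP_HDR_LEN + frag_start(f), data, f->payload_len);
    return (int)f->payload_len;
}

/* Split 'icmp_len' bytes of ICMP data (ICMP header included) into the fragments
   a sender with the given MTU would emit. Returns the fragment count and leaves
   the final fragment, the one that decides the reassembled size, in *last. */
static size_t split_datagram(uint32_t icmp_len, uint32_t mtu, struct frag *last) {
    uint32_t per_frag = (mtu - IP_HDR_LEN) & ~7u;  /* payload per fragment: a multiple of 8 */
    uint32_t off = 0;
    size_t count = 0;
    struct frag f = {0, 0};
    while (off < icmp_len) {
        uint32_t n = icmp_len - off < per_frag ? icmp_len - off : per_frag;
        f.off_field = (uint16_t)(off / 8u);
        if (off + n < icmp_len) f.off_field |= IP_MF;   /* not the last fragment */
        f.payload_len = (uint16_t)n;
        off += n;
        count++;
    }
    *last = f;
    return count;
}

int main(void) {
    struct frag last;
    /* "ping -l 65510": 65510 data bytes + 8-byte ICMP header, over a 1500-byte MTU. */
    size_t n = split_datagram(65510u + 8u, 1500u, &last);
    printf("%zu fragments; last fragment at offset %u with %u bytes\n",
           n, frag_start(&last), last.payload_len);
    printf("reassembled datagram: %u bytes, overrun past 64K: %u, accepted: %s\n",
           reassembled_len(&last), naive_overrun(&last), frag_fits(&last) ? "yes" : "no");
    return 0;
}
```

With these assumptions the last of the 45 fragments starts at byte 65120 and carries 398 bytes, so the reassembled datagram would be 65538 bytes: three bytes past what the header can describe, and three bytes past a 64K reassembly buffer. That small overrun is exactly what the original attack relied on. Shrink the ICMP data to 65515 bytes and the same code reassembles a legal 65535-byte datagram, which is why the check has to be on the sum of offset and length and not on the size of any single fragment.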

The attack first appeared in the 1990s. It was particularly effective because firewalls of the time commonly let ICMP through, and spoofing the source IP address (to an address the firewall trusted, for instance) both got the packets past address-based filtering and hid where they came from.

Back then there were plenty of exploits that worked with ICMP. Using a broadcast address for either the source or the destination was a particularly good way of causing a denial of service simply by generating large amounts of traffic: one echo request sent to a broadcast address, with its source spoofed to the victim, drew a reply from every host on that subnet. As internet access was typically dial-up at around 56 kbps and corporate wide area networks weren't much faster, a lot of damage could be done.

In theory these kinds of exploit, known as Smurf attacks, can't really happen any more, as systems are configured not to respond to broadcast echo requests (on Linux the sysctl net.ipv4.icmp_echo_ignore_broadcasts, set to 1 by default) and routers are set not to forward packets directed to a broadcast address (no ip directed-broadcast on Cisco IOS, the default since IOS 12.0, as RFC 2644 recommends). For old times' sake, I gave my systems a test using hping and found this to be the case.
