Ping of Death

From: rick0697@hugin.imat.com (Rick Moen)
Newsgroups: sfpcug.general
Subject: An easy way to crash Microsoft operarting systems
Date: 3 Jul 1997 20:03:33 GMT
Organization: If you lived here, you'd be $HOME already
X-Newsreader: TIN [UNIX 1.3 unoff BETA release 961214]

While I'm at it:

You-all are probably aware of the TCP/IP "ping" protocol (ICMP Echo), used to determine if a remote machine is reachable, if only because a certain self-described computer expert regularly give members the criminally negligent advice to hammer with "pings" any Internet destination address you're having difficulty reaching. (Thanks, Jeff. You've just worsened the problem by adding a "ping storm".)

OK, here's a neat parlour trick for you: Open your Win95 "command prompt" session (MS-DOS 7.0), and type "ping -l 65510 -s 1 hostname.domain.com"[1], where "hostname.domain.com" is an Internet DNS domain name. If the remote host is a Windows 95 or Windows NT host, it'll probably immediately crash hard, no matter where in the world it is, and no matter where you are[2].

This effect is called the "Ping of Death", and was noticed in mid-'96. It involves sending oversized ping packets, thereby overrunning buffers.

Don't bother attacking the club's Linux machines (or mine, or Richard Couture's, or The CoffeeNet's): An easy fix was made available for Linux within two hours of the discovery. Don't bother with my OS/2 box, either, since OS/2 was never vulnerable. Ditto for NetWare 3.12 and above.

Microsoft OSes, on the other hand... oh, dear.

What brought this to my attention was getting the two most recent service packs for WinNT — about 35 megabytes total, by the way. I noticed an extra directory for "hotfixes", and retrieved everything in them. (These are extremely new patches that didn't make it into the latest service pack.) To my astonishment, they've finally started making available a patch that addresses Ping of Death (though they carefully avoid using that term — and the patch itself is extremely low-profile.) Only about a year late, you will note!

Those of you running NT 4.0 (server or workstation) may want to try the latest "hotfix" patches[3] — and consider the merits of a company that leaves this serious problem totally unaddressed for a full year (and then buries the fix so deep it's almost unnoticeable), while its freeware competition nonchalantly fixed it in two hours.

Win 95 is reportedly still vulnerable — after two service releases. FYI, Trumpet Winsock is not vulnerable in recent releases.


[1] use 65,510-byte "ping" packets. Normal packets are 64 bytes. Maximum size supported by Win95's ping is 65527 bytes.

[2] Unless it's located behind a firewall gateway that doesn't admit "ping" traffic, and you're on the outside. In this case, the machine is still vulnerable, but you can't get at it. On the other hand, if the firewall itself runs on WinNT — a serious error committed by some inexperienced companies — you can crash the firewall using Ping of Death, cutting off that entire company from the Net.

[3] Of course, ICMP Echo (ping) isn't the end of the problem: It's any service that can overflow an operating system's packet buffers: http (World-Wide Web) access, file and print access, remote login, etc. It's unknown whether MS's hotfix addresses the underlying problem, or even whether it works at all.

--
Cheers,
Rick Moen "vi is my shepherd; I shall not font."
rick (at) hugin.imat.com -- Psalm 0.1 beta