Preventing a Solaris 'Ping of Death' attack

The Ping of Death attack, first seen in 1996, is achieved using the Internet control message protocol, or ICMP (hence the name "Ping of Death").

Normally IP packets are 65535 bytes large, which includes the header length (assuming that no options are set). A typical ICMP echo-request consists of eight bytes of ICMP header information (as per RFC-792) followed by the number of data octets in the echo-request.This means that the maximum allowable size for the ICMP data is 65507 bytes (maximum IP packet size minus the size of both the IP and ICMP headers). It is possible, however, to craft ICMP echo-request packets with data payloads bigger that 65507 bytes by using IP fragmentation to break up the payload. Fragmentation relies on the offset value in the IP header of each fragment to determine where the individual fragment goes. Since most systems do not process a packet until all fragments have been received, it is possible to overflow a 16-bit internal variable by sending a valid offset with a suitable fragment size in the final fragment such that the offset value added to the fragment size creates a packet greater than 65535 bytes in length. Systems which then reassemble this packet may panic and crash, reboot, or freeze up.

For external protection, the Ping of Death is easily countered by blocking inbound ICMP traffic at the border routers of the network. For the internal network, the only real solution is to stay current on operating system patches. Solaris 2.4, 2.5, and 2.5.1 are apparently the only versions of Solaris susceptible to Ping of Death attacks.The patches for Solaris 2.4, 2.5, and 2.5.1 that were released in response to this exploit install new drivers for IP that reject oversized ICMP packets. If an attacker tries to use this today, the kernel simply throws away the ICMP echo-request packets that are oversized. Table 1 below lists the Solaris patches available for the Ping of Death attack.

Table 1 — Solaris Patches Available for the Ping of Death attack
Solaris Version Patch ID
SunOS 5.4 103630-09
SunOS 5.4 x86 103631-09
SunOS 5.5 103169-12
SunOS 5.5 x86 103170-12
SunOS 5.5.1 101945-51
SunOS 5.5.1 x86 101946-45

Note: While most people associate the Ping of Death attack with ICMP echo-request packets, it is also quite possible to craft similar attacks using TCP, UDP, and even IPX.