Denial of Service - Then and Now

Posted by Janani Kehelwala on August 17, 2018

Perhaps the simplest way to understand Denial of Service (DoS) is the Ping of Death attack. After that, we discuss contemporary attacks that resemble Ping of Death, followed by other attacks that misuse the protocol stack to conduct DoS.

What is Ping of Death?

Ping of Death is a denial of service attack that uses IP fragmentation to send an oversized IP packet in smaller fragments. Upon reassembly at the end point, such a packet causes a buffer overflow and thereby system crashes, reboots or hangs, depending on the operating system and version in use.

An IP header has a 16-bit length field, which can take a value of up to 65535 (2^16 − 1). This limits the length an IP packet can have to 65536 bytes. Since Data Link Layer limits require IP packets to be fragmented, the IP header also has a 13-bit fragment offset field, which can take a value of up to 8191 (2^13 − 1). The offset is counted in units of 8 bytes (2^16/2^13), so the offset field can address a total length of 65536 bytes. The largest offset, 65528 bytes, leaves only 8 bytes for the final fragment, yet an IP header alone is 20 bytes and a fragment can carry far more than 8 bytes of payload. In regular use this last offset is never reached, but an attacker can use it to make the reassembled IP packet larger than 65536 bytes. Since such a large packet violates the RFC specification, historic systems did not expect it and were not designed to handle it [1]. Therefore, such packets caused buffer overflows with the outcomes mentioned above.

The attack could be carried out with nothing more than the target's IP address or domain name, and the attacker's identity can easily be spoofed. An attacker could simply set the length parameter of the “ping” utility to conduct this attack [2, 3].

Note that this attack is possible with any protocol that sends IP datagrams, which includes all transport layer protocols such as TCP, UDP, etc. Upon receiving a fragmented IP packet, the receiver checks the “more fragments” flag, waits for the following fragments and reassembles the complete packet before handing it to the higher protocol layer. Since the crash is triggered by reassembly itself, the integrity of the enclosed payload does not matter at all. Therefore, the attack is not exclusive to ICMP packets.

Countermeasures?

Validation could be added to the reassembly process, checking that the “Fragment Offset” and “Total Length” header values fall within reasonable bounds. If this cannot be implemented at a legacy end node, it can be delegated to a firewall placed in the network path. A packet that fails validation during reassembly is discarded [4].

Longer reassembly buffers could also be allocated to withstand a maximum-length final fragment at the maximum offset, but this would violate the RFC specification.
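The validation described above, as an added example that is not part of the original post: a small IPv4 fragment checker and reassembler that rejects any fragment whose offset plus payload would push the datagram past 65535 bytes, so an oversized final fragment is dropped before it reaches a fixed-size buffer. It goes slightly beyond the post's own check by also refusing overlapping fragments, the Teardrop case mentioned later on this page. The packets are constructed with `make_fragment` (a helper written for this example, using documentation-range addresses and zero payload); the field layout follows RFC 791.

```python
import struct

IPV4_MAX_DATAGRAM = 65535   # Total Length is a 16-bit field, so 2^16 - 1 bytes is the ceiling
MIN_HEADER = 20


def make_fragment(offset_bytes, more_fragments, payload_len, ident=0x1234):
    """Build a constructed (not captured) IPv4 fragment: a 20-byte header plus zero payload."""
    flags_frag = (0x2000 if more_fragments else 0) | ((offset_bytes // 8) & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                      # version 4, IHL 5 words (20 bytes)
        0,                         # type of service
        MIN_HEADER + payload_len,  # total length of this fragment
        ident,                     # identification shared by all fragments of one datagram
        flags_frag,                # flags (MF) and 13-bit fragment offset in 8-byte units
        64,                        # TTL
        1,                         # protocol: ICMP (the attack works with any protocol)
        0,                         # header checksum, not verified in this example
        bytes([192, 0, 2, 1]),     # source, documentation range
        bytes([192, 0, 2, 2]),     # destination, documentation range
    )
    return header + b"\x00" * payload_len


def parse_fragment(packet):
    """Extract the header fields that matter for reassembly checks."""
    if len(packet) < MIN_HEADER:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_length, ident, flags_frag, _, _, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:MIN_HEADER])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident,
        "ihl": ihl,
        "total_length": total_length,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload_len": total_length - ihl,
    }


def check_fragment(packet):
    """Bounds-check one fragment before it is allowed near the reassembly buffer.

    Returns (accepted, reason)."""
    f = parse_fragment(packet)
    if f["ihl"] < MIN_HEADER or f["total_length"] < f["ihl"]:
        return False, "header length inconsistent with total length"
    if f["total_length"] != len(packet):
        return False, "total length does not match the bytes received"
    end = f["offset"] + f["payload_len"]
    if end > IPV4_MAX_DATAGRAM:
        return False, "fragment ends at byte %d, past the 65535-byte maximum" % end
    if f["more_fragments"] and f["payload_len"] % 8:
        return False, "non-final fragment payload must be a multiple of 8 bytes"
    return True, "ok"


class Reassembler:
    """Collects the fragments of one datagram, rejecting oversized or overlapping pieces."""

    def __init__(self):
        self.ranges = []                            # (start, end) byte ranges already stored
        self.buffer = bytearray(IPV4_MAX_DATAGRAM)  # fixed-size buffer; nothing may exceed it
        self.total = None                           # known once the last fragment (MF=0) arrives

    def add(self, packet):
        ok, reason = check_fragment(packet)
        if not ok:
            return False, reason
        f = parse_fragment(packet)
        start, end = f["offset"], f["offset"] + f["payload_len"]
        for s, e in self.ranges:
            if start < e and s < end:             # Teardrop-style overlap: drop, never merge
                return False, "fragment [%d,%d) overlaps [%d,%d)" % (start, end, s, e)
        self.buffer[start:end] = packet[f["ihl"]:f["total_length"]]
        self.ranges.append((start, end))
        if not f["more_fragments"]:
            self.total = end
        return True, "accepted"


if __name__ == "__main__":
    print(check_fragment(make_fragment(0, True, 1480)))       # ordinary first fragment
    print(check_fragment(make_fragment(65528, False, 100)))   # final fragment at the maximum offset
```

The second call is the Ping of Death shape: offset 65528 plus a 100-byte payload ends at byte 65628, so the checker refuses it before any memory is touched. A real stack would key the `Reassembler` by (source, destination, identification, protocol) and expire it on a timer; that bookkeeping is left out here.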

Current Relevance

Devices created after 1998 are released with patches against this type of attack [4]. Furthermore, incoming ICMP packets from external networks are commonly blocked for security reasons. Even where they are allowed, firewalls are configured to validate packets before passing them on. This is especially useful for legacy systems that cannot be patched or upgraded for various reasons.

However, even though it is obsolete in its original form, several attacks in the present threat landscape resemble it.

The Bluesmack attack, discovered in the mid 2000s, abuses a packet in the L2CAP layer of the Bluetooth protocol stack that is similar to an ICMP echo and is commonly used to measure round-trip times and check connectivity. As with Ping of Death (PoD), an oversized packet of this kind can cause a Bluetooth-enabled device to malfunction.

An attack called “INVITE of death”, discovered in 2009, sent malformed “INVITE” request packets to the telephony server used in Voice over IP systems, which could cause the server to crash. Messages other than “INVITE”, such as spoofed UDP packets, could also be used to conduct this attack, much like PoD.

In 2013, a Ping of Death for IPv6 was discovered that abused how the Windows TCP/IP stack allocated memory while processing crafted ICMPv6 packets. The attack could cause the target system to stop responding until it was restarted; the vulnerability was promptly patched by Microsoft [5]. These attacks bear a strong resemblance to the Ping of Death attack.

More generally, the Slowloris attack saturates the allowed TCP connections by sending HTTP headers slowly on each established connection to keep it open, denying service to legitimate clients.

HTTP floods use HTTP GET or POST requests to conduct the attack, consuming the maximum resources possible per TCP connection.

DNS floods exhaust DNS server resources by sending large numbers of UDP packets, so legitimate queries go unanswered. DNS amplification attacks send queries with a spoofed source address to many DNS servers, producing a large number of DNS responses at the target host and overwhelming it [6, 7]. These attacks are still common today because these protocols are crucial to networks; unlike ICMP, they cannot be disabled.

Other attacks that abuse the protocol stack

In general, a large number of attacks abuse the protocol stack to cause denial of service. Mitigations for these attacks are more or less well established in current systems, and services such as Cloudflare are also used to mitigate most of them. Some of these attacks are discussed below.

The Teardrop attack sent packet fragments with overlapping offsets, causing unsuspecting protocol implementations to crash. ICMP Smurf and UDP Fraggle attacks abuse the broadcast address in local networks to deliver a large number of response packets to a target address, which is spoofed as the source of the broadcast packet. The LAND attack uses a TCP SYN packet spoofed with the target address as both source and destination, causing the machine to reply to itself [6, 7].

Ping flooding overwhelms the target with a large volume of ping packets. UDP floods use packets spoofed with different port numbers, making the system consume resources trying to match random ports to UDP services. SYN flooding takes advantage of the limited buffer that holds 3-way handshakes until connection establishment: the buffer is saturated with incomplete connections and legitimate clients are denied service [6, 7]. SYN cookies can mitigate this attack.
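To show why SYN cookies remove the half-open buffer that SYN flooding fills, here is an added example (not part of the original post, and a simplified scheme rather than any particular kernel's exact bit layout): the server's initial sequence number is computed from a keyed hash of the connection 4-tuple, a coarse time counter and the client's ISN, with the chosen MSS encoded in two bits. Nothing is stored when the SYN arrives; the final ACK is validated by recomputing the hash. The secret, addresses, ports and counter values are constructed for the example.

```python
import hashlib
import hmac
import struct

# MSS values the cookie can encode; the index occupies MSS_BITS of the ISN.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 2, 25
HASH_MASK = (1 << HASH_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def _keyed_hash(secret, src, dst, sport, dport, counter):
    """Keyed hash binding the cookie to the 4-tuple and a coarse (5-bit) time counter."""
    msg = struct.pack("!4s4sHHB", src, dst, sport, dport, counter & COUNTER_MASK)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def make_syn_cookie(secret, src, dst, sport, dport, client_isn, mss, counter):
    """Return the server ISN to place in the SYN-ACK; the server stores nothing."""
    # Largest encodable MSS not exceeding what the client offered (index 0 if none fit).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _keyed_hash(secret, src, dst, sport, dport, counter)
    cookie = ((counter & COUNTER_MASK) << (MSS_BITS + HASH_BITS)) \
        | (mss_idx << HASH_BITS) \
        | ((h + client_isn) & HASH_MASK)
    return cookie & 0xFFFFFFFF


def check_syn_cookie(secret, src, dst, sport, dport, ack_seq, ack_num, counter):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None if forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF        # the ACK acknowledges our ISN + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF    # the client's first seq is its ISN + 1
    cookie_counter = cookie >> (MSS_BITS + HASH_BITS)
    # Accept only the current and the previous counter tick, so old cookies expire.
    if ((counter - cookie_counter) & COUNTER_MASK) > 1:
        return None
    h = _keyed_hash(secret, src, dst, sport, dport, cookie_counter)
    if (cookie & HASH_MASK) != ((h + client_isn) & HASH_MASK):
        return None
    return MSS_TABLE[(cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)]


def handshake_demo(secret=b"constructed-secret-rotate-periodically"):
    """Walk one stateless handshake: a genuine ACK, a forged ACK and a replayed stale ACK."""
    src, dst = bytes([198, 51, 100, 10]), bytes([192, 0, 2, 80])   # documentation ranges
    sport, dport, client_isn, counter = 40123, 443, 0x1A2B3C4D, 17
    # SYN arrives: answer with a cookie ISN and keep no half-open entry.
    isn = make_syn_cookie(secret, src, dst, sport, dport, client_isn, 1460, counter)
    # Genuine third packet: seq = client_isn + 1, ack = isn + 1.
    good = check_syn_cookie(secret, src, dst, sport, dport, client_isn + 1, isn + 1, counter)
    # ACK with a guessed acknowledgement number (sender never saw the SYN-ACK).
    bad = check_syn_cookie(secret, src, dst, sport, dport, client_isn + 1, 0xDEADBEEF, counter)
    # The genuine ACK replayed after the counter has moved five ticks on.
    stale = check_syn_cookie(secret, src, dst, sport, dport, client_isn + 1, isn + 1, counter + 5)
    return good, bad, stale


if __name__ == "__main__":
    print(handshake_demo())   # (1460, None, None)
```

The trade-off is the one the real mechanism has: because no state is kept, TCP options that do not fit in the cookie (here, anything beyond a coarse MSS) are lost for cookie-validated connections, which is why production stacks only switch to cookies once the half-open queue is under pressure.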

The Network Time Protocol (NTP), used for clock synchronization, and the Simple Network Management Protocol (SNMP), used for managing network devices, are also abused to conduct DoS attacks through spoofed packets whose source address is set to the target. In NTP amplification attacks, NTP requests are sent constantly to exhaust or confuse resources and deny service. In SNMP reflection attacks, devices are queried for information and reply at once with a large volume of data (as the protocol allows) to the requesting IP address, exhausting its buffers [6, 7, 8].
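The common thread in the DNS amplification, NTP amplification and SNMP reflection attacks above is that the victim receives replies it never asked for. As an added example (not part of the original post), the following detector runs over constructed per-datagram flow records as seen at the edge of a protected network and flags inbound replies from reflector service ports that have no matching outbound request within a short window, reporting packets, bytes and distinct reflectors per victim and service. The record format and sample values are assumptions made for the example.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by server port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Constructed sample flow records, not real traffic. Direction is relative to the
# protected network; one record per datagram:
# (timestamp, direction, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (100.0, "out", "10.0.0.5", 51000, "192.0.2.53", 53, 64),      # legitimate DNS query
    (100.1, "in", "192.0.2.53", 53, "10.0.0.5", 51000, 120),      # its reply, solicited
    (200.0, "in", "198.51.100.1", 123, "10.0.0.9", 40000, 468),   # NTP replies nobody asked for
    (200.0, "in", "198.51.100.2", 123, "10.0.0.9", 40000, 468),
    (200.1, "in", "198.51.100.3", 123, "10.0.0.9", 40000, 468),
    (200.2, "in", "203.0.113.7", 161, "10.0.0.9", 40001, 1400),   # SNMP reply nobody asked for
]


def find_reflection(flows, window=2.0):
    """Report inbound replies from reflector ports with no outbound request within `window` seconds."""
    outstanding = {}   # (local_ip, local_port, remote_ip, remote_port) -> time the request left
    report = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for ts, direction, src, sport, dst, dport, nbytes in sorted(flows):
        if direction == "out" and dport in REFLECTOR_PORTS:
            outstanding[(src, sport, dst, dport)] = ts
        elif direction == "in" and sport in REFLECTOR_PORTS:
            sent = outstanding.pop((dst, dport, src, sport), None)
            if sent is not None and ts - sent <= window:
                continue   # solicited reply: a matching request left recently
            entry = report[(dst, REFLECTOR_PORTS[sport])]
            entry["packets"] += 1
            entry["bytes"] += nbytes
            entry["reflectors"].add(src)
    return dict(report)


if __name__ == "__main__":
    for (victim, service), entry in find_reflection(SAMPLE_FLOWS).items():
        print(victim, service, entry["packets"], "pkts", entry["bytes"], "bytes from",
              len(entry["reflectors"]), "reflectors")
```

In practice the request table needs expiry and the per-victim counters a rate threshold before alerting; the point here is that the signature of reflection is unsolicited replies from many sources to one destination, which is visible at the network edge even though each reflector behaves correctly per its protocol.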

The Christmas tree attack, in which a TCP packet with all flags set is delivered to a system, causes the protocol stack to waste time processing it; while it does not cause denial of service on a large scale, it is still used for fingerprinting. ICMP Source Quench packets are also abused to rate-limit hosts.

References

[1] INSECURE.ORG, “Ping of Death”, 1997. [Online]
[2] Imperva Incapsula, “Ping of Death (PoD)”. [Online]
[3] SearchSecurity, “ping of death”, May 2016. [Online]
[4] Cloudflare, “Ping of Death Attack”. [Online]
[5] Microsoft, “Microsoft Security Bulletin MS13-065 – Important: Vulnerability in ICMPv6 Could Allow Denial of Service”. [Online]
[6] D. Breslaw and D. Bekerman, “Security Glossary: Top 12 DDoS Attack Types You Need to Know”. [Online]
[7] Imperva, “DDoS Attacks”, 2018. [Online]
[8] J. Kirk, “Aging networking protocols abused in DDoS attacks”. [Online]