Ping of death attack – Allied Telesis AT-S63 User Manual

AT-S63 Management Software Features Guide

Section II: Advanced Operations

209

Ping of Death Attack

The attacker sends an oversized, fragmented ICMP Echo (Ping) request
(greater than 65,535 bits) to the victim, which, if lacking a policy for
handling oversized packets, may freeze.

To defend against this form of attack, a switch port searches for the last
fragment of a fragmented ICMP Echo (Ping) request and examines its
offset to determine if the packet size is greater than 63,488 bits. If it is, the
fragment is forwarded to the switch’s CPU for final packet size
determination. If the switch determines that the packet is oversized, the
following occurs:



The switch sends an SNMP trap to the management stations.



The switch port is blocked for one minute.

Note

This defense mechanism requires some involvement by the switch’s
CPU, though not as much as the Teardrop defense. This does not
impact the forwarding of traffic between the switch ports, but it can
affect the handling of CPU events, such as the processing of IGMP
packets and spanning tree BPDUs. For this reason, Allied Telesis
recommends limiting the use of this defense, activating it only on
those ports where an attack is most likely to originate.

Also note that an attacker can circumvent the defense by sending a
stream of ICMP Echo (Ping) requests with a size of 63,488 to 65,534 bits.
A large number of requests could overwhelm the switch’s CPU.