The Ping of Death is a type of protocol Denial of Service (DoS) attack that exploits vulnerabilities in the way systems handle oversized ICMP packets.
How Ping of Death Attacks Work
A ping request is an ICMP Echo Request carried inside an IP packet, and an IPv4 packet can be at most 65,535 bytes long. In a Ping of Death attack, the attacker sends IP fragments whose offsets and lengths add up to more than this limit. When the target reassembles the fragments, the data overruns the fixed-size reassembly buffer; this buffer overflow corrupts memory and leads to system crashes or instability.
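The reassembly bounds check that a hardened IP stack performs, written here as an added Python example (not code from the original page): each fragment carries its IPv4-style offset in 8-byte units, a more-fragments flag and its payload, and the reassembler rejects any fragment whose end would lie past the 65,535-byte datagram limit before copying it into the buffer. The fragment sets are constructed for the demo; the 20-byte IP header length is an assumption (no options).

```python
"""Bounds-checked IP fragment reassembly (added example, constructed data)."""
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # largest IPv4 datagram, header included
IP_HEADER_LEN = 20        # assumption: IPv4 header without options


@dataclass
class Fragment:
    offset: int      # fragment offset in 8-byte units, as in the IPv4 header
    more: bool       # more-fragments (MF) flag
    payload: bytes   # this fragment's share of the datagram payload


class OversizedDatagram(ValueError):
    """Fragments would reassemble past MAX_IP_DATAGRAM."""


def reassemble(fragments):
    """Return the reassembled payload, None if the final fragment has not
    arrived yet, or raise OversizedDatagram when a fragment overruns the
    maximum datagram size.  The check runs before any data is copied, which
    is exactly the step the stacks hit by Ping of Death were missing."""
    frags = sorted(fragments, key=lambda f: f.offset)
    if not frags or frags[-1].more:
        return None  # still waiting for the last fragment
    buf = bytearray()
    for frag in frags:
        start = frag.offset * 8
        end = start + len(frag.payload)
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            raise OversizedDatagram(
                f"fragment at offset {start} with {len(frag.payload)} bytes "
                f"would end at {IP_HEADER_LEN + end} > {MAX_IP_DATAGRAM}")
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))  # grow buffer only within the limit
        buf[start:end] = frag.payload
    return bytes(buf)


def is_oversized(fragments):
    """True when the fragment set would be rejected by reassemble()."""
    try:
        reassemble(fragments)
    except OversizedDatagram:
        return True
    return False


# Constructed sample: a normal 1500-byte ping split at a 1480-byte MTU boundary.
LEGIT_FRAGMENTS = [
    Fragment(offset=0, more=True, payload=b"\xaa" * 1480),
    Fragment(offset=185, more=False, payload=b"\xbb" * 20),   # 185 * 8 == 1480
]

# Constructed sample: the last fragment sits at offset 65,520 and adds 100 more
# bytes, so the reassembled datagram would exceed 65,535 bytes.
POD_FRAGMENTS = [
    Fragment(offset=0, more=True, payload=b"\xaa" * 1480),
    Fragment(offset=8190, more=False, payload=b"\xcc" * 100),  # 8190 * 8 == 65520
]

if __name__ == "__main__":
    print("legit reassembles to", len(reassemble(LEGIT_FRAGMENTS)), "bytes")
    print("ping-of-death set rejected:", is_oversized(POD_FRAGMENTS))
```

The important design point is the order of operations: the size check happens on the fragment's offset and length before the buffer is extended or written, so an attacker cannot make the reassembler allocate or copy beyond the datagram limit.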
What Ping of Death Attacks Look Like in Logs
1. Oversized Ping Requests
Logs show incoming ICMP packets that exceed the allowable size.
Log Example (Firewall or Network Logs):
[Nov 21 18:10:01] ICMP: Src=192.168.1.100 Dst=10.0.0.1 Type=8 Code=0 Length=70000
[Nov 21 18:10:02] ICMP: Src=192.168.1.101 Dst=10.0.0.1 Type=8 Code=0 Length=70000
[Nov 21 18:10:03] ICMP: Src=192.168.1.102 Dst=10.0.0.1 Type=8 Code=0 Length=70000
Signs:
- ICMP packets larger than the maximum IP packet size (65,535 bytes).
- Repeated oversized packets from multiple IPs.
2. Fragmented ICMP Packets
Attackers split the payload into IP fragments so that no single fragment trips a size check; only the reassembled datagram is oversized.
Log Example (Firewall Logs):
[Nov 21 18:11:01] Fragmented ICMP packet received: Src=192.168.1.150 Dst=10.0.0.1
[Nov 21 18:11:02] Fragmented ICMP packet received: Src=192.168.1.151 Dst=10.0.0.1
[Nov 21 18:11:03] Fragmented ICMP packet received: Src=192.168.1.152 Dst=10.0.0.1
Signs:
- Fragmented ICMP packets targeting the same system.
- Increased CPU usage on affected systems during packet reassembly.
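A detector for both signs described on this page, added here as a Python example (not code from the original page): it parses firewall log lines in the two formats shown above, flags ICMP entries whose Length exceeds 65,535 bytes, and reports destinations that receive a burst of fragmented ICMP packets from several sources. The log lines are constructed samples, and the burst threshold of three packets is an assumption to tune for your environment.

```python
"""Ping of Death log detector (added example; sample log is constructed)."""
import re
from collections import Counter, defaultdict

MAX_IP_DATAGRAM = 65535
FRAGMENT_BURST_THRESHOLD = 3  # assumption: packets per destination before alerting

# Field names (Src, Dst, Type, Code, Length) follow the log format on this page.
ICMP_RE = re.compile(
    r"ICMP: Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) "
    r"Type=(?P<type>\d+) Code=(?P<code>\d+) Length=(?P<length>\d+)")
FRAGMENT_RE = re.compile(
    r"Fragmented ICMP packet received: Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+)")

# Constructed sample log: the oversized and fragmented lines from the page,
# plus one normal 84-byte ping and one lone fragment to another host.
SAMPLE_LOG = """\
[Nov 21 18:10:01] ICMP: Src=192.168.1.100 Dst=10.0.0.1 Type=8 Code=0 Length=70000
[Nov 21 18:10:02] ICMP: Src=192.168.1.101 Dst=10.0.0.1 Type=8 Code=0 Length=70000
[Nov 21 18:10:03] ICMP: Src=192.168.1.102 Dst=10.0.0.1 Type=8 Code=0 Length=70000
[Nov 21 18:10:04] ICMP: Src=192.168.1.7 Dst=10.0.0.1 Type=8 Code=0 Length=84
[Nov 21 18:11:01] Fragmented ICMP packet received: Src=192.168.1.150 Dst=10.0.0.1
[Nov 21 18:11:02] Fragmented ICMP packet received: Src=192.168.1.151 Dst=10.0.0.1
[Nov 21 18:11:03] Fragmented ICMP packet received: Src=192.168.1.152 Dst=10.0.0.1
[Nov 21 18:11:09] Fragmented ICMP packet received: Src=172.16.0.9 Dst=10.0.0.2
"""


def analyze(log_text):
    """Return oversized ICMP entries and destinations under a fragment burst."""
    oversized = []                      # (src, dst, length) per flagged line
    frag_count = Counter()              # fragmented packets per destination
    frag_sources = defaultdict(set)     # distinct sources per destination
    for line in log_text.splitlines():
        m = ICMP_RE.search(line)
        if m:
            length = int(m["length"])
            # Sign 1: a packet longer than any valid IP datagram.
            if length > MAX_IP_DATAGRAM:
                oversized.append((m["src"], m["dst"], length))
            continue
        m = FRAGMENT_RE.search(line)
        if m:
            # Sign 2: fragmented ICMP aimed at the same system.
            frag_count[m["dst"]] += 1
            frag_sources[m["dst"]].add(m["src"])
    fragment_targets = {
        dst: {"packets": n, "sources": sorted(frag_sources[dst])}
        for dst, n in frag_count.items()
        if n >= FRAGMENT_BURST_THRESHOLD
    }
    return {"oversized": oversized, "fragment_targets": fragment_targets}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, dst, length in report["oversized"]:
        print(f"oversized ICMP {src} -> {dst}: {length} bytes")
    for dst, info in report["fragment_targets"].items():
        print(f"fragment burst at {dst}: {info['packets']} packets "
              f"from {len(info['sources'])} sources")
```

Tracking distinct sources per destination, rather than raw line counts alone, lets the report distinguish the multi-source pattern both sections of this page describe from a single misbehaving host.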