Ping of Death: How an adorable sounding DDoS attack can wreak havoc

Small doses of poison can add up to a lethal cocktail of DDoS in what is being called the ping of death, says Sophie Davidson.

Sophie Davidson, Incapsula

Pretend for a moment that you're a nefarious type of person. Naturally, you have enemies, one of whom owns an electronics store. Black Friday happens to be just around the corner and your enemy is planning on setting up a roof display to let everyone know about his insane discounts. But you certainly don't want him to be able to rake in major money. So you twirl your pencil-thin moustache and hatch a plan to literally bring his roof down and make his store unavailable to customers.

After some thought, you arrange a delivery of a rooftop display that looks like it's coming from the store's franchising company. The electronics store owner hires some temporary worker drones to work overnight putting up the display, and what do you know? The delivery boxes just keep coming. One at a time the workers bring this almost endless stream of boxes to the roof and assemble the display. It wouldn't have been possible - or smart for that matter - to send a display big enough to bring down a roof all in one shipment. It would have been too big to be delivered, and too big to bring up to the roof. But a display of that size, delivered in smaller pieces, and then assembled on the roof? Nice knowing you, roof. You smugly pet your nefarious-looking cat.

That's more or less how a Ping of Death (PoD) DDoS attack works: small doses all adding up to devastating results.

DDoS attack types

DDoS stands for distributed denial of service. It's a form of attack that denies the services of a website, server, network or other internet service to its legitimate users by interrupting, suspending or otherwise interfering with the services of an internet-connected host. This is generally accomplished using one (or more) of the following attack types: volume-based attacks, application layer attacks, or protocol attacks. Ping of Death is a protocol attack.

The internet operates using a set of protocols. These protocols are absolutely necessary for the internet to operate the way it must. Attackers have figured out that one way to make DDoS attacks difficult to defend against is to use those same protocols, because blocking the entire protocol isn't an option.

The ping protocol

A 'ping' is a networking utility that determines whether a host is reachable and how long the round trip takes. An Internet Control Message Protocol (ICMP) echo request packet is sent to the host, which responds with an echo reply.

A properly formed ICMP echo request packet is no bigger than 65,535 bytes, because the IP header carries the packet's total length in a 16-bit field. Sending a ping packet larger than 65,535 bytes is therefore a violation of the Internet Protocol and simply isn't possible – unless the attacker sends malformed packets as fragments that the target host attempts to reassemble. The reassembled result is an over-sized packet that overflows the receiver's reassembly buffer, leaving the host unavailable to legitimate users. This is how a Ping of Death DDoS attack occurs.

As the Incapsula DDoS attack glossary points out, Ping of Death attacks are effective because not only is it easy for an attacker to spoof the source address, but the attacker also requires no information about the target beyond its IP address.

Damaged goods

Ping of Death may have an almost cutesy name, but the damage these attacks can cause is about as far from cute as it gets. First and foremost, a PoD attack makes your website unavailable to your users. For a business, this can lead to an immediate loss of revenue, as well as a loss of consumer trust, which can cause longer-term loss of revenue.

DDoS attacks have also been shown to cause hardware or software damage, theft of intellectual property and theft of customer data or financial information. The after-effects of a DDoS attack can be felt for months, if not years.

Making the Ping of Death less lethal

As previously discussed in this article, stopping Ping of Death attacks is difficult because they're protocol attacks. You can't just block all ICMP ping messages. Professional DDoS mitigation will selectively and intelligently block unusually large packets, including fragmented packets, in order to stop attack traffic while allowing legitimate ping traffic to reach the host unimpeded.
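The mechanism described under "The ping protocol" and the mitigation described just above come down to one check: the reassembled datagram must never exceed the 65,535-byte limit that the IP total-length field imposes, and a fragment whose offset plus length lands beyond that limit should be dropped rather than copied into the reassembly buffer. The following Python model is an added example, not code from the article or from Incapsula; it implements a minimal IPv4 fragment reassembler with that bounds check, logs what it drops, and runs on constructed fragments (the identification values, offsets and payloads are made up for the demo).

```python
"""
Added example (not from the original article): a minimal model of IPv4
fragment reassembly with the size check whose absence a Ping of Death relies on.
Fragment fields follow RFC 791: the fragment offset is in 8-byte units, the
"more fragments" (MF) flag is set on every piece but the last, and the total
datagram can never exceed 65,535 bytes. All fragment values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_DATAGRAM = 65535                      # 16-bit IPv4 total-length field
IPV4_HEADER = 20                          # header size without options
MAX_PAYLOAD = MAX_DATAGRAM - IPV4_HEADER  # 65,515 bytes of reassembled payload


@dataclass
class Fragment:
    ident: int       # IP identification field shared by all fragments of one datagram
    offset: int      # fragment offset in 8-byte units (13-bit field)
    more: bool       # MF flag
    payload: bytes   # bytes carried by this fragment


@dataclass
class ReassemblyState:
    chunks: Dict[int, bytes] = field(default_factory=dict)  # byte offset -> data
    total: Optional[int] = None                             # payload length once the last fragment is seen


class Reassembler:
    """Collects fragments per identification value and refuses oversized datagrams."""

    def __init__(self) -> None:
        self.pending: Dict[int, ReassemblyState] = {}
        self.dropped: List[str] = []  # human-readable drop reasons, suitable for alerting

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Accept one fragment; return the full payload once the datagram is complete."""
        start = frag.offset * 8
        end = start + len(frag.payload)
        # The check vulnerable stacks lacked: the reassembled payload must fit inside
        # a legal IP datagram, so a fragment ending beyond that limit is discarded
        # (together with any siblings already buffered) instead of being copied.
        if end > MAX_PAYLOAD:
            self.dropped.append(
                f"id={frag.ident} offset={start} end={end} exceeds {MAX_PAYLOAD}")
            self.pending.pop(frag.ident, None)
            return None
        state = self.pending.setdefault(frag.ident, ReassemblyState())
        state.chunks[start] = frag.payload
        if not frag.more:
            state.total = end
        return self._complete(frag.ident, state)

    def _complete(self, ident: int, state: ReassemblyState) -> Optional[bytes]:
        if state.total is None:
            return None  # last fragment not seen yet
        expected = 0
        for start in sorted(state.chunks):  # require contiguous coverage, no holes
            if start != expected:
                return None
            expected = start + len(state.chunks[start])
        if expected != state.total:
            return None
        buf = bytearray(state.total)
        for start, data in state.chunks.items():
            buf[start:start + len(data)] = data
        del self.pending[ident]
        return bytes(buf)


def demo() -> dict:
    """Feed one legitimate and one oversized fragmented datagram (constructed values)."""
    r = Reassembler()
    # Legitimate echo request split across an Ethernet-sized MTU: 1480 + 100 bytes.
    good = [Fragment(1, 0, True, b"A" * 1480), Fragment(1, 185, False, b"B" * 100)]
    # Oversized datagram: offset 8189 * 8 = 65512, plus 1000 bytes = 66512 > 65515.
    bad = [Fragment(2, 0, True, b"C" * 1480), Fragment(2, 8189, False, b"D" * 1000)]
    good_result = [r.add(f) for f in good][-1]
    bad_result = [r.add(f) for f in bad][-1]
    return {
        "good_len": len(good_result) if good_result else None,
        "bad": bad_result,
        "dropped": len(r.dropped),
        "pending": len(r.pending),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the check sits: before any copy into the reassembly buffer, using the offset and length from the fragment header rather than trusting that the pieces will add up to something legal. A mitigation device that drops fragments on the same condition lets ordinary fragmented pings through while never building the over-sized datagram at all.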

This is a good thing, because you're not a nefarious type of person, and you're not twirling your pencil-thin moustache. Professional DDoS protection is how you protect your website and your business from the nefarious moustache-twirlers of the world.

Contributed by Sophie Davidson at Incapsula.