Talk:Ping of death
How can you create/send a POD? What has been done on the popular operating systems to prevent this buffer overflow from occurring?
- It's probably not possible to do this and 'crash' other machines, as the article states that most machines have been fixed to avoid this. From my limited personal research it seems that sending a packet of size 2^16 (65536) or greater will crash the remote machine.
- My question here to add is how is this possible? We regularly send data around via TCP/IP which is obviously greater than 2^16 bytes, but the data is split between two packets of < 65535 bytes.
- Anyway the question 'what has been done on the popular operating....' can probably be answered using my hypothesis that the machines are somehow set to not receive packets greater than 2^16-1 bytes. How, I'm not sure :) Piepants 23:26, 8 June 2006 (UTC)
- edit: after some more research, I am reminded that you can specify packet size from ping commands (type ping /? in your command prompt to see how). I'm sure they fixed it, but if you, say, chose 'ping -l 65536 [hostname]' (-l means specified buffer size), it would do what was done years ago to 'test' this.
- :) Piepants 23:31, 8 June 2006 (UTC)
Killing vandals with PODs
This might be an effective way to fight vandals if it wasn't illegal. Wikipedia users would simply send Pings of death to vandals, and their computers crash!--126.96.36.199 00:42, 18 September 2006 (UTC)
... but you DID read the part about POD bug being fixed since 10 years? 188.8.131.52 14:15, 5 October 2006 (UTC)
₦ this men love —Preceding unsigned comment added by 184.108.40.206 (talk) 14:39, 13 July 2010 (UTC)
NOTHING to do with ICMP ?
When a ping of death is initiated, it is my understanding that the command used, i.e. "ping -l 65536" will cause an oversized ping packet to be sent to the host by inserting 65536 bytes into the ICMP data field. As the ping is sending, then ICMP makes an ICMP_ECHO_REQUEST and this ICMP_ECHO_REQUEST is 65536 bytes. This together with the rest of the IP packet makes it greater than the specified length of IP MTU allowed. The IP packet will be sent fragmented due to its size, but when reassembled at the other end all the pieces will be greater than the maximum allowed for an IP packet since the ICMP_ECHO_REQUEST contains 65536 bytes just on its own, within the ICMP data field. The host will not be expecting to receive an illegally oversized IP packet and will allocate memory space for an IP packet no larger than 65,535 bytes. The host will reassemble the IP packet and place it in the allocated memory space. However, since this IP packet is oversized then the extra data will "overflow" the allocated memory space, thus causing a "buffer overflow". This will affect areas of memory allocated to other processes. If this happens to be executing code, the system will effectively be attempting to run corrupted code causing the system to either hang or crash. Okay so I accept that the problem lies with the reassembly process, but I couldn't agree that it has NOTHING to do with ICMP since it is the ICMP data field that holds the data which makes the IP packet oversized. Please correct me if I am wrong.
- The ICMP header does NOT have a field describing the length of the packet. This information is in the IP header, regardless if this is ICMP, UDP, TCP, or any other protocol. You could use the POD attack also with other types of protocols, which are not ICMP. Read section 1.2 in the link to insecure.org
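Added example, not part of any comment above and not code from any real IP stack: a sketch of the bounds check a reassembly routine needs before copying a fragment, which is why the fix is independent of ICMP. The struct and function names are assumptions; the 13-bit Fragment Offset in 8-byte units and the 16-bit Total Length limit come from the IPv4 header format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u /* largest value of the 16-bit IPv4 Total Length field */

/* Hypothetical per-datagram reassembly state; all names here are assumptions. */
struct reasm {
    uint8_t data[IP_MAX_DATAGRAM]; /* room for the largest legal datagram */
    size_t  hdr_len;               /* IP header length of the first fragment, e.g. 20 */
    size_t  end;                   /* one past the highest byte stored so far */
};

/* Return 1 if a fragment ends inside a legal datagram, 0 otherwise.
 * off_units is the 13-bit Fragment Offset field (units of 8 bytes).
 * The protocol carried in the payload (ICMP, UDP, TCP) is never consulted. */
int frag_fits(size_t hdr_len, uint16_t off_units, size_t payload_len)
{
    size_t start = hdr_len + (size_t)(off_units & 0x1FFF) * 8;
    return payload_len <= IP_MAX_DATAGRAM &&
           start + payload_len <= IP_MAX_DATAGRAM;
}

/* Store one fragment. Returns 0 on success, -1 if the fragment is dropped.
 * The bounds check runs before memcpy, so a datagram that would reassemble
 * to more than 65535 bytes never reaches the buffer. */
int reasm_add(struct reasm *r, uint16_t off_units,
              const uint8_t *payload, size_t payload_len)
{
    if (!frag_fits(r->hdr_len, off_units, payload_len))
        return -1;
    size_t start = r->hdr_len + (size_t)(off_units & 0x1FFF) * 8;
    memcpy(r->data + start, payload, payload_len);
    if (start + payload_len > r->end)
        r->end = start + payload_len;
    return 0;
}
```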