A Ping of Death (PoD) is a DoS attack in which an attacker uses the PING command to send oversized or malformed packets to a targeted computer or service. PING operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply; it measures the round-trip time for messages sent from the originating host to the target and echoed back to the source.
A ping of death attack occurs when an attacker sends an IP packet bigger than the 65,536 bytes allowed by the TCP/IP protocol (a set of rules to send and receive messages at the information packet level and the Internet address level). One of the central features of the TCP/IP protocol is fragmentation: it allows a single IP packet to be broken into smaller segments. Attackers began to take advantage of fragmentation in 1996 when they discovered that the fragments of a packet could add up to more than the allowed 65,536 bytes. Many historical operating systems couldn’t handle the larger packet sizes, and after attempting to reassemble the fragments, many froze, crashed, or rebooted. The bug hit a wide range of operating systems including Mac, Windows, and Linux, plus network devices such as routers and printers.
Ping of death attacks were alarming partly because the attacker’s identity could be easily spoofed, and the attacker only needed to know a target machine’s IP address in order to launch an attack. By the end of 1997, operating system vendors had issued patches to avoid the ping of death. Even today, many websites block PING messages at the firewall stage to prevent any variation of this kind of DoS attack. This is not always a desirable long-term mitigation, as it also prevents legitimate PING use, for example to test whether connections are live. Another approach is to selectively block fragmented PINGs while allowing unfragmented PING traffic to pass through.
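The selective-blocking approach can be expressed as a per-packet header check. The following is an added example, not part of the original page: it classifies an IPv4 header, dropping any fragment whose reassembled size would exceed the length field's range and, optionally, any fragmented ICMP. The function names, verdict strings and sample headers (built with documentation addresses) are constructed for illustration.

```python
import struct

MAX_DATAGRAM = 0xFFFF   # IPv4 Total Length is a 16-bit field
PROTO_ICMP = 1
MF_FLAG = 0x2000        # "more fragments" bit
OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units


def classify(packet: bytes, block_fragmented_icmp: bool = True) -> str:
    """Return 'pass', 'drop-malformed', 'drop-oversized' or 'drop-fragmented-icmp'."""
    if len(packet) < 20:
        return "drop-malformed"
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return "drop-malformed"
    offset = (flags_off & OFFSET_MASK) * 8
    is_fragment = bool(flags_off & MF_FLAG) or offset > 0
    # Header + data already placed before this fragment + this fragment's data.
    if ihl + offset + (total_len - ihl) > MAX_DATAGRAM:
        return "drop-oversized"
    if block_fragmented_icmp and is_fragment and proto == PROTO_ICMP:
        return "drop-fragmented-icmp"
    return "pass"


def sample_header(total_len: int, offset_units: int, more: bool, proto: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    flags_off = (MF_FLAG if more else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_off, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


if __name__ == "__main__":
    samples = {
        "whole echo request": sample_header(84, 0, False, PROTO_ICMP),
        "in-range ICMP fragment": sample_header(1500, 185, True, PROTO_ICMP),
        "fragment ending past limit": sample_header(1500, 8189, False, PROTO_ICMP),
        "in-range UDP fragment": sample_header(1500, 185, True, 17),
    }
    for name, hdr in samples.items():
        print(f"{name}: {classify(hdr)}")
```

The size check runs before the ICMP rule and applies to every protocol, so an out-of-range fragment is rejected even when fragmented ICMP is otherwise allowed.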
Unpatched systems remain vulnerable to PoD attacks. A popular variant of the PoD attack is the ping flood, in which the targeted system is hit with a flood of ICMP packets sent via PING without waiting for replies.
Ping of death is also known as “long ICMP.”