With every technological advancement comes an increase in cyber security threats and the attackers behind them. In this article, we will discuss one of the denial-of-service attacks that attackers can use to disrupt a service: the Ping of Death, and ways to safeguard yourself against it.
What is Ping of Death?
Ping of Death (PoD) is a denial of service (DoS) attack in which the attacker sends a target a packet larger than the protocol allows, with the sole aim of crashing the host or making the service it runs inaccessible to other users. RFC 791 limits an IPv4 packet, header included, to 65,535 bytes, because the Total Length field in the IP header is only 16 bits wide.
A host whose IP stack does not enforce that limit while reassembling fragments can overflow its reassembly buffer and freeze or crash when it processes the request.
How does Ping of Death work?
A Ping of Death is an oversized Internet Control Message Protocol (ICMP) packet, delivered as fragments, sent across a network to a host.
A ping (the expansion Packet Internet Groper is a later backronym) sends an ICMP echo request to a host and expects an ICMP echo reply in return. It tests whether the host at a given address exists on the network and is accepting traffic: a small piece of data goes out, and a response is expected back.
Based on the response, or its absence, the status of the host is verified.
Attackers carry out the Ping of Death by sending a datagram that violates RFC 791, which limits a valid IPv4 packet to 65,535 bytes.
No single packet can be larger than that, because the Total Length field cannot express a bigger value. Instead, the attacker sends the ping as a series of fragments whose fragment offsets and lengths add up to more than 65,535 bytes. The receiving host stores the fragments until the last one arrives and then reassembles them; a stack that does not check that a fragment's offset plus its length stays within 65,535 bytes writes past its reassembly buffer, and the host freezes or crashes. Because the oversized datagram is an ICMP echo request, the attack is known as the ping of death.
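The following is an added example, not code from the original article: a minimal IPv4 fragment reassembler in Python that enforces the 65,535-byte bound the vulnerable stacks lacked. It builds its own fragments (constructed test data with addresses from the documentation ranges and a zeroed header checksum) so it runs offline; `build_fragment`, `parse_ipv4` and `Reassembler` are names chosen for this example.

```python
import struct

IPV4_MAX_LEN = 65535    # RFC 791: the Total Length field is 16 bits wide
IPPROTO_ICMP = 1
IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def build_fragment(ident, offset, more, payload, src="198.51.100.7", dst="203.0.113.10"):
    """Build one IPv4 fragment that carries `payload` at byte `offset` of the datagram.

    Constructed test data for this example, not a capture: the header checksum is
    left at zero because nothing here verifies it.
    """
    if offset % 8:
        raise ValueError("fragment offsets are expressed in 8-byte units")
    flags_frag = ((1 if more else 0) << 13) | (offset // 8)   # MF flag is bit 13
    header = struct.pack(
        IPV4_FMT,
        0x45, 0, 20 + len(payload), ident, flags_frag, 64, IPPROTO_ICMP, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def parse_ipv4(pkt):
    """Extract the header fields a reassembler needs from a raw IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ident": ident,
        "proto": proto,
        "more": bool((flags_frag >> 13) & 1),
        "offset": (flags_frag & 0x1FFF) * 8,
        "data": pkt[ihl:total_len],
    }


class Reassembler:
    """Minimal IPv4 reassembler with the bound that Ping of Death relied on being absent.

    feed() returns ("complete", datagram), ("pending", None) or ("drop", reason).
    """

    def __init__(self):
        # (src, dst, ident, proto) -> {"parts": {offset: bytes}, "total": int or None}
        self._datagrams = {}

    def feed(self, pkt):
        h = parse_ipv4(pkt)
        key = (h["src"], h["dst"], h["ident"], h["proto"])
        end = h["offset"] + len(h["data"])
        # The guard: no fragment may extend the datagram past 65,535 bytes.  A stack
        # that skipped this check reserved a 65,535-byte reassembly buffer and wrote
        # the final fragment beyond it, which is the crash the article describes.
        if end > IPV4_MAX_LEN:
            self._datagrams.pop(key, None)
            return "drop", f"fragment reaches byte {end}, beyond {IPV4_MAX_LEN}"
        entry = self._datagrams.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][h["offset"]] = h["data"]
        if not h["more"]:
            entry["total"] = end          # the last fragment fixes the datagram length
        total = entry["total"]
        if total is None:
            return "pending", None
        # Complete only when the stored parts cover [0, total) without a gap.
        covered = 0
        for off in sorted(entry["parts"]):
            if off > covered:
                return "pending", None
            covered = max(covered, off + len(entry["parts"][off]))
        del self._datagrams[key]
        if covered > total:
            return "drop", "a fragment extends past the final fragment"
        buf = bytearray(total)
        for off, chunk in entry["parts"].items():
            buf[off:off + len(chunk)] = chunk
        return "complete", bytes(buf)


if __name__ == "__main__":
    r = Reassembler()
    print(r.feed(build_fragment(1, 0, False, b"\x08\x00" + b"A" * 54))[0])   # complete
    print(r.feed(build_fragment(2, 0, True, b"B" * 1480))[0])              # pending
    print(r.feed(build_fragment(2, 1480, False, b"C" * 20))[0])            # complete
    print(r.feed(build_fragment(3, 65528, False, b"D" * 16)))              # drop
```

The last call is the Ping of Death shape: a final fragment at offset 65,528 carrying 16 bytes ends at byte 65,544, so it is refused before anything is stored. A fragment at the same offset carrying 7 bytes ends exactly at 65,535 and is accepted, which is the boundary a reassembler must get right.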
Examples of Ping of Death attacks
#1. Democratic National Committee (DNC) attack
In 2018, the Democratic National Committee was hit with a DDoS attack. The attacks coincided with periods when the DNC and the DCCC were fundraising or when a candidate's popularity was rising. DDoS attacks, of which the ping of death is one form, are carried out to ensure disruption and can be used as a weapon by rivals and competitors.
#2. Australian census attack
In 2016, the Australian Bureau of Statistics (ABS) suffered a DDoS attack during the online census: citizens could not reach the bureau's website to take part. The attackers' PoD attack was aimed at congesting the network so that Australians could not complete the census.
#3. whitehouse.org mistaken-identity PoD attack
In 2001, whitehouse.org, a parody of the White House website, was the victim of a Ping of Death attack. The attackers' intended target was whitehouse.gov, but they mistook the parody site for it.
Brook Talley, who discovered the attack, said that the website received a large flood of ICMP echo requests for 13 hours. The attackers' aim was to cause a denial of service (DoS) on the whitehouse.gov site.
Best Practices to Stay Safe from a Ping of Death Attack
Attackers exploit vulnerabilities and loopholes in systems to gain access or to disrupt them. Every system owner must ensure their systems are adequately safeguarded and that flaws an attacker could exploit are found and fixed. Below are some best practices that can help keep your system safe.
Keep your systems updated
Keeping your systems on the latest patches is the single most effective defence against the Ping of Death: the reassembly bug it exploits was fixed in mainstream operating systems in the late 1990s, so a patched host simply discards the oversized datagram. Patches and updates are released continually to fix security issues, and because attackers target exactly those issues, an unpatched host is the one that remains exposed.
Use a packet-filtering firewall
The Ping of Death abuses the way packets are fragmented and reassembled. Each IP packet carries a header, which holds the source IP address, destination IP address, protocol number, total length, and the identification, flags, and fragment offset fields used to reassemble fragments, followed by the data payload. Port numbers live in the TCP or UDP header inside that payload, not in the IP header.
A packet-filtering firewall inspects those header fields and forwards only packets that match its rules, so it can drop fragments that would reassemble past 65,535 bytes, or drop fragmented ICMP altogether, since a normal echo request fits in a single packet. The downside is that an overly strict rule set can also block legitimate traffic, such as large but valid fragmented datagrams.
Segment your network
A DDoS attack aims to exhaust a service so that legitimate requests can no longer be served. Segmenting your network limits the blast radius: isolating critical services and data in separate segments or locations keeps other resources available as a fallback while one segment is under attack.
Monitor your traffic and logs
Continuous monitoring of network traffic and logs gives early warning of many DDoS attacks, including the Ping of Death. A baseline of normal traffic lets you tell legitimate load from anomalies, such as a surge of ICMP echo requests from one source or fragments whose offset plus length exceeds 65,535 bytes, and plan preventive measures before the service degrades.
Use a DDoS protection service
Several companies offer services that mitigate or provide early detection of these attacks. Integrating such a service adds a layer of protection in front of your own systems. Below are two of them.
Cloudflare is one of the leading DDoS mitigation providers. It protects at three layers: the application layer (L7), the transport layer (L4), and the network layer (L3).
Cloudflare also offers a firewall-as-a-service for setting up rules and policies that block unwanted packets. With its built-in monitoring, Cloudflare continuously watches network activity for any form of DDoS attack.
Imperva's DDoS protection, which covers attacks like PoD, ships with instant notification of malicious activity, continuous monitoring of network traffic, and easy integration with SIEM tools. Imperva protects websites, networks, and individual IP addresses.
Imperva cuts off malicious traffic by routing all incoming traffic through its scrubbing centers, so that only legitimate requests reach your servers.
What is the difference between Ping of Death (PoD) and a Smurf or SYN Flood attack?
A SYN flood is a DDoS attack that targets the TCP three-way handshake, whereas PoD targets ICMP and IP fragment reassembly. The attacker sends a large number of TCP SYN (synchronize) packets, usually with spoofed source IP addresses.
The server answers each SYN with a SYN-ACK, allocates state for the half-open connection, and waits for the client's ACK (acknowledgment), which never arrives because the source address was spoofed. The half-open connections exhaust the server's connection backlog, so new legitimate connections are refused.
A Smurf attack is also a DDoS attack that uses ICMP, but it abuses IP broadcast addresses rather than oversized packets: the attacker sends ICMP echo requests to a network's broadcast address with the victim's IP address forged as the source, so every host on that network replies to the victim at once and floods it. The essential difference is that PoD needs only a single malformed datagram to crash a vulnerable host, while SYN floods and Smurf attacks rely on volume.
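As an added example, not code from the original article, the following Python detector applies the monitoring advice from the best-practices section above to the three attack types compared here. It runs over constructed key=value flow records embedded in the block (not a real capture; addresses come from the documentation ranges) and flags a ping of death by a fragment that ends past 65,535 bytes, an ICMP flood by echo-request rate from one source, a Smurf attempt by echo requests aimed at a broadcast address you list, and a SYN flood by half-open connections from distinct sources. The record format, thresholds, and function names are choices made for this example.

```python
from collections import Counter, defaultdict

IPV4_MAX_LEN = 65535

# Constructed flow records in the key=value form this example parses; not a real capture.
# 203.0.113.10 is the monitored host.  192.0.2.255 is a directed-broadcast address that
# an outside host has no business pinging.  `end` is fragment offset plus length, i.e.
# the last byte the packet occupies in its datagram.
SAMPLE_LOG = """\
t=1.00 src=198.51.100.7 dst=203.0.113.10 proto=icmp type=echo-request end=64
t=1.01 src=198.51.100.7 dst=203.0.113.10 proto=icmp type=echo-request end=65544
t=1.02 src=203.0.113.10 dst=198.51.100.7 proto=icmp type=echo-reply end=64
t=2.00 src=198.51.100.9 dst=203.0.113.10 proto=icmp type=echo-request end=64
t=2.10 src=198.51.100.9 dst=203.0.113.10 proto=icmp type=echo-request end=64
t=2.20 src=198.51.100.9 dst=203.0.113.10 proto=icmp type=echo-request end=64
t=2.30 src=198.51.100.9 dst=203.0.113.10 proto=icmp type=echo-request end=64
t=2.40 src=198.51.100.9 dst=203.0.113.10 proto=icmp type=echo-request end=64
t=3.00 src=203.0.113.10 dst=192.0.2.255 proto=icmp type=echo-request end=64
t=3.01 src=203.0.113.10 dst=192.0.2.255 proto=icmp type=echo-request end=64
t=4.00 src=10.9.0.1 dst=203.0.113.10 proto=tcp flags=S dport=443
t=4.00 src=10.9.0.2 dst=203.0.113.10 proto=tcp flags=S dport=443
t=4.01 src=10.9.0.3 dst=203.0.113.10 proto=tcp flags=S dport=443
t=4.01 src=10.9.0.4 dst=203.0.113.10 proto=tcp flags=S dport=443
t=4.02 src=198.51.100.20 dst=203.0.113.10 proto=tcp flags=S dport=443
t=4.05 src=198.51.100.20 dst=203.0.113.10 proto=tcp flags=A dport=443
"""


def parse_record(line):
    """Turn one 'key=value key=value' line into a dict with a float timestamp."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["t"] = float(rec["t"])
    return rec


def classify(lines, broadcast_addrs, window=1.0, icmp_threshold=5, syn_threshold=3):
    """Return one alert per (label, source, target) seen in the records.

    Labels: ping-of-death (oversized ICMP fragment), icmp-flood (echo-request rate
    from one source), smurf (echo request aimed at a broadcast address; the spoofed
    source is the victim), syn-flood (half-open connections from distinct sources).
    """
    alerts = {}                       # (label, src, target) -> detail
    echo_times = defaultdict(list)    # (src, dst) -> echo-request timestamps in the window
    syn_srcs = defaultdict(set)       # (dst, dport) -> sources that sent a bare SYN
    ack_srcs = defaultdict(set)       # (dst, dport) -> sources that completed the handshake

    for rec in map(parse_record, lines):
        src, dst = rec["src"], rec["dst"]
        if rec["proto"] == "icmp":
            if int(rec.get("end", 0)) > IPV4_MAX_LEN:
                alerts[("ping-of-death", src, dst)] = f"fragment reaches byte {rec['end']}"
            if rec["type"] != "echo-request":
                continue
            if dst in broadcast_addrs:
                alerts[("smurf", src, dst)] = "echo request to broadcast; spoofed source is the victim"
            times = echo_times[(src, dst)]
            times.append(rec["t"])
            while times and times[0] < rec["t"] - window:
                times.pop(0)          # keep only the sliding window
            if len(times) >= icmp_threshold:
                alerts[("icmp-flood", src, dst)] = f"{len(times)} echo requests within {window}s"
        elif rec["proto"] == "tcp":
            key = (dst, rec["dport"])
            flags = rec["flags"]
            if "S" in flags and "A" not in flags:
                syn_srcs[key].add(src)
            elif "A" in flags:
                ack_srcs[key].add(src)

    # A SYN flood shows as many distinct sources that never sent the final ACK.
    for key, srcs in syn_srcs.items():
        half_open = srcs - ack_srcs[key]
        if len(half_open) >= syn_threshold:
            alerts[("syn-flood", "*", f"{key[0]}:{key[1]}")] = f"{len(half_open)} half-open connections"

    return sorted((label, src, target, detail) for (label, src, target), detail in alerts.items())


def summarize(alerts):
    """Count alerts by label, e.g. to feed a dashboard or SIEM."""
    return Counter(alert[0] for alert in alerts)


if __name__ == "__main__":
    for alert in classify(SAMPLE_LOG.splitlines(), broadcast_addrs={"192.0.2.255"}):
        print(*alert)
```

Note the asymmetry the detector relies on: the ping of death is identified by a single record (one fragment with an impossible end offset), while the flood, Smurf and SYN cases only become visible when records are counted over a window or correlated across sources. The legitimate client 198.51.100.20 completes its handshake and is not counted among the half-open connections.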
Steps to Take After a PoD Attack
In the event of a successful PoD attack, start work immediately to restore the system to a working state. The longer the system or service is down, the more damage the attack does to its reputation. Keep the following points in mind if it happens.
Isolate the affected systems
It is crucial to be able to isolate different parts of your system. An attacker's goal is to turn a single weakness into access to, or disruption of, the entire system; if isolation is not possible or is not done in time, the attack lasts longer and does more damage.
Identify and cut off the source
Monitoring is vital to spotting abnormalities within a system. During an attack, identify the source as quickly as possible and cut it off, for example by blocking the offending addresses at the firewall or asking your upstream provider to do so, because the longer the source keeps sending, the larger the damage done.
Run system update
After an attack, check for any system updates and patches that have not yet been applied. The Ping of Death exploits a specific vulnerability in IP fragment reassembly, and the vendor's patches are what close it.
Plan and Monitor for a future attack
Planning for an attack gives an organization a list of activities to carry out when an incident occurs, which removes the burden of not knowing what to do in the moment. Continuous monitoring remains critical to detecting these attacks early.
Report the attack
Reporting any attack is essential so that the authorities are aware of the issue and can help find and track down the attackers.
Security is essential, and one of the keys to success, as more services move to the cloud. Organizations offering services and solutions should put every reasonable measure in place on their side so that they leave no opening for an attacker within their system.