Denial of Service Attacks (Part 2): The Ping of Death

Captions
In this video I'd like to talk about a fairly old attack that goes by the somewhat ominous-sounding name "ping of death". In this attack, what the attacker basically does is cause a remote system to crash by sending it just a single malformed Internet Protocol, or IP, packet. Now, I do want to emphasize that all modern operating systems, really anything past around, I would say, 1997 or 1998, somewhere in that timeframe, are obviously patched against this particular attack. So it's not like it's going to work nowadays, but at the same time I think these types of attacks are of historical interest, and in general it's good to understand older attacks, in part because you can understand why certain technologies are designed the way they are today, and moreover, by understanding the old attacks, you're less likely to repeat the mistakes of the past.

So let's dive right in. In a ping of death, what the attacker is going to do is create what's called an ICMP echo request. This is also known in today's parlance as a ping, and in fact most people call it a ping; hardly anybody calls it an ICMP echo request, but I think it's good to understand what the formal terminology is. Normally, ping packets are used for figuring out whether systems are up and running, and they allow you to determine information about the round-trip latency of any communication with that particular system. It's a good thing to do in general. Typically ping packets are quite small; they don't take up a lot of size, because they're really there to give you a heartbeat or status about the remote system. And given the ostensibly innocuous nature of pings, most remote systems do respond to ping requests: they accept ping packets from anybody and don't really block based on who sends them.

Now, even though ping packets are small in practice, in theory they can actually get quite big. According to RFC 791, which is the RFC that corresponds to the IP protocol, any IP packet can be up to 65,536 bytes in length. Part of that is going to be taken up by a header, then you'll also have what are called IP options, and then aside from the header and options you'll have your actual data. That's roughly the format of an IP packet. Now, what the attacker is going to do is craft an IP packet that is bigger than this, bigger than 65,536 bytes. You may be asking, well, how can the attacker do this directly, given that it violates the IP standard? Wouldn't it just be blocked? It turns out that what you can do, and what attackers do, is rely on a technique known as fragmentation. Fragmentation is actually used in the context of the physical transport of a packet. Typically when you're transporting, let's say, an IP packet, you may have physical limitations, and one of those limitations is something called the path maximum transmission unit, or MTU. Some networks have a fixed MTU size. For example, if you're transmitting something over Ethernet, which is typically your local wired network, that would have a path MTU of about 1,500 or 1,000 bytes, much smaller than the 65,536 bytes you're allowed with a single IP packet. In general, most networks will have a path MTU that is smaller than the maximum allowed by the IP standard, and so as a result, when you have something that's bigger than the path MTU, that packet is going to get fragmented.

When an IP packet is fragmented, it's basically broken up into little pieces, and each little piece will contain, in addition to the standard IP header, an offset, and it will contain the actual data, the payload itself. The idea is that the offset is sort of an index: if you were to reconstruct the original IP packet from the fragments, you can do so by using the offset. So now let's imagine that this packet has been fragmented, it's being transported, and it's arriving at some remote host, a computer that is receiving this ping request. This is obviously an old-looking computer, and the ping of death is an old attack, so maybe that's fitting. Imagine the receiving computer receives this packet. The first thing it's going to want to do is reconstruct the original IP packet from all these different fragments, so you can imagine it's going to take all the different offsets and figure out what the original packet would look like. Obviously this packet was too big in the first place: imagine that the offset here was really big, something close to the maximum possible offset, and the data was quite a lot, maybe more than you would normally have been allowed via IP. When you try to reconstruct the packet from the fragments, what you're going to get is a much bigger packet than you're allowed, quite a lot bigger, something exceeding 65,536 bytes. Actually, the real maximum, I should be very careful here, is 65,535. So the system is going to be expecting to see something no bigger than 65,535 bytes, and when it tries to reconstruct it, it's going to effectively overflow various internal memory structures; typically your memory buffers are going to get overflowed, and that can just cause the system to crash completely. As you can imagine, that's not a good thing, and it's a very simple attack to carry out, which is what made it very popular: it was quite simple to just send this single malformed packet and cause the system to crash.

Now obviously the fix, as you can imagine, is fairly straightforward. What you would basically do is add an extra error check during your packet reassembly. In particular, you would take a look at the offset itself and the length of the actual data, and you would ensure that the offset plus the length of the data provided in that fragment is less than or equal to 65,535. If it's not, then you know the packet is too big, and if you're checking for this, you won't end up reassembling a packet that is too big for what you're allowed.

I also want to make one last point before I end this video, which is that even though this is called a ping of death, and even though it's about ICMP, really at its core the problem here is not something isolated to ICMP. It was fundamentally taking advantage of a packet reassembly issue. In reality, if packet reassembly was done in a more intelligent way, with extra error checks in place, then you would never have had this attack. It wasn't something specific to ping; it was more of a general packet reassembly issue. Anyway, I hope you found that interesting. This is a historic attack, and nowadays there are so many security technologies that detect it, and operating systems no longer allow it, but I think it helps to understand why security technologies evolved the way they did and why operating systems evolved the way they did. I hope you enjoyed this video and I look forward to making some more. Thanks a lot.
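The reassembly bounds check the video describes, written out as an added example for this page (it is not code from the video or from Sourcefire). It models a fragment with only the fields reassembly needs and assumes the IPv4 header limits: a 16-bit Total Length field (so 65,535 bytes at most) and a 13-bit Fragment Offset field counted in 8-octet units, which is why the largest expressible offset is 8191 units, or 65,528 bytes. The names `frag`, `frag_end`, `frag_fits`, `unchecked_overrun` and `reassemble` are this example's own; the sample fragments are constructed inline.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits taken from the IPv4 header format: a 16-bit Total Length field and
 * a 13-bit Fragment Offset field counted in 8-octet units. */
#define IP_MAX_DATAGRAM   65535u
#define FRAG_UNIT         8u
#define FRAG_OFFSET_MAX   8191u

/* Hypothetical, stripped-down fragment carrying only what reassembly needs. */
struct frag {
    uint16_t offset_units;   /* Fragment Offset field value (8-octet units) */
    uint16_t data_len;       /* payload bytes carried by this fragment */
    const uint8_t *data;     /* payload */
};

/* Byte position just past this fragment's payload in the reassembled
 * datagram.  Computed in 32 bits so an oversize result stays visible
 * instead of silently wrapping in a 16-bit length. */
uint32_t frag_end(const struct frag *f)
{
    return (uint32_t)f->offset_units * FRAG_UNIT + f->data_len;
}

/* The check described in the video: offset plus data length must stay
 * within the 65,535-byte maximum.  Returns 1 if the fragment fits. */
int frag_fits(const struct frag *f)
{
    return f->offset_units <= FRAG_OFFSET_MAX && frag_end(f) <= IP_MAX_DATAGRAM;
}

/* How many bytes an unchecked memcpy of this fragment would write past a
 * 65,535-byte reassembly buffer.  This is the overflow the attack relies
 * on; it is only measured here, never performed. */
uint32_t unchecked_overrun(const struct frag *f)
{
    uint32_t end = frag_end(f);
    return end > IP_MAX_DATAGRAM ? end - IP_MAX_DATAGRAM : 0;
}

/* Reassemble fragments into `out` (IP_MAX_DATAGRAM bytes).  Returns the
 * reassembled data length, or -1 if any fragment fails the bounds check.
 * The check runs before the memcpy, so a hostile fragment never touches
 * memory beyond the buffer. */
long reassemble(const struct frag *frags, size_t n, uint8_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        const struct frag *f = &frags[i];
        if (!frag_fits(f))
            return -1;
        memcpy(out + (size_t)f->offset_units * FRAG_UNIT, f->data, f->data_len);
        if (frag_end(f) > total)
            total = frag_end(f);
    }
    return (long)total;
}

/* Constructed sample data: a 1480-byte fill payload (what fits in a
 * 1500-byte Ethernet frame after a 20-byte IP header) and the buffer. */
static uint8_t fill[1480];
static uint8_t datagram[IP_MAX_DATAGRAM];

int main(void)
{
    memset(fill, 0xAB, sizeof fill);

    /* A legitimate 1500-byte ping split across two fragments. */
    struct frag legit[2] = {
        { 0,   1480, fill },   /* bytes 0..1479 */
        { 185, 20,   fill },   /* 185 * 8 = 1480: bytes 1480..1499 */
    };
    printf("legit reassembled length: %ld\n", reassemble(legit, 2, datagram));

    /* The ping-of-death fragment: maximum offset plus a full payload. */
    struct frag pod = { FRAG_OFFSET_MAX, 1480, fill };
    printf("pod ends at byte %" PRIu32 ", unchecked overrun %" PRIu32
           " bytes, reassemble -> %ld\n",
           frag_end(&pod), unchecked_overrun(&pod),
           reassemble(&pod, 1, datagram));
    return 0;
}
```

Two things worth noting beyond what the video covers. First, the 13-bit offset field is what makes the attack possible at all: 8191 units is 65,528 bytes, so a final fragment carrying more than 7 bytes of data already lands past the 65,535-byte maximum, and a full 1480-byte Ethernet-sized payload overruns the buffer by 1,473 bytes. Second, a real IP stack has to be slightly stricter than the check shown here, because the 16-bit Total Length field counts the IP header as well as the data, so the reassembled data plus the header (20 bytes without options) must fit in 65,535.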
Info
Channel: Sourcefire
Views: 33,432
Rating: 4.8476191 out of 5
Keywords: ddos, denial of service, dos attack, ddos attack, ping of death
Id: Y8k_UGCiA6Y
Length: 8min 36sec (516 seconds)
Published: Tue Apr 02 2013