Great Circle Associates Firewalls
(November 1996)
 


Subject: Re: Ping of Death
From: Jesse Whyte <jesse @ psa . pencom . com>
Date: Thu, 14 Nov 1996 17:16:21 -0600 (CST)
To: Irwin Lazar <lazar @ netevolve . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <3 . 0b28 . 32 . 19961114145601 . 006a8718 @ netevolve . com>

Unfortunately, the problem wasn't just with the Microsoft implementations 
of ping.  Certain Linux implementations would preload packets to "flood" 
the intended recipient with pings, and in some cases, it appears that the 
flood not only crashed OS's, but crashed firewalls that were supposedly 
fail safe.  Particularly, Firewall-1 demonstrated problems under the load 
and apparently the rule base was not consulted when a telnet was 
attempted during the ping storm.  The moral of the story is clear, don't 
allow ICMP to your firewall...

Jesse

****************************************************************
Jesse Whyte
Computer/Network Security Consultant
Pencom Systems Administrator
H: (301) 220-1744 
W: (703) 450-3427 

On Thu, 14 Nov 1996, Irwin Lazar wrote:

> Apologies if I missed a discussion on the Ping of Death.
> I just got word of this from a co-worker but I haven't seen it discussed in
> this forum yet.
> 
> Apparently sending pings of over 64k to certain OS's causes them to crash.
> We were able to crash an HP-UX machine running 9.0 here.
> 
> Here is the scoop from PC Week dated 11/12/96.
> 
> 'Ping of Death' security flaw discovered.  By Norvin Leach
> 
> A large number of operating systems and network firmware may be
> vulnerable to a newly discovered TCP/IP flaw called the "Ping of
> Death," which overloads and crashes a system by sending excessively
> large packets.
> 
> Information on the flaw can be found at
> http://www.sophist.demon.co.uk/ping/.
> 
> According to the posting, most of the affected systems are Unix-based,
> although Windows NT 3.51 users have reported problems, as have users
> of NetWare 3.x.
> 
> Hewlett-Packard Co. has posted a patch for certain versions of HP-UX.
> Other companies, including SunSoft Inc., are working on patches for
> affected versions of their operating systems.
> 
> Patches are also available for AIX, Linux, Digital Unix and OpenVMS.
> 
> (Note that some firewall vendors can block extra large pings, Firewall-1
> for one.  Check the above Web site for a lot more details).
> 
> 
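
Added example (not part of the original posts or of any vendor's code): a filter-side check of the kind the thread alludes to when it says some firewalls can block extra large pings. It assumes the oversize ping arrives as IPv4 fragments and flags any fragment whose offset plus length would reassemble past the 65,535-byte IPv4 maximum; the function names and the sample headers are constructed for illustration.

```python
import struct

MAX_IP_DATAGRAM = 65535   # largest datagram the 16-bit IPv4 total-length field allows
PROTO_ICMP = 1

def make_header(proto, frag_offset_units, payload_len, more_fragments=False):
    """Build a constructed 20-byte IPv4 header (sample input; checksum left at 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | frag_offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def reassembled_end(header):
    """Return (protocol, size the datagram would reach once this fragment is placed)."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _ = struct.unpack(
        "!BBHHHBBH", header[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    offset_bytes = (flags_frag & 0x1FFF) * 8   # fragment offset is in 8-byte units
    # total_len already includes this fragment's header, so offset + total_len
    # is the full size of the datagram after reassembly up to this fragment.
    return proto, offset_bytes + total_len

def is_oversize_ping(header):
    """True when an ICMP fragment would push the reassembled datagram past 65535."""
    proto, end = reassembled_end(header)
    return proto == PROTO_ICMP and end > MAX_IP_DATAGRAM

# Constructed samples: an ordinary ping, a legal last fragment of a large
# datagram, and a last fragment whose end lies beyond the IPv4 maximum.
SAMPLES = {
    "normal ping":        make_header(PROTO_ICMP, 0, 64),
    "large but legal":    make_header(PROTO_ICMP, 8000, 1000),
    "oversize fragment":  make_header(PROTO_ICMP, 8189, 1000),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        proto, end = reassembled_end(hdr)
        verdict = "DROP" if is_oversize_ping(hdr) else "pass"
        print(f"{name:18s} proto={proto} reassembled_size={end:5d} -> {verdict}")
```

The check works on each fragment in isolation, so a filter can reject the offending fragment without reassembling anything itself.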

