What is a Ping of Death Attack?
A Ping of Death (PoD) attack is a type of denial-of-service attack that exploits a vulnerability in how systems handle oversized ICMP (Internet Control Message Protocol) packets. The attack involves sending a ping packet that, when reassembled, exceeds the maximum allowable IP packet size of 65,535 bytes. When the target system attempts to reassemble this oversized packet, it can cause a buffer overflow, leading to system crashes, freezes, or reboots.
The Ping of Death was one of the earliest and most well-known network attacks, first gaining widespread attention in the late 1990s. At that time, many operating systems including Windows, Linux, and macOS did not properly validate the size of incoming ICMP packets during reassembly, making them vulnerable to this straightforward but devastating attack.
How the Ping of Death Works
Under normal circumstances, a ping packet (ICMP Echo Request) is 64 bytes in size, well within the maximum IP packet size of 65,535 bytes. The Ping of Death attack crafts a packet that exceeds this maximum. Since IP packets are fragmented for transmission and reassembled at the destination, the attacker sends a series of fragments that are individually valid but combine to form an oversized packet.
When the target system receives all fragments and attempts to reassemble them into a complete packet, the resulting data exceeds the allocated buffer size. This buffer overflow can corrupt adjacent memory, crash the networking stack, or cause the entire operating system to become unresponsive. The simplicity of the attack made it particularly dangerous, as it required minimal technical skill and only a single crafted packet to bring down a vulnerable system.
Historical Impact and Modern Relevance
During the late 1990s, the Ping of Death caused significant disruption across the internet. Major operating system vendors quickly released patches to validate packet sizes during reassembly, and by the early 2000s, most modern systems were immune to the original attack. The vulnerability became a landmark example of why input validation is critical in protocol implementations.
However, variations of the Ping of Death have resurfaced over the years. In 2013, a variant affected certain versions of Microsoft Windows (CVE-2013-3183), and in 2020, the "Ping of Death v2" (CVE-2020-16898) exploited a flaw in how Windows handled ICMPv6 Router Advertisement packets. These recurring vulnerabilities demonstrate that the fundamental concept behind the Ping of Death remains relevant even in modern systems.
Preventing Ping of Death Attacks
Modern operating systems include built-in protections against oversized ICMP packets, validating fragment sizes during reassembly and discarding packets that exceed the maximum IP packet size. Keeping systems fully patched is the most important defence against Ping of Death variants, as new vulnerabilities in packet handling are discovered periodically.
Firewalls can be configured to inspect and filter fragmented ICMP packets, blocking those with suspicious size characteristics. Rate-limiting ICMP traffic and dropping malformed packets at the network perimeter provides an additional layer of protection. For critical infrastructure, deploying intrusion detection systems that alert on oversized or anomalous ICMP traffic helps identify and respond to potential Ping of Death attempts before they reach vulnerable systems.
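As an added illustration (not code from this page or from any vendor's stack), the following Python models the fragment-size validation a patched IP stack performs during reassembly, the mechanism described above and the defence in one place. The header builder is a constructed test fixture that only produces 20-byte IPv4 headers in memory; nothing is sent.

```python
import struct

MAX_IP_DATAGRAM = 65535   # largest value the 16-bit IPv4 total-length field can express (RFC 791)
IPV4_HEADER_LEN = 20      # no options in the constructed samples
PROTO_ICMP = 1

def build_ipv4_header(ident, offset_units, more_fragments, payload_len):
    """Constructed test fixture only: a 20-byte IPv4 header carrying the given fragment fields."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len, ident,
                       flags_frag, 64, PROTO_ICMP, 0, bytes(4), bytes(4))

def parse_fragment(pkt):
    """Pull out the fields a reassembler needs. The offset is carried in 8-byte units on the wire."""
    if len(pkt) < IPV4_HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload_len": total_len - ihl}

def check_fragment(frag):
    """The bounds check a patched stack does before placing a fragment in the reassembly buffer."""
    end = frag["offset"] + frag["payload_len"]
    if frag["payload_len"] < 0:
        return False, "total length smaller than header length"
    if end > MAX_IP_DATAGRAM:   # the Ping-of-Death condition: offset + length overruns any legal buffer
        return False, f"fragment ends at byte {end}, past the {MAX_IP_DATAGRAM}-byte IP maximum"
    if frag["mf"] and frag["payload_len"] % 8:
        return False, "non-final fragment payload is not a multiple of 8 bytes"
    return True, "ok"

def reassemble(fragments):
    """Validate each fragment of one datagram; drop the whole datagram on the first bad one.
    Returns (accepted, alerts, bytes_covered) so an IDS rule can log the rejection."""
    alerts, covered = [], 0
    for pkt in fragments:
        frag = parse_fragment(pkt)
        ok, reason = check_fragment(frag)
        if not ok:
            alerts.append(f"ALERT drop id={frag['id']} proto={frag['proto']} "
                          f"offset={frag['offset']} len={frag['payload_len']}: {reason}")
            return False, alerts, covered
        covered = max(covered, frag["offset"] + frag["payload_len"])
    return True, alerts, covered
```

A legitimately fragmented echo request passes every check, while a final fragment whose offset plus length lands past 65,535 is rejected before any copy happens, which is exactly the validation the original vulnerable stacks lacked.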
Frequently Asked Questions
Most modern systems are patched against the original Ping of Death, but variants continue to appear. CVE-2020-16898 affected Windows 10 through a flaw in ICMPv6 handling, showing the concept remains relevant.
It sends ICMP fragments that reassemble into a packet exceeding the 65,535-byte IP limit, causing a buffer overflow that can corrupt memory, crash the networking stack, or freeze the entire system.
Keep systems patched, configure firewalls to filter fragmented ICMP packets, rate-limit ICMP traffic, and deploy intrusion detection systems to alert on oversized or anomalous ICMP packets.