Wednesday, August 14, 2013

Security: what's old is new again

A great introduction to security bugs is the old, old (1990s) "ping of death".  It shows the disconnect between how software developers think and how security researchers probe and test the limits.

Quick background: ping is an old, old network test tool from the 1980s.  It sends a network packet to a destination you specify, and the destination replies.  Basically it's a "can you hear me now?"/"Sure can" test.  The name refers to sonar, and the film Hunt For Red October shows the use of that in a decidedly non-network context. You can run this yourself, if you get a DOS shell (Command prompt).  Type "ping a.b.c.d" (where the IP address goes in place of the a.b.c.d).

The problem discovered in the 1990s was that if you sent 64,536 bytes of ping data instead of 56 bytes, some systems would crash.  The responding system was supposed to return all received ping data, and this much data caused the packet to get fragmented, which some computer operating systems simply couldn't deal with.  The system would go down when it received one of those "ping of death" packets.
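The check a receiving stack needs before it copies a fragment into a reassembly buffer, as an added example that is not from the original post. It goes a little beyond the text by using the general rule: an IPv4 datagram may not exceed 65,535 bytes, so a fragment whose offset plus payload ends past that limit must be dropped. The function, enum and helper names are this example's own, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MAX_DATAGRAM 65535u  /* Total Length is a 16-bit field */

/* Verdict codes (names chosen for this example). */
enum frag_verdict { FRAG_OK = 0, FRAG_MALFORMED = -1, FRAG_OVERSIZE = -2 };

/* Inspect one IPv4 packet (starting at the IP header) and decide whether
 * reassembling it could yield a datagram above the protocol maximum. */
enum frag_verdict check_ipv4_fragment(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;

    size_t ihl   = (size_t)(pkt[0] & 0x0F) * 4;        /* header bytes */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];     /* header + payload */
    if (ihl < 20 || total < ihl || total > len)
        return FRAG_MALFORMED;

    /* Fragment offset: low 13 bits of bytes 6-7, counted in 8-byte units. */
    size_t offset  = ((((size_t)pkt[6] & 0x1F) << 8) | pkt[7]) * 8;
    size_t payload = total - ihl;

    /* End position of this fragment's data in the reassembled datagram. */
    if (ihl + offset + payload > IPV4_MAX_DATAGRAM)
        return FRAG_OVERSIZE;
    return FRAG_OK;
}

/* Constructed sample input: a minimal 20-byte IPv4 header. */
static void make_hdr(uint8_t *p, uint16_t total, uint16_t off_units)
{
    memset(p, 0, 20);
    p[0] = 0x45;                                   /* version 4, IHL 5 */
    p[2] = (uint8_t)(total >> 8);
    p[3] = (uint8_t)(total & 0xFF);
    p[6] = (uint8_t)((off_units >> 8) & 0x1F);
    p[7] = (uint8_t)(off_units & 0xFF);
}

int main(void)
{
    uint8_t buf[1500];
    make_hdr(buf, 1500, 185);    /* ordinary middle fragment */
    printf("normal fragment: %d\n", check_ipv4_fragment(buf, sizeof buf));
    make_hdr(buf, 1020, 8189);   /* tail fragment ending past 65,535 */
    printf("oversize tail:   %d\n", check_ipv4_fragment(buf, sizeof buf));
    return 0;
}
```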

Nothing has been vulnerable to ping of death for years and years.  Until now.  Microsoft's Patch Tuesday has an update for the next generation IP (IPv6) that fixes the new, old ping of death:
MS13-065 is another interesting item in this month’s lineup. It addresses a vulnerability in the Windows TCP/IP stack for IPv6. A few ICMPv6 packets with Router Advertisements requests can cause a Denial of Service vulnerability reminiscent of the famous “Ping-of-Death.” It’s a good illustration of how much we still do not know about the stability of IPv6. We continue to recommend turning off IPv6 on workstations if your network is not engineered for its use. Take into account that a number of home networks already have IPv6 and that your corporate machines might be exposed to this attack vector already.
Retro exploits FTW!


Stephanie Belser said...

Sorry, I lost track of where I posted the original comment.

I still get a Kaspersky flag on your blog. It seems to be a photo from, the file name is 8u0PzE8.jpg.

Josh Kruschke said...

Ping is also what Gamers do to find out the latency between their computer and the hosting server.