Ping -l 100000 some.poor.host

Post by gorma.. » Tue, 23 Sep 1997 04:00:00

If ping -l 65510 some.poor.host causes some structures in memory to be
overwritten which may cause the host to crash, why not just send a
ping of 100000 bytes causing an even bigger area in memory to be
overwritten? Why not send a 1MB ping? This is bound to be even
more powerful. Or is the 65510 special for some reason?

Regards,
Rob

Post by James Harv » Tue, 23 Sep 1997 04:00:00

> If ping -l 65510 some.poor.host causes some structures in memory to be
> overwritten which may cause the host to crash, why not just send a
> ping of 100000 bytes causing an even bigger area in memory to be
> overwritten? Why not send a 1MB ping? This is bound to be even
> more powerful. Or is the 65510 special for some reason?

Ping uses ICMP echo requests which must fit in a single IPv4 datagram.
The maximum length of an IPv4 datagram is 2^16-1 (65,535), because the
length field in an IPv4 header is 16 bits.

There are patches out for most operating systems to, ummm, handle these
more robustly.  Some routers may be configured to junk them.  When some
clown started doing this on one of our more important subnets, we just
disabled ICMP echo requests at the router.
--


Post by Greg Crowd » Tue, 23 Sep 1997 04:00:00

: If ping -l 65510 some.poor.host causes some structures in memory to be
: overwritten which may cause the host to crash, why not just send a
: ping of 100000 bytes causing an even bigger area in memory to be
: overwritten? Why not send a 1MB ping? This is bound to be even
: more powerful. Or is the 65510 special for some reason?
:
: Regards,
: Rob

I may be wrong in this, but I do believe it is because 65510
is the largest packet size allowed on most systems.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Greg Crowder                   "It's unlucky to be behind at the end of +
+Tech support:                                                           +
+voice:(707) 547-3400            Shetland ponies." -Lewis Grizzard  +
+                                                                        +
+  Key fingerprint =  50 11 39 96 C8 75 77 94  5E 66 DA 0C 62 A0 68 84   +
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Post by Roger Boo » Wed, 24 Sep 1997 04:00:00


: There are patches out for most operating systems to, ummm, handle these
: more robustly.  Some routers may be configured to junk them.  When some
: clown started doing this on one of our more important subnets, we just
: disabled ICMP echo requests at the router.

We have finally disabled ICMP also.  Someone was pinging one of our Class
C's with an XXX.XXX.XXX.0, which caused everything to answer up.  This
was occurring 10+ times a second with a different originating IP address every
time.

Roger
----------------------------------------------------------------------
The reply-to: address in the headers is a valid address, if you want
to send me e-mail just hit reply and it should work fine.  If your
newsreader is broken and can't deal with that then send your e-mail

----------------------------------------------------------------------

Post by gorma.. » Wed, 24 Sep 1997 04:00:00

>> If ping -l 65510 some.poor.host causes some structures in memory to be
>> overwritten which may cause the host to crash, why not just send a
>> ping of 100000 bytes causing an even bigger area in memory to be
>> overwritten? Why not send a 1MB ping? This is bound to be even
>> more powerful. Or is the 65510 special for some reason?

>Ping uses ICMP echo requests which must fit in a single IPv4 datagram.
>The maximum length of an IPv4 datagram is 2^16-1 (65,535), because the
>length field in an IPv4 header is 16 bits.

Ok, a summary of what I know.

1) The maximum size of the IP datagram is 65535 bytes.

2) A ping -l 65510 causes some unix systems to crash because the 65510
bytes of data AND the IP header exceed 65535 by a few bytes.

What I'm saying is that if the maximum size can be exceeded by a few
bytes and cause an overflow, what's stopping it from being exceeded by
a few thousand bytes?

The ping -l 65510 exploit works because it and the IP header exceed
65535 bytes. This means this maximum size can be exceeded! Yet the
existence of a maximum size is the reason people are saying a ping -l
100000 won't work? I'm confused...

Regards,
Rob

Post by James Harv » Wed, 24 Sep 1997 04:00:00


        [my yammering deleted, snip]
        [snip]

> What I'm saying is that if the maximum size can be exceeded by a few
> bytes and cause an overflow, what's stopping it from being exceeded by
> a few thousand bytes?

        [snip]

See http://www.sophist.demon.co.uk/ping/index.html for a better explanation.
This site claims to be in the process of being moved to a site in the States,
but unfortunately that site is currently unregistered and unreachable from
my site...
--

Post by Roger Boo » Thu, 25 Sep 1997 04:00:00


I believe the reason you use 65510 is because the broken ping runs on
Win95.  There is a size comparison but they made it too large.  So
a 65510 is within the comparison size so it takes it, puts the headers
on it, and watches the remote machine (possibly) explode.  If you enter
10K it tells you your packet size is too large.

Do note this is hearsay.  I haven't actually tried it.

Roger
----------------------------------------------------------------------
The reply-to: address in the headers is a valid address, if you want
to send me e-mail just hit reply and it should work fine.  If your
newsreader is broken and can't deal with that then send your e-mail

----------------------------------------------------------------------

Post by Matthew Wilc » Thu, 25 Sep 1997 04:00:00


: Ok, a summary of what I know.

: 1) The maximum size of the IP datagram is 65535 bytes.

: 2) A ping -l 65510 causes some unix systems to crash because the 65510
: bytes of data AND the IP header exceed 65535 by a few bytes.

: What I'm saying is that if the maximum size can be exceeded by a few
: bytes and cause an overflow, what's stopping it from being exceeded by
: a few thousand bytes?

: The ping -l 65510 exploit works because it and the IP header exceed
: 65535 bytes. This means this maximum size can be exceeded! Yet the
: existence of a maximum size is the reason people are saying a ping -l
: 100000 won't work? I'm confused...

Okay, what happens is that the ICMP packet has a maximum size of 2^16-1.
This is encapsulated in an IP packet, which also has a maximum size of
2^16-1.  However, there's an extra header which takes up more space.  So
if an IP stack believes the lies that are told to it, it will reassemble
the fragmented packet in a way that will overwrite something that it
shouldn't have.

Moral: All data coming over a network is untrustworthy.  Don't believe it.

--
"I was absolutely horrified to see a book entitled 'C++ for dummies'.  What
is the potential market for this book?  What programmer considers themself
to be a dummy?  Who wants to run code written by a dummy?  And perhaps
more importantly, someone who *considers themselves* to be a dummy?"

Post by Scott » Thu, 02 Oct 1997 04:00:00


I believe the point was that the UNIX ping command won't let you specify
anything higher than 65535 bytes. But you can execute a 65510 byte ping
with the standard command.

So if you are root on the machine, you could send an extremely large
packet via a hacked ping, but if you're not root, you can still try a ping
of death that isn't as large.

(I think this has been fixed in certain versions of ping, or I'm wrong
about what you can send.. I just tried it on my RedHat system and it
doesn't like anything bigger than 65468 bytes... Anyway...)

> Ok, a summary of what I know.

> 1) The maximum size of the IP datagram is 65535 bytes.

> 2) A ping -l 65510 causes some unix systems to crash because the 65510
> bytes of data AND the IP header exceed 65535 by a few bytes.

> What I'm saying is that if the maximum size can be exceeded by a few
> bytes and cause an overflow, what's stopping it from being exceeded by
> a few thousand bytes?

> The ping -l 65510 exploit works because it and the IP header exceed
> 65535 bytes. This means this maximum size can be exceeded! Yet the
> existence of a maximum size is the reason people are saying a ping -l
> 100000 won't work? I'm confused...

> Regards,
> Rob

Post by Matt Farm » Fri, 03 Oct 1997 04:00:00


[This followup was posted to comp.security.unix and a copy was sent to
the cited author.]



> (I think this has been fixed in certain versions of ping, or I'm wrong
> about what you can send.. I just tried it on my RedHat system and it
> doesn't like anything bigger than 65468 bytes... Anyway...)

To my knowledge very few "vanilla" pings shipped with Un*x's follow the
IPv4 standard, which means that you cannot send a ping of 65510 bytes; it
gets rejected in preference for a standard ping packet size.

The main reason the "Ping of death" caused problems was that un*x's
didn't check the size of the received Datagram, and copied the payload
into a *PRE-SIZED* buffer, then in line with the ICMP Echo request spec,
this packet is copied WITH IP headers into a new IP frame for
transmission back to the originator; this *REPLY* packet exceeds the
buffer, and in the good ol' unix tradition, you get an overrun, into
kernel space, causing an amazing variety of problems ....

> > Ok, a summary of what I know.

> > 1) The maximum size of the IP datagram is 65535 bytes.

> > 2) A ping -l 65510 causes some unix systems to crash because the 65510
> > bytes of data AND the IP header exceed 65535 by a few bytes.

The IP packet size is 65535, the problem is caused elsewhere in the ping
process...... read below

> > What I'm saying is that if the maximum size can be exceeded by a few
> > bytes and cause an overflow, what's stopping it from being exceeded by
> > a few thousand bytes?

> > The ping -l 65510 exploit works because it and the IP header exceed
> > 65535 bytes. This means this maximum size can be exceeded! Yet the
> > existence of a maximum size is the reason people are saying a ping -l
> > 100000 won't work? I'm confused...

> > Regards,
> > Rob

The ICMP echo request sequence of action on receipt is:

1> Copy entire received IP "ping" packet to Memory, (pre allocated 65535
bytes)
2> Set up a response packet (pre allocated 65535 bytes)
3> Copy entire received "Ping" packet (with IP headers !!) to response
packet payload
4> Memory overrun.....
5> Behave strangely......

This adherence to the Letter of the ping spec has now been fixed by most
flavours of unix, (has wonderful effects on Windoze 3.1 boxes if sent to
broadcast tho..), in fact recent versions of Linux / FreeBSD log these,
with originator addresses !!

Hope this helps explain the above and why a 1Mb ping would simply be
rejected, AND NOT processed.... if you don't believe me try it !!!

Matt
------------------ signature start ------------------

London. UK   | "Do, or do not, there is no try" Yoda
-----------------------------------------------------
The views represented within this message are mine, and
mine alone, they do not represent those of my employer,
or indeed anyone else I know... so there !! :-)
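The receive-side check that the posts above say the affected stacks lacked (verify that a fragment keeps the reassembled datagram within the 16-bit IP length limit before copying it into the pre-sized buffer), modelled in Python as an added example that is not code from any poster in this thread. Constants follow the thread's figures (65535-byte maximum, 20-byte IP header, 8-byte ICMP echo header); the fragment offsets and payload sizes used are constructed inputs.

```python
# Added example, not code from any poster in this thread: the bounds check a
# receiving IP stack needs before copying each fragment into its reassembly
# buffer. Fragment offsets and payload lengths fed to it are constructed.

IPV4_MAX_DATAGRAM = 65535     # 16-bit total length field
IPV4_HEADER_LEN = 20          # minimal header, no options
ICMP_HEADER_LEN = 8           # ICMP echo header
FRAG_OFFSET_MAX = 0x1FFF      # 13-bit fragment offset, in 8-byte units

def ping_datagram_fits(data_len):
    """True if `ping -l data_len` yields a datagram within 65535 bytes."""
    return IPV4_HEADER_LEN + ICMP_HEADER_LEN + data_len <= IPV4_MAX_DATAGRAM

def accept_fragment(offset_units, payload_len):
    """The check the vulnerable stacks skipped: reject before copying."""
    if offset_units > FRAG_OFFSET_MAX:
        return False
    end_of_datagram = IPV4_HEADER_LEN + offset_units * 8 + payload_len
    return end_of_datagram <= IPV4_MAX_DATAGRAM

def reassemble(fragments):
    """Reassemble [(offset_units, payload_bytes, more_fragments), ...];
    every fragment is checked before it is written, so an oversize
    datagram raises ValueError instead of overrunning the buffer."""
    buf = bytearray()
    saw_last = False
    for offset_units, payload, more in fragments:
        if not accept_fragment(offset_units, len(payload)):
            raise ValueError("fragment would exceed the 65535-byte limit")
        if more and len(payload) % 8:
            raise ValueError("non-final fragment must be a multiple of 8 bytes")
        start = offset_units * 8
        end = start + len(payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))   # grow only up to the checked end
        buf[start:end] = payload
        saw_last = saw_last or not more
    if not saw_last:
        raise ValueError("final fragment missing")
    return bytes(buf)

def would_be_rejected(fragments):
    """True if the checked reassembly refuses this fragment set."""
    try:
        reassemble(fragments)
    except ValueError:
        return True
    return False
```

With these numbers `ping -l 65507` is the largest echo request that still fits, and `-l 65510` is over by three bytes, which is the "few bytes" Rob asks about; a last fragment placed near the top of the 13-bit offset range is what pushes a reassembled datagram past the limit, and the check refuses it before any copy happens.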

Post by scsimo » Sat, 04 Oct 1997 04:00:00


>I believe the point was that the UNIX ping command won't let you specify
>anything higher than 65535 bytes. But you can execute a 65510 byte ping
>with the standard command.

>So if you are root on the machine, you could send an extremely large
>packet via a hacked ping, but if you're not root, you can still try a ping
>of death that isn't as large.

>(I think this has been fixed in certain versions of ping, or I'm wrong
>about what you can send.. I just tried it on my RedHat system and it
>doesn't like anything bigger than 65468 bytes... Anyway...)

>> Ok, a summary of what I know.

>> 1) The maximum size of the IP datagram is 65535 bytes.

>> 2) A ping -l 65510 causes some unix systems to crash because the 65510
>> bytes of data AND the IP header exceed 65535 by a few bytes.

>> What I'm saying is that if the maximum size can be exceeded by a few
>> bytes and cause an overflow, what's stopping it from being exceeded by
>> a few thousand bytes?

>> The ping -l 65510 exploit works because it and the IP header exceed
>> 65535 bytes. This means this maximum size can be exceeded! Yet the
>> existence of a maximum size is the reason people are saying a ping -l
>> 100000 won't work? I'm confused...

>> Regards,
>> Rob

On many *nix systems, there are patches available so that if you receive a
packet over 65535 bytes it automatically fragments it so that it can be
read (thus the Ping O' Death is a bit old).

scsimodo


Strange network problems - pings to host are fine, pings from host fail

Sorry for the long post - I've tried to outline the symptoms of my
problem, and what I've tried to fix it.

I'm having some networking problems with a PC running an old version of
Red Hat (kernel 2.2).  The PC came with a machine we have bought
second-hand - as far as I know, everything was working before the
machine was moved to our company.

To keep things simple, we have the Red Hat machine connected to a
Windows XP machine that came with it, with only a simple switch in
between.  Each machine is set up with a fixed IP address on the same
network.

From the XP machine, I can ping the Red Hat machine reliably and
quickly.  From the Red Hat machine, pings to the XP machine /generally/
fail - typically there are about 80%-90% failures.  Those pings that
don't fail are fast (reply time about 1 ms).  On the XP machine, it's
easy to see the packet counters showing packets in and replies out.  On
the Red Hat machine, ifconfig shows similar packet rx and tx counts, and
zero error counts.

arping to the XP machine from the Red Hat machine is reliable and fast.

When we try a browser on the XP machine and address the web server on
the Red Hat host, there is generally a long pause (perhaps minutes),
then suddenly the page appears.

We have tried using another Linux box in place of the original XP
machine, with the same results from the Red Hat system.

We have tried replacing the cables and switch, with no effect - given
that arpings are working perfectly it's hard to see how it could be a
hardware problem.

I'm not very familiar with Red Hat or a 2.2 kernel (my experience is
mostly with Debian and related distros, and with 2.4 and 2.6 kernels).
But "ipchains -L" shows no firewalling (everything accepted), "ifconfig"
and "route -n" have the expected setup, and I could not stop anything
unexpected with "sysctrl".

One of my colleagues will try a different network card this evening.

Any ideas or tips would be much appreciated.  We've tried pretty much
every sensible idea we can think of, so I'm ready to listen to any crazy
or unlikely tricks.

mvh.,

David
