TERENA Networking Conference, May 22-25, 2000 6
ping will not allow an invalid datagram like this to be
sent. Among the exceptions are Windows ’95 and Win-
dows NT, although they are certainly not the only ones.
An echo message is sent inside the IP packet [2], consist-
ing of eight octets of ICMP header information followed
by the number of data octets in the ping request. Hence,
the maximum allowable size of the data area is 65535 - 20
- 8 = 65507 octets.
It is possible to send an “illegal” echo with more than
65507 octets of data, due to the way the fragmentation is
done. The fragmentation relies on an offset value in each
fragment to determine where the individual fragment goes
upon reassembly. Thus, on the last fragment it is possi-
ble to combine a valid offset with a suitable fragment size
such that (offset + size) > 65535. Since typical machines
do not process the packet until they have all fragments and
have tried to reassemble it, there is the possibility for over-
flow of 16 bit internal variables, which can lead to system
crashes, reboots, or kernel dumps.
If no OS patch is available, and the main concern is
ping from outside the network, the best quick-fix solu-
tion is to block ping at the firewall. A better solution
than blocking all ICMP echoes is to block only frag-
mented ones. This will allow the common 64 byte pings
through on almost all systems, while blocking any bigger
than the MTU size of a link.
“Smurf” attacks
The “smurf” attack (documented in [7]) is the most recent
in the category of network-level attacks against Internet
hosts. An aggressor sends a large amount of ICMP echo
traffic at broadcast addresses, all of it having a spoofed
source address of the victim. The situation is illustrated in
Figure 4. If the routing device delivering traffic to those
broadcast addresses performs the “IP broadcast to layer 2
broadcast” function, most hosts on that IP network will
take the ICMP echo and reply to it with an echo reply each,
multiplying the traffic by the number of responding hosts.
On a multi-access broadcast network, there could poten-
tially be hundreds of machines to reply to each packet.
There are two parties which are hurt by this attack: the
intermediary (broadcast) devices and the spoofed address
target, the victim machine. The victim is the target of
a large amount of traffic the broadcast devices generate.
The initiators of these attacks rely on the ability to “source
spoof” traffic to the intermediary broadcast networks in or-
der to generate the traffic which causes denial of service.
To stop this, all networks should perform source address
checks either at the edge of the network where users con-
nect or at the edge of the network with connections to the
Internet. These checks will defeat the possibility of source
spoofed packets from entering from leaf networks, or leav-
ing for Internet (see Figure 4). To stop being an intermedi-
ary we have to take into account the fact that this attack re-
lies on the ability of the router serving a large multi-access
broadcast network to frame an IP broadcast address into a
layer two broadcast address. The router may have an op-
tion to disable receiving traffic directed to network-prefix
addresses and must have an option to disable forwarding
broadcasts directed to network-prefix addresses.
Hosts can be patched to refuse to respond to broadcast
ICMP echoes. [3] specifies that ICMP echoes for an IP
broadcast or an IP multicast address may be silently dis-
carded. This neutral stipulation results from a passionate
debate between those who feel that echoes to a broadcast
address provides a valuable diagnostic capability and those
who feel that misuse of this feature can too easily create
packet storms.
E. Security Failure Messages
These messages indicate failures when using IP Secu-
rity Protocols (AH and ESP). As [8] states, for a statically
configured Security Association (SA), these messages in-
dicate that the related SA has to be manually reconfigured,
or that an unauthorized operation is attempted. Security
failure messages may also be used to trigger automated
negotiation of session-keys.
The DoS attacks performed using ICMP messages usu-
ally succeed because the receiver of such messages does
not maintain enough information on the communication
the messages should be related to. Therefore, security fail-
ure messages have to be carefully verified to ascertain that
they include information that matches a previously sent
datagram. Besides, [8] advises that, when a prior SA be-
tween the parties has not expired, these messages should
be sent with authentication. A dynamic SA must not be
established, though for the only purpose to authenticate
security failures, since this could be used for a very seri-
ous DoS attack. A target host may be flooded with forged
IPsec packets from random IP Sources and have it start
up numerous useless key management session to authenti-
cally inform the presumed senders of the error.
Security failures provide sufficient data to determine
that they are in response to previously sent messages.
Therefore, a recipient can accept all authenticated and
unauthenticated security failure messages, since accurate
check of the message content gives enough information to
validate the message. This is due to the fact that secu-
rity failures are slightly different from other ICMP mes-
sages: besides the IP header of the original packet, they
also contain all IPsec headers that were present in the orig-
inal packet. These headers would give enough information