What is the purpose of using a large ping packet?

38

4

While analyzing some traffic logs, I noticed a node pinging its gateway with a large ping packet size, ranging from 700 bytes to 1 MB. It's a constant ping from node to gateway and the size per ping is rather high. Does anyone know why this might be happening or if there is a benefit (possibly for testing purposes) to manipulating the PING size?

injector

Posted 2014-07-02T14:46:56.633

Reputation: 888

Answers

48

It's to ensure that the path taken can handle the large packet, not all routes have the same MTU throughout. Having a good MTU will also prevent IP fragmentation.

ratchet freak

Posted 2014-07-02T14:46:56.633

Reputation: 2 764

Using a jumbo frame doesn't adequately validate that a jumbo frame will work. Most routers will simply fragment a larger frame if its MTU is lower (though some routers have options to discard in this instance). A ping using the don't fragment flag is more appropriate as it covers ALL instances where there is an interface with a smaller MTU than the packet sent. – MaQleod – 2014-07-02T18:41:56.173

@MaQleod or it checks the fragmentation needed flag in the reply. – ratchet freak – 2014-07-02T20:05:39.573

Some 10 years ago, I had to debug the default MTU of Windows, because the connection never worked to specific places. This was detectable by changing the ping packet size from the default value to bigger ones. Afaik 1500 was too much, and 1400 allowed normal operation (ADSL in Finland). – Juha Untinen – 2014-07-03T12:34:13.553

PPPoE (used often with DSL) adds an 8 byte header, so the MTU for PPPoE connections is typically 1492. – LawrenceC – 2014-07-04T00:01:33.627

@MaQleod It is quite clearly stated in the standards, that the decision about whether to fragment packets that were too large, is not to be made by routers. In IPv4 the sender decides if the packet is to be fragmented or if an error is to be returned to the sender. In IPv6 a router never fragments a packet, an error is always sent to the sender if a packet is too large. – kasperd – 2014-07-04T00:12:22.707
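The answer and the comments above describe the path-MTU use of a large ping: send with the don't-fragment bit set and either read the "Frag needed" reply or narrow in on the largest size that gets through. The following script is an added example (not code from the original answers) that does that search by binary search, probing with the Linux iputils `ping -M do` flags; the `Frag needed and DF set (mtu = N)` reply format it parses is assumed from iputils output, and the default target 192.0.2.1 is a documentation-range placeholder.

```python
import re
import subprocess
from typing import Callable, Optional

IPV4_HEADER = 20   # bytes, IPv4 header without options
ICMP_HEADER = 8    # bytes, ICMP echo request/reply header

# Reply printed by iputils ping when a router rejects a DF packet.
# The exact wording is an assumption about iputils output.
FRAG_NEEDED_RE = re.compile(r"Frag needed and DF set \(mtu = (\d+)\)")


def icmp_payload_for_mtu(mtu: int) -> int:
    """Largest 'ping -s' payload that fits in a single packet of 'mtu' bytes.
    For the PPPoE case in the comments, 1492 - 20 - 8 = 1464."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def parse_frag_needed(ping_output: str) -> Optional[int]:
    """Return the MTU advertised in a 'Frag needed' reply, or None if absent."""
    m = FRAG_NEEDED_RE.search(ping_output)
    return int(m.group(1)) if m else None


def df_ping(host: str, payload: int, timeout_s: int = 1) -> bool:
    """Send one echo request with the DF bit set (Linux iputils: -M do).
    True means a reply arrived, i.e. the path carried the packet unfragmented."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.returncode == 0


def find_path_mtu(host: str, floor: int = 576, link_mtu: int = 1500,
                  probe: Callable[[str, int], bool] = df_ping) -> int:
    """Binary search for the largest packet that crosses the path without
    fragmentation. 'floor' is assumed to pass (576 is the IPv4 minimum every
    host must accept); 'link_mtu' is the local interface MTU. Returns the
    path MTU in bytes."""
    if probe(host, icmp_payload_for_mtu(link_mtu)):
        return link_mtu
    lo, hi = floor, link_mtu          # invariant: lo passes, hi fails
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, icmp_payload_for_mtu(mid)):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder
    mtu = find_path_mtu(target)
    print(f"path MTU to {target}: {mtu} bytes "
          f"(largest clean payload: ping -s {icmp_payload_for_mtu(mtu)})")
```

The `probe` parameter exists so the search can be exercised against a fake path (as in the test) or swapped for a platform-specific ping; on a 1492-byte PPPoE path the search lands on 1492, which matches the "1500 failed, 1400 worked" symptom from the comments.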

46

The only benefit of using a big load on a ping is to test the stability of the line. If a line fluctuates or goes offline with a high load, but not with a small load, a standard ping with just 32 bytes won't detect the problem.

LPChip

Posted 2014-07-02T14:46:56.633

Reputation: 42 190

I wish I could accept both answers, as one supplements the other. Thank you. – injector – 2014-07-02T15:40:33.210

It's okay. This comment is enough of a reward for me. :) – LPChip – 2014-07-02T15:42:13.487

To add-on to this, when I previously worked for an ISP we would occasionally use larger packet sizes to help troubleshoot packet loss issues where our QoS system was inadvertently dropping the largest packets when the line was saturated. – Thebluefish – 2014-07-02T22:00:09.107

17

No one mentioned the PING OF DEATH??

A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol [IP] header is considered. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size. Larger packets could crash the target computer.

Generally, sending a 65,536-byte ping packet violates the Internet Protocol as documented in RFC 791, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

I don't think it's as widespread as it used to be, but if you want a purpose of a large ping packet, well, DDoS is one.

MDMoore313

Posted 2014-07-02T14:46:56.633

Reputation: 4 874

Ah, the ol' Ping of Death (PoD) attack. Most modern OS's are no longer vulnerable to this type of attack. Also, most modern networking devices are no longer vulnerable to this type of attack.

Of note, the original scenario which I based my question around, was that a single internal node was pinging its gateway. – injector – 2014-07-03T14:07:04.610

True, and I mentioned it's not as widespread as it used to be, however if you think every single piece of networking equipment is impervious to it, or that it isn't still used maliciously, you're sadly mistaken. – MDMoore313 – 2014-07-03T14:11:00.657

You're referencing one Yahoo Answers post- therefore it must be true? We can agree to disagree. My comment still stands. Cheers and be well. – injector – 2014-07-03T14:18:09.943

Current systems are still vulnerable to this general type of attack: ICMP ECHO REQUEST can cause a denial of service condition on the Juniper SSG20, Vulnerability in ICMPv6 could allow Denial of Service (Windows Vista-8, Server 2008 and 2012). – Daniel Beck – 2014-07-03T22:12:25.617

The name Ping of Death is misleading, because the vulnerability is in how the last fragment is handled, and that doesn't even tell you what type of packet it is, since that is in the first fragment. If a host is vulnerable, you can attack it with any type of packet, as long as you send a corrupted last fragment. Also, this doesn't have anything to do with a DDoS attack. You don't need a distributed attack, when all you want to do is send one single corrupted packet. Finally, you can't reach 1MB with fragmented packets. The limit is 128KB in theory or 65.5KB in practice. – kasperd – 2014-07-04T00:06:57.783

@DanielBeck You're referencing ICMPv6, which relates to IPv6. Not IPv4, which is what the OP was referencing, but thanks for the references. More information is always appreciated. It's good to know that vulnerability has also been mitigated for most modern OS's. – injector – 2014-07-04T17:01:23.697

@Dark_Cyber Right, that's why I wrote general type of attack. I hope nobody chokes on the original anymore… – Daniel Beck – 2014-07-04T17:04:02.830

@DanielBeck with all these Arduinos and clones connecting to the net now, I'm sure more nodes are vulnerable than we'd like to think. – MDMoore313 – 2014-07-07T12:28:46.863
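The Ping of Death answer and kasperd's comment agree on where the defect actually lived: the receiver wrote the last fragment into a fixed reassembly buffer without checking that offset plus length stayed inside the 65,535-byte IPv4 limit. The following is an added example (not code from the original answer or from any real IP stack) of the check a reassembler needs; the `Fragment` class and the tiny in-memory reassembler are constructed for illustration, and the offsets are given in the 8-byte units the IPv4 header uses.

```python
from dataclasses import dataclass
from typing import List

MAX_IPV4_DATAGRAM = 65535
IPV4_HEADER = 20
MAX_PAYLOAD = MAX_IPV4_DATAGRAM - IPV4_HEADER   # 65515 bytes of reassembled data


@dataclass
class Fragment:
    offset_units: int      # 13-bit fragment offset field, in 8-byte units
    more_fragments: bool   # MF flag; False marks the final fragment
    data: bytes            # bytes following the IP header


def check_fragment(frag: Fragment) -> str:
    """Validate one fragment against the datagram size limit before it is
    allowed anywhere near the reassembly buffer."""
    start = frag.offset_units * 8
    end = start + len(frag.data)
    if not 0 <= frag.offset_units < 2 ** 13:
        return "reject: offset field out of range"
    if frag.more_fragments and len(frag.data) % 8 != 0:
        return "reject: non-final fragment length is not a multiple of 8"
    if end > MAX_PAYLOAD:
        # This is the Ping of Death case: a final fragment whose offset+length
        # runs past the buffer. Reject it instead of writing it.
        return f"reject: fragment ends at byte {end}, beyond the {MAX_PAYLOAD}-byte limit"
    return "accept"


def reassemble(fragments: List[Fragment]) -> bytes:
    """Reassemble into a fixed-size buffer. Every fragment is bounds-checked
    first; the result must be gap-free and end with exactly one final fragment."""
    for f in fragments:
        verdict = check_fragment(f)
        if verdict != "accept":
            raise ValueError(verdict)
    buf = bytearray(MAX_PAYLOAD)
    total = None
    pos = 0
    for f in sorted(fragments, key=lambda f: f.offset_units):
        start = f.offset_units * 8
        end = start + len(f.data)
        if start > pos:
            raise ValueError(f"hole at byte {pos}")
        buf[start:end] = f.data            # safe: end <= MAX_PAYLOAD was checked
        pos = max(pos, end)
        if not f.more_fragments:
            if total is not None:
                raise ValueError("more than one final fragment")
            total = end
    if total is None:
        raise ValueError("no final fragment")
    if total != pos:
        raise ValueError("data past the final fragment")
    return bytes(buf[:total])
```

The validation runs on every fragment, not only the first, which is the point of kasperd's remark that the packet type in the first fragment is irrelevant to the bug; a 1500-byte echo split at offset 0 and 185 passes, while any final fragment whose end exceeds 65,515 is refused before a single byte is copied.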

5

Just to offer another (unlikely) possibility - I don't have any context as to who is generating the log, and I don't know how often you are seeing these pings, but because you can put whatever you want into the ICMP/ping packets, they are occasionally used as a covert communication channel, i.e. an ICMP/ping tunnel. Presumably you'd see frequent large-sized pings going out from (and possibly returning to) a given node, if someone is using a ping tunnel for some reason.

Paul

Posted 2014-07-02T14:46:56.633

Reputation: 477

Constant PING from node to GW, on a 4-6 second interval. – injector – 2014-07-04T17:25:13.810

I imagine that this particular case isn't a ping tunnel (4-6 seconds would be pretty long latency, and they apparently aren't receiving any pings), I think the other answers are better, but I figured I'd leave this suggestion here for posterity, in case someone in the future is puzzled by some bizarre pinging behavior and doesn't know about ping tunnels. – Paul – 2014-07-04T17:28:24.090

@Paul one-way communication can be handy for spyware (for example key loggers sending the logged data) – ratchet freak – 2014-07-06T11:24:29.313

@ratchetfreak Good point. Probably spyware or other malware also wouldn't mind a 5 second sending interval, too. I suppose the question is whether the pings are aimed at the gateway or just ending up there. – Paul – 2014-07-06T12:15:35.650

@Paul it was a constant PING to the GW specifically. – injector – 2014-07-09T14:02:50.890
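The exchange above gives a defender the observable signature of a ping tunnel or one-way ICMP beacon: echo requests from one node that are sustained, much larger than a default ping and sent on a regular interval. The following is an added example (not from the original answer) of triage logic over a constructed flow log; the log format `epoch src dst icmp_type payload_bytes`, the hosts 10.0.0.x and the thresholds are all assumptions chosen for the illustration.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records, not real traffic. 10.0.0.5 sends large echo
# requests to its gateway every 5 s; 10.0.0.9 sends one ordinary 56-byte ping
# and gets a reply (type 0).
SAMPLE_LOG = """\
1404309600 10.0.0.5 10.0.0.1 8 1200
1404309605 10.0.0.5 10.0.0.1 8 1180
1404309610 10.0.0.5 10.0.0.1 8 1210
1404309615 10.0.0.5 10.0.0.1 8 1195
1404309620 10.0.0.5 10.0.0.1 8 1205
1404309625 10.0.0.5 10.0.0.1 8 1190
1404309603 10.0.0.9 10.0.0.1 8 56
1404309603 10.0.0.1 10.0.0.9 0 56
"""

ICMP_ECHO_REQUEST = 8
DEFAULT_PAYLOAD = 64   # bytes; stock pings carry 32 (Windows) or 56 (Linux)

Record = Tuple[int, str, str, int, int]


def parse_log(text: str) -> List[Record]:
    """Parse 'epoch src dst icmp_type payload_bytes' lines (assumed format)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, typ, size = line.split()
        records.append((int(ts), src, dst, int(typ), int(size)))
    return records


def summarize(records: List[Record], min_count: int = 5,
              size_threshold: int = DEFAULT_PAYLOAD,
              max_jitter_s: float = 1.0) -> Dict[Tuple[str, str], dict]:
    """Per (src, dst) pair of echo requests: count, mean payload, median
    interval and interval jitter. A pair is flagged when it is sustained,
    oversized and metronomic at the same time."""
    by_pair = defaultdict(list)
    for ts, src, dst, typ, size in records:
        if typ == ICMP_ECHO_REQUEST:
            by_pair[(src, dst)].append((ts, size))
    findings = {}
    for pair, items in by_pair.items():
        items.sort()
        sizes = [s for _, s in items]
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        jitter = statistics.pstdev(gaps) if len(gaps) > 1 else None
        suspicious = (len(items) >= min_count
                      and statistics.mean(sizes) > size_threshold
                      and jitter is not None and jitter <= max_jitter_s)
        findings[pair] = {
            "count": len(items),
            "mean_payload": statistics.mean(sizes),
            "median_interval_s": median_gap,
            "jitter_s": jitter,
            "suspicious": suspicious,
        }
    return findings


if __name__ == "__main__":
    for pair, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
```

A flag here is a reason to look at the payload bytes and at the node, not proof of a tunnel: the asker's scenario (constant large pings to the gateway every 4 to 6 seconds) would trip it, and so would a harmless line monitor doing exactly what the other answers describe.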

0

A bad router, even wired, can fail on large pings and succeed on small ones, until restarted, so it can be used for debugging issues like this one.

Packet loss may be a result of a bad connection, and can't always be detected with a normal ping.

ping 208.67.222.222 -l 40096 -n 20 or on linux it's -s 40096

This pings a special server that allows large ping traffic, and looks for packet loss on the line. I had had packet loss on a wired line that prevented some traffic from going round trip.

Jonathan

Posted 2014-07-02T14:46:56.633

Reputation: 1 287

Why the downvote? – Jonathan – 2019-06-05T22:23:44.127
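Both LPChip's answer (a 32-byte ping won't show a line that only fails under load) and Jonathan's answer (`-l` on Windows, `-s` on Linux, then look for loss) come down to comparing loss between a small and a large run. The following is an added example (not code from either answer) that parses Linux-style ping output and reports loss and missing sequence numbers per payload size; the two transcripts are constructed, the target 192.0.2.10 is a documentation-range placeholder, and the regexes assume iputils output (Windows `ping` prints a different format that this parser does not handle).

```python
import re
from typing import Dict

REPLY_RE = re.compile(r"^(\d+) bytes from \S+: icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
SUMMARY_RE = re.compile(r"^(\d+) packets transmitted, (\d+) received")
HEADER_RE = re.compile(r"^PING \S+ \(\S+\) (\d+)\((\d+)\) bytes of data")

# Constructed transcripts (not captured output): the default-size run is clean,
# the 40096-byte run loses every other packet.
SMALL_RUN = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=11.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=57 time=11.0 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=57 time=11.4 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=57 time=11.1 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=57 time=11.3 ms

--- 192.0.2.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
"""

LARGE_RUN = """\
PING 192.0.2.10 (192.0.2.10) 40096(40124) bytes of data.
40104 bytes from 192.0.2.10: icmp_seq=1 ttl=57 time=23.9 ms
40104 bytes from 192.0.2.10: icmp_seq=3 ttl=57 time=25.1 ms
40104 bytes from 192.0.2.10: icmp_seq=5 ttl=57 time=24.4 ms

--- 192.0.2.10 ping statistics ---
5 packets transmitted, 3 received, 40% packet loss, time 4012ms
"""


def parse_ping(output: str) -> dict:
    """Extract payload size, counts, missing sequence numbers and loss from
    one ping transcript. Loss is recomputed from the reply lines rather than
    trusted from the summary, so a truncated transcript is still counted."""
    payload = sent = None
    seen, rtts = [], []
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            payload = int(m.group(1))
            continue
        m = REPLY_RE.match(line)
        if m:
            seen.append(int(m.group(2)))
            rtts.append(float(m.group(3)))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            sent = int(m.group(1))
    if sent is None:
        raise ValueError("no 'packets transmitted' summary line found")
    missing = sorted(set(range(1, sent + 1)) - set(seen))
    return {
        "payload": payload,
        "sent": sent,
        "received": len(seen),
        "missing_seq": missing,
        "loss_pct": 100.0 * (sent - len(seen)) / sent,
        "max_rtt_ms": max(rtts) if rtts else None,
    }


def loss_by_size(runs: Dict[int, str]) -> Dict[int, float]:
    """Map each payload size to its loss percentage; a size-dependent jump
    is the symptom both answers describe."""
    return {size: parse_ping(out)["loss_pct"] for size, out in runs.items()}


if __name__ == "__main__":
    for size, loss in sorted(loss_by_size({56: SMALL_RUN, 40096: LARGE_RUN}).items()):
        print(f"payload {size:>6} bytes: {loss:.1f}% loss")
```

Feeding real runs in is a matter of replacing the constructed strings with the captured output of `ping -c 20 -s 40096 <host>` (Linux) for the large case and the default size for the small one; loss that appears only at the large size points at the line or at a device along it, as Thebluefish's QoS case and Jonathan's bad-router case illustrate.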