Copyright 2022 - CSIM - Asian Institute of Technology

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


CERT(sm) Advisory CA-96.26
Original issue date: December 18, 1996
Last revised: --

Topic: Denial-of-Service Attack via ping
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a denial-of-service
attack using large ICMP datagrams. Exploitation details involving this
vulnerability have been widely distributed.

The CERT/CC team recommends installing vendor patches as they become

We will update this advisory as we receive additional information. Please
check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------
I.   Description

     The TCP/IP specification (the basis for many protocols used on the
     Internet) allows for a maximum packet size of up to 65536 octets (1 octet
     = 8 bits of data), containing a minimum of 20 octets of IP header
     information and 0 or more octets of optional information, with the rest
     of the packet being data. It is known that some systems will react in an
     unpredictable fashion when receiving oversized IP packets. Reports
     indicate a range of reactions including crashing, freezing, and

     In particular, the reports received by the CERT Coordination Center
     indicate that Internet Control Message Protocol (ICMP) packets issued via
     the "ping" command have been used to trigger this behavior. ICMP is a
     subset of the TCP/IP suite of protocols that transmits error and control
     messages between systems. Two specific instances of the ICMP are the ICMP
     ECHO_REQUEST and ICMP ECHO_RESPONSE datagrams. These two instances can be
     used by a local host to determine whether a remote system is reachable
     via the network; this is commonly achieved using the "ping" command.

     Discussion in public forums has centered around the use of the "ping"
     command to construct oversized ICMP datagrams (which are encapsulated
     within an IP packet). Many ping implementations by default send ICMP
     datagrams consisting only of the 8 octets of ICMP header information but
     allow the user to specify a larger packet size if desired.

     You can read more information about this vulnerability on Mike
     Bremford's Web page. (Note that this is not a CERT/CC maintained
     page. We provide the URL here for your convenience.)


II.  Impact

     Systems receiving oversized ICMP datagrams may crash, freeze, or
     reboot, resulting in denial of service.

III. Solution

     First, since crashing a router or firewall may be part of a larger,
     multistage attack scenario, we encourage you to inspect the running
     configuration of any such systems that have crashed to ensure that the
     configuration information is what you expect it to be.

     Then install a patch from your vendor.

     Below is a list of vendors who have provided information about
     patches for this problem. Details are in Appendix A of this
     advisory; we will update the appendix as we receive more
     information. If your vendor's name is not on this list, please
     contact the vendor directly.

           Berkeley Software Design, Inc. (BSDI)
           Computer Associates, Intl. (products for NCR)
           Cray Research
           Digital Equipment Corporation
           Free BSD, Inc.
           Hewlett-Packard Company
           IBM Corporation
           Linux Systems
           NEC Corporation
           Open Software Foundation (OSF)
           The Santa Cruz Operation, Inc. (SCO)
           Sun Microsystems, Inc.


Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, please contact the vendor directly.

Berkeley Software Design, Inc. (BSDI)
  BSD/OS 2.1 is not vulnerable to this problem.  It correctly handles
  large packets without any problems.

Computer Associates, Intl.
(products for NCR)

   Not vulnerable.

Cray Research
  Attempts to send oversized ICMP datagrams are rejected with
  appropriate error messages.  We believe that oversized ICMP datagrams
  sent to Unicos systems will also be rejected without crashing.

Digital Equipment Corporation
  MSG ID: SSRT0429 From DSNlink/DIA Database

  The following is important information concerning a potential denial of
  service issue which affects Digital UNIX Operating System, Digital UNIX
  MLS+, Firewall implementations, and Digital TCP/IP Services for OpenVMS AXP &

  COMPONENT:  System Security / Potential Denial of Service

  DIGITAL UNIX     Version: 3.0, 3.0b, 3.2, 3.2c, 3.2de1, 3.2de2,
                            3.2f, 3.2g, 4.0, 4.0a
  DIGITAL UNIX MLS+ Version 3.1a
  DIGITAL TCP/IP Services for OpenVMS AXP & VAX Versions - 4.0, 4.1
  DIGITAL ULTRIX Versions 4.3, 4.3a, 4.4, 4.5
  DIGITAL Firewall for UNIX
  DIGITAL AltaVista Firewall for UNIX

  For more information check the DSNlink/DIA Articles (keyword PING), or the
  URL for the latest


     Digital recently discovered a potential denial of service issue that
     may occur by remote systems exploiting a recently published problem while
     executing the 'ping' command. Solutions and initial communications
     began appearing in DSNlink/DIA FLASH/articles in late October, 1996.



     Digital has reacted promptly to this reported problem and a complete
     set of patch kits are being prepared for all currently supported

  The Digital patches may be obtained from your local Digital support
  channel or from the URL listed above. Please refer to the applicable README
  notes information prior to the installation of patch kits on your system.


  Copyright (c) Digital Equipment Corporation, 1996, All Rights Reserved.
  Unpublished Rights Reserved Under The  Copyright Laws Of The United States.

Free BSD, Inc.
  We have fixed the problem in 2.1.6 and -current.

Hewlett-Packard Company

  For HP9000 Series 700 and 800 systems, apply the appropriate patch.
  See Hewlett-Packard Security Bulletin #000040 (HPSBUX9610-040) for further
  details. The bulletin is available from the HP SupportLine and

          Patch Name(Platform/OS)   | Notes
          PHNE_9027 (s700 9.01)     : PHNE_7704 must first be installed
          PHNE_9028 (s700 9.03/5/7) : PHNE_7252 must first be installed
          PHNE_9030 (s700 10.00)    :             No patch dependencies
          PHNE_9032 (s700 10.01)    : PHNE_8168 must first be installed
          PHNE_9034 (s700 10.10)    : PHNE_8063 must first be installed
          PHNE_9036 (s700 10.20)    :             No patch dependencies
          PHNE_8672 (s800 9.00)     : PHNE_7197 must first be installed
          PHNE_9029 (s800 9.04)     : PHNE_7317 must first be installed
          PHNE_9031 (s800 10.00)    :             No patch dependencies
          PHNE_9033 (s800 10.01)    : PHNE_8169 must first be installed
          PHNE_9035 (s800 10.10)    : PHNE_8064 must first be installed
          PHNE_9037 (s800 10.20)    :             No patch dependencies

  For our MPE operating system, patches are in process. Watch for the issuance
  of our MPE security bulletin.

IBM Corporation

  See the appropriate release below to determine your action.

  AIX 3.2
    Apply the following fix to your system:

       APAR - IX59644 (PTF - U444227 U444232)

    To determine if you have this PTF on your system, run the following

       lslpp -lB U444227 U444232

  AIX 4.1
    Apply the following fix to your system:

        APAR - IX59453

    To determine if you have this APAR on your system, run the following

       instfix -ik IX59453

    Or run the following command:

       lslpp -h

    Your version of should be or later.

  AIX 4.2
    Apply the following fix to your system:

        APAR - IX61858

    To determine if you have this APAR on your system, run the following

       instfix -ik IX61858

    Or run the following command:

       lslpp -h

    Your version of should be or later.

  IBM SNG Firewall

      NOTE: The fixes in this section should ONLY be applied to systems
      running the IBM Internet Connection Secured Network Gateway (SNG)
      firewall software.  They should be applied IN ADDITION TO the IBM
      AIX fixes listed in the previous section.

     IBM SNG V2.1
         APAR - IR33376 PTF UR46673

     IBM SNG V2.2
         APAR - IR33484 PTF UR46641

  To Order
    APARs may be ordered using Electronic Fix Distribution (via FixDist)
    or from the IBM Support Center.  For more information on FixDist,
    reference URL:

    or send e-mail to This email address is being protected from spambots. You need JavaScript enabled to view it. with a subject of "FixDist".

  IBM and AIX are registered trademarks of International Business Machines

Linux Systems

  We recommend that you upgrade your Linux 1.3.x and 2.0.x kernels to Linux
  2.0.27. This is available from all the main archive sites such as

  Users wishing to remain with an earlier kernel version may download a
  patch from This patch will work with
  2.0.x kernel revisions but is untested with 1.3.x kernel revisions.

  Red Hat Linux has chosen to issue a 2.0.18 based release with the fix. Red
  Hat users should obtain this from

NEC Corporation
- --------------------------------------------------------------------------
       OS               Version        Status
- ------------------   ------------   -------------------------------------
EWS-UX/V(Rel4.0)     R1.x - R6.x    not vulnerable
EWS-UX/V(Rel4.2)     R7.x - R10.x   not vulnerable
EWS-UX/V(Rel4.2MP)   R10.x          not vulnerable
UP-UX/V              R1.x - R4.x    not vulnerable
UP-UX/V(Rel4.2MP)    R5.x - R7.x    not vulnerable
UX/4800              R11.x          not vulnerable
- --------------------------------------------------------------------------

see Computer Associates, Intl.

Open Software Foundation (OSF)
  OSF's OSF/1 R1.3.3 maintenance release includes a solution for this

The Santa Cruz Operation, Inc. (SCO)
  The following SCO products are known to be vulnerable:

  SCO OpenServer 5.0.0, 5.0.2
  SCO Internet FastStart 1.0.0, 1.1.0
  SCO Open Desktop 3.0
  SCO TCP/IP 1.2.1 on SCO Unix System V/386 Release 3.2 Version 4.2

  The symptoms encountered vary greatly and seem to be related to the type
  of network interface device being used. Support Level Supplement (SLS) OSS449
  is being developed for use with the following releases:

  SCO OpenServer 5.0.0, 5.0.2
  SCO Internet FastStart 1.0.0, 1.1.0.

  This SLS will be available in the near future. Watch the following URL for
  availability information of SLS OSS449:


  Should more information become available for either SCO's OpenServer or
  UnixWare products, SCO will provide updated information for this advisory.

Sun Microsystems, Inc.
  We are looking into this problem.


- -----------------------------------------------------------------------------
The CERT Coordination Center staff thanks AUSCERT, the Australian Computer
Emergency Response Team, and DFN-CERT, the German team, for their
contributions to this advisory, and we thank Mike Bremford for permission to
cite the information he has made available to the community.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see

CERT/CC Contact Information
- ----------------------------
Email    This email address is being protected from spambots. You need JavaScript enabled to view it.

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key

Getting security information
   CERT publications and other security information are available from

   CERT advisories and bulletins are also posted on the USENET newsgroup

   To be added to our mailing list for advisories and bulletins, send your
   email address to
        This email address is being protected from spambots. You need JavaScript enabled to view it.

- ---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is

CERT is a service mark of Carnegie Mellon University.
- ---------------------------------------------------------------------------

This file:
               click on "CERT Advisories"

Revision history

Version: 2.6.2


Powered by: MHonArc

Login Form


School of Engineering and technologies     Asian Institute of Technology