Correct Operating System response to large packets??
dalecosp
04-12-2004, 07:38 PM
This is a technical issue, not my standard EL fare. If you're much good at networking and care to take a shot at it, I'd appreciate it .... otherwise, there's a good game going on word association (http://www.phpbuilder.com/board/showthread.php?threadid=10252226&goto=newpost) in another thread :D
The question at hand: what do most OSes do when hit by large packets?
One of my clients has a server that "locks up" occasionally; typically it's a busy Monday or Friday, (but I'm just conjecturing here....)
Anyway, I decided to try and crash it remotely. It was surprisingly easy; too easy, in fact, but as soon as I did it the whole shop went, "Hey! What happened?"
The tactic? "ping -s 2048 hostname" ... a log of the session is attached in case you care to take a look. 2 pages printed; MS-DOS/Win users, beware, the LFs are Unix....
The bottom line ... what do most OSes do when hit with a big packet? What *should* they do? And, what the heck did this one do?
dalecosp
04-12-2004, 07:41 PM
<sigh> I just love Mondays.
Weedpacket
04-13-2004, 07:12 AM
Bwahahahahaaaaa! The Ping of Death lives!
As I understand it, they should be up to the task of buffering (up to available memory of course - but I think a 256MB ping would be noticed somewhere) and discarding it if it appears "faulty" or, if it's being sent on and is too large, it's supposed to be subdivided (in any manner appropriate) into smaller packets.
But it's been years since I paid sufficient attention to TCP/IP to be a quotable source on that.
dalecosp
04-13-2004, 11:26 AM
Bwahahahahaaaaa! The Ping of Death lives!
LOL, yes; but IIRC, the actual "ping of death" was 65536 bytes, not 2048 ...
This should be "ping of slight wince from hangnail" instead. Thanks for your answer, either way ... :)
I'm gonna send this to my FreeBSD lists (please note, that the receiving machine was *not* a BSD, but the attacker was....) I've pretty well decided to talk to the people that wrote this OS. And to the person that wrote the application that has to run on it. And the people that wrote the Windows client that connects to it, etc., etc., etc. It'd be much more fun to actually sit down and code some PHP instead.... :cool:
Visiting Netcraft, I found that their (the OS vendor's) web site runs on this OS as well (of course, you say --- but I would really wonder, if this is characteristic, why they'd bother).... If they don't listen to me ... hmm, I wonder if I could send a packet that big from my sourceforge shell account? Nah, don't have root there ... maybe a dial-up from some customer's location :eek:
bad76
04-14-2004, 01:28 AM
Hi,
my hint is to set up a good firewall to block ping and other services not needed...
But surely ping 2048 is not such a "large packet"... maybe it is a net problem, and
not an OS problem...
Good luck...
Weedpacket
04-14-2004, 07:02 AM
Originally posted by dalecosp
LOL, yes; but IIRC, the actual "ping of death" was 65536 bytes, not 2048 ...
The "ping of slight wince from hangnail" (or the "ping of seeing rude gesture" or the "ping of ragged end of toenail that snags the sheets when you're getting into bed") ... yes, it should be broken into multiple packets if too large; I've used it to determine MTU sizes on unknown hosts; ping with a large packet, and then gradually reduce the size of the packet until it's no longer fragmented. No, I wouldn't expect this exercise to crash the host :)
[Edit: just played around with this from here; I found the machine simply started timing out (to that ping request) at 12927 bytes.]
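The fragmentation behaviour Weedpacket describes (an oversize echo request being split at the sender's MTU, the receiver reassembling it, and the 65535-byte datagram limit that the original Ping of Death exceeded) can be modelled in a few lines. The following is an added example, not code from this thread or from any of the operating systems discussed; it assumes a 20-byte IPv4 header with no options, an 8-byte ICMP echo header, and the simple sender/receiver model sketched above. The fragment lists fed to `reassemble()` in the comments are constructed values.

```python
"""Model of how an ICMP echo request ("ping -s N") is fragmented at a given
MTU and how a receiver should validate the fragments before reassembly.
Added illustration; header sizes below are the usual option-free values."""

IPV4_HEADER = 20          # assumption: no IP options
ICMP_ECHO_HEADER = 8      # type, code, checksum, identifier, sequence
IP_MAX_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits


def largest_unfragmented_payload(mtu):
    """Largest "ping -s" value that still fits in one frame at this MTU
    (this is the number the shrink-until-it-stops-fragmenting method finds)."""
    return mtu - IPV4_HEADER - ICMP_ECHO_HEADER


def fragment_echo(payload_len, mtu):
    """Sender side: return the fragments emitted for an echo request.

    Each fragment is (offset_in_8_byte_units, data_len, more_fragments).
    The ICMP header is the first 8 bytes of the IP payload, so it rides in
    the first fragment; later fragments carry raw echo data only."""
    if mtu < IPV4_HEADER + 8:
        raise ValueError("MTU too small to carry a fragment")
    ip_payload = ICMP_ECHO_HEADER + payload_len
    if IPV4_HEADER + ip_payload > IP_MAX_DATAGRAM:
        # what a well-behaved ping refuses to send at all
        raise ValueError("ping: packet size too large")
    # every fragment but the last must carry a multiple of 8 data bytes
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    fragments, offset = [], 0
    while offset < ip_payload:
        data_len = min(per_fragment, ip_payload - offset)
        more = offset + data_len < ip_payload
        fragments.append((offset // 8, data_len, more))
        offset += data_len
    return fragments


def reassemble(fragments):
    """Receiver side: validate a fragment set and return the reassembled
    IP payload length.  A stack that skips the size check is the one the
    classic Ping of Death overflowed: the last fragment's offset plus its
    length pushed the reassembled datagram past 65535 bytes."""
    ordered = sorted(fragments)
    expected_start = 0
    for i, (offset_units, data_len, more) in enumerate(ordered):
        start = offset_units * 8
        end = start + data_len
        if IPV4_HEADER + end > IP_MAX_DATAGRAM:
            raise ValueError(f"fragment ends at byte {end}: oversize datagram, dropped")
        if start != expected_start:
            raise ValueError(f"gap or overlap at byte {start}, cannot reassemble")
        is_last = i == len(ordered) - 1
        if more == is_last:  # MF must be set on all fragments except the last
            raise ValueError("inconsistent more-fragments flag")
        expected_start = end
    return expected_start


if __name__ == "__main__":
    # "ping -s 2048" over Ethernet: 2056 bytes of IP payload, two fragments
    frags = fragment_echo(2048, 1500)
    print(frags, "->", reassemble(frags), "bytes reassembled")
    # constructed oversize fragment set: offset 8189*8 + 1480 > 65535
    try:
        reassemble([(0, 1480, True), (8189, 1480, False)])
    except ValueError as err:
        print("rejected:", err)
```

At an Ethernet MTU of 1500 the 2048-byte ping in the session log becomes two fragments (1480 bytes, then 576), and a receiver that checks each fragment's end offset against 65535 simply drops the oversize set instead of overrunning its reassembly buffer; a host that hangs on a 2 KB echo is therefore failing somewhere other than this arithmetic.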
dalecosp
04-14-2004, 10:37 AM
Pinging my FBSD machine on the loopback or on its LAN interface, I can get up to a packet size of 65007 bytes; anything greater returns a "ping: packet size too large" error message.
Pinging a Windows XP machine on the private LAN, a 25152 byte packet seems to be the largest that elicits a response. After that, just packet loss, but AFAIK at least the box is still up.
It just simply amazed me that so simple an attack as this one could disrupt client-server operations (and the print spooler) for the entire shop. We had to cycle the power to get the spooler going again ... but that was probably due to our ignorance of the operating system. After my "attack", I went to the console, and by the time I figured out how to get a command prompt, I could ping out again, but no print services ....
I'm going to put a sniffer on the wire right next to that box today; I've also contacted the OS vendor with a tentative "what advice can you give to assist us in addressing this issue" note --- of course, what I wish is I could kick the thing into the ocean; I really wish I'd been a bit more forceful about my opinion of unknown OSes when they bought the system; but this client was about 40% of my business for last year (boy, I need to expand) and as I know little about the widgets they sell, and "lots of people in that field use this SW", I sat back and let 'em buy into it.... :(
Bottom line, my client's not happy, so I'm not either.... Thanks to both of y'all for your help!!
PHP Builder
Copyright WebMediaBrands Inc. All Rights Reserved.