Ping of Death
Home > IT Answers > Security > Ping of Death
Alan Dala
30 pts.
0
Q:
Ping of Death
Firewalls, Ping, Remote access, T1, WAN, LAN
Hi,

I have a remote office connected over a T1 line to the main office with Cisco routers. The problem is that I get tons of logs in our main firewall that connects to the outside world saying "Ping of Death Blocked" The source of the attack is always an IP address(not always the same) from the remote office and the "Destination" is always one of our three Domain Controllers that reside in the main LAN. The remote office connects to the main LAN over the T1line for everything including Internet, DNS, AD.

Any help would be appreciated!
ASKED: Oct 28 2008  8:36 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
Labnuke99
26290 pts.
0
A:
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
  • AddThis Social Bookmark Button
Almost all of the IP packet information can be forged. I would not consider the information accurate and of concern about the systems being compromised. Now, if you see this traffic on the inside, then I would think that is a problem. But since you say it is on the outside of your firewall, then your firewall is doing its job and blocking this unnecessary traffic. In fact, you should just block ICMP from the outside just to be safe.
Last Answered: Oct 28 2008  8:59 PM GMT by Labnuke99   26290 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Alan Dala   30 pts.  |   Oct 28 2008  9:45PM GMT

Thank you for your fast answer!

Both are private IP addresses and the T1 router for the remote office is not connected through the main firewall. Not sure if I should consider this as “inside” or not…

I did some testing and when I ping from a DC or any server :

ping 192.168.8.233 -l 44444, the ping is blocked and “Ping of death blocked 192.168.1.34, 8, LAN 192.168.8.233, 8, LAN” shows up in my main firewall.

What should I understand from this? That the remote subnet is communicating with the local DCs with packets larger than 1472 and they get blocked by the main firewall?

If yes, why and how can I fix that?

Thank you!

 

Labnuke99   26290 pts.  |   Oct 29 2008  12:45PM GMT

The ping of death is defined as a ping larger than 65,535 bytes. So, I’m not sure why the firewall is flagging this traffic as POD. I understand that the WAN configuration is a point to point T1 between the sites, but I don’t understand where the firewall falls into the traffic flow. It would be useful to have a diagram showing how the traffic flows between the sites and where the firewall is located in the logical traffic flow.

ICMP (PING) payload will be about 32 bytes from a Windows machine. The data section will be abcdefghijklmnopqrstuvwabcdefghi . So, if there are pings or ICMP larger than this something is rather strange. I would recommend getting Wireshark and capturing some of the traffic and see what it actually looks like. ICMP can be used as a covert traffic method to carry malicious traffic into and out of a network. That is why I suggest turning it off for inbound at a minimum.

 
0