40

While analyzing some traffic logs, I noticed a node pinging its gateway with a large ping packet size, ranging from 700 bytes to 1 MB. It's a constant ping from node to gateway and the size per ping is rather high. Does anyone know why this might be happening or if there is a benefit (possibly for testing purposes) to manipulating the PING size?


5 Answers

49

It's to ensure that the path taken can handle the large packet, not all routes have the same MTU throughout. Having a good MTU will also prevent IP fragmentation.

  • 2
    Using a jumbo frame doesn't adequately validate that a jumbo frame will work. Most routers will simply fragment a larger frame if its MTU is lower (though some routers have options to discard in this instance). A ping using the don't fragment flag is more appropriate as it covers ALL instances where there is an interface with a smaller MTU than the packet sent.
    – MaQleod
    Commented Jul 2, 2014 at 18:41
  • 1
    @MaQleod or it checks the fragmentation needed flag in the reply. Commented Jul 2, 2014 at 20:05
  • 1
    Some 10 years ago, I had to debug the default MTU of Windows, because the connection never worked to specific places. This was detectable by changing the ping packet size from the default value to bigger ones. Afaik 1500 was too much, and 1400 allowed normal operation (ADSL in Finland). Commented Jul 3, 2014 at 12:34
  • PPPoE (used often with DSL) adds an 8 byte header, so the MTU for PPPoE connections is typically 1492.
    – LawrenceC
    Commented Jul 4, 2014 at 0:01
  • @MaQleod It is quite clearly stated in the standards, that the decision about whether to fragment packets that were too large, is not to be made by routers. In IPv4 the sender decides if the packet is to be fragmented or if an error is to be returned to the sender. In IPv6 a router never fragments a packet, an error is always sent to the sender if a packet is too large.
    – kasperd
    Commented Jul 4, 2014 at 0:12
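What the answer and the comment thread describe, as an added example that is not part of the original page: build an ICMP echo request inside an IPv4 header with the don't-fragment bit set, then binary-search the largest size that still gets an echo reply, jumping straight to the MTU reported in a "fragmentation needed" reply. The network path, the 10.0.0.x addresses and the ICMP identifier are constructed stand-ins so the block runs offline; against a real path you would hand `probe_path_mtu` a send function backed by a raw socket.

```python
"""Path MTU probing with don't-fragment pings, run against a simulated path."""
import struct

IPV4_HEADER_LEN = 20
ICMP_HEADER_LEN = 8
DF_FLAG = 0x4000          # IPv4 "don't fragment" bit in the flags/offset field
SRC, DST = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])   # constructed node and gateway


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_df_ping(payload_len: int, ident: int = 0x1234, seq: int = 1) -> bytes:
    """IPv4 packet (DF set) carrying an ICMP echo request with payload_len filler bytes."""
    payload = bytes(i & 0xFF for i in range(payload_len))
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = IPV4_HEADER_LEN + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, DF_FLAG, 64, 1, 0, SRC, DST)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def df_set(packet: bytes) -> bool:
    return bool(struct.unpack("!H", packet[6:8])[0] & DF_FLAG)


def max_icmp_payload(mtu: int) -> int:
    """Largest ping -s value that still fits in one IP packet on a link with this MTU."""
    return mtu - IPV4_HEADER_LEN - ICMP_HEADER_LEN


def simulated_path(link_mtus):
    """Constructed stand-in for the network: each hop forwards, fragments (DF clear),
    or drops the packet and reports its MTU the way ICMP type 3 code 4 would (DF set)."""
    def send(packet: bytes):
        for mtu in link_mtus:
            if len(packet) > mtu:
                return ("frag_needed", mtu) if df_set(packet) else ("fragmented", mtu)
        return ("echo_reply", len(packet))
    return send


def probe_path_mtu(send, lo: int = 576, hi: int = 9000) -> int:
    """Binary search for the largest DF packet that is echoed back; lo is assumed to pass."""
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        status, hop_mtu = send(build_df_ping(max_icmp_payload(mid)))
        if status == "echo_reply":
            best, lo = mid, mid + 1
        else:
            # a "fragmentation needed" reply carries the next-hop MTU; jump straight to it
            hi = hop_mtu if status == "frag_needed" else mid - 1
    return best


if __name__ == "__main__":
    path = simulated_path([1500, 1492, 1500])      # an Ethernet segment behind a PPPoE link
    mtu = probe_path_mtu(path)
    print("path MTU", mtu, "-> ping -s", max_icmp_payload(mtu), "-M do")
```

With DF clear the simulated middle hop simply fragments, so a plain large ping returns an echo and tells you nothing about the path; that is the distinction MaQleod draws above. The 1492 MTU in the sample path is the PPPoE case LawrenceC mentions, and the matching payload of 1464 is what you would pass to `ping -s` (Linux) or `ping -l` (Windows) together with the don't-fragment option.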
47

The only benefit of using a big load on a ping is to test the stability of the line. If a line fluctuates or goes offline with a high load, but not with a small load, a standard ping with just 32 bytes won't detect the problem.

  • 5
    I wish I could accept both answers, as one supplements the other. Thank you.
    – injector
    Commented Jul 2, 2014 at 15:40
  • 19
    It's okay. This comment is enough of a reward for me. :)
    – LPChip
    Commented Jul 2, 2014 at 15:42
  • 9
    To add-on to this, when I previously worked for an ISP we would occasionally use larger packet sizes to help troubleshoot packet loss issues where our QoS system was inadvertently dropping the largest packets when the line was saturated.
    – BlueBuddy
    Commented Jul 2, 2014 at 22:00
17

No one mentioned the PING OF DEATH??

A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol [IP] header is considered. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size. Larger packets could crash the target computer.

Generally, sending a 65,536-byte ping packet violates the Internet Protocol as documented in RFC 791, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

I don't think it's as widespread as it used to be, but if you want a purpose for a large ping packet, well, DDoS is one.

  • 2
    Ah, the ol' Ping of Death (PoD) attack. Most modern OSes are no longer vulnerable to this type of attack. Also, most modern networking devices are no longer vulnerable to this type of attack. Of note, the original scenario which I based my question around was that a single internal node was pinging its gateway.
    – injector
    Commented Jul 3, 2014 at 14:07
  • True, and I mentioned it's not as widespread as it used to be, however if you think every single piece of networking equipment is impervious to it, or that it isn't still used maliciously, you're sadly mistaken.
    – MDMoore313
    Commented Jul 3, 2014 at 14:11
  • 1
    You're referencing one Yahoo Answers post- therefore it must be true? We can agree to disagree. My comment still stands. Cheers and be well.
    – injector
    Commented Jul 3, 2014 at 14:18
  • 4
    The name Ping of Death is misleading, because the vulnerability is in how the last fragment is handled, and that doesn't even tell you what type of packet it is, since that is in the first fragment. If a host is vulnerable, you can attack it with any type of packet, as long as you send a corrupted last fragment. Also, this doesn't have anything to do with a DDoS attack. You don't need a distributed attack, when all you want to do is send one single corrupted packet. Finally, you can't reach 1MB with fragmented packets. The limit is 128KB in theory or 65.5KB in practice.
    – kasperd
    Commented Jul 4, 2014 at 0:06
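The reassembly bound that the answer and kasperd's comment are talking about, as an added example rather than anything from the original page: a fragment's 13-bit offset (in 8-byte units) plus its data length can add up to more than a 65,535-byte datagram can hold, and a stack that copies the fragment into a fixed buffer without checking that sum is the one that crashes. The reassembler below makes the check explicit and refuses the fragment; the headers, addresses and payload are constructed, and the 65,515-byte payload limit assumes a minimal 20-byte header.

```python
"""Fragment bounds checking before IPv4 reassembly."""
import struct

MAX_IPV4_DATAGRAM = 65535          # 16-bit total-length field, RFC 791
MIN_IPV4_HEADER = 20
MAX_PAYLOAD = MAX_IPV4_DATAGRAM - MIN_IPV4_HEADER   # 65515 bytes of reassembled payload (assumed bound)
MF_FLAG = 0x2000                   # "more fragments"
OFFSET_MASK = 0x1FFF               # fragment offset, in 8-byte units


def make_fragment_header(offset_units: int, data_len: int, more: bool, ident: int = 0x2A2A) -> bytes:
    """Constructed 20-byte IPv4 header for one fragment (checksum left zero; not needed here)."""
    flags_off = (MF_FLAG if more else 0) | (offset_units & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, MIN_IPV4_HEADER + data_len, ident,
                       flags_off, 64, 1, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))


def fragment_span(header: bytes):
    """(start, end, more_fragments): the payload byte range this fragment claims to fill."""
    ihl = (header[0] & 0x0F) * 4
    total_len, _ident, flags_off = struct.unpack("!HHH", header[2:8])
    start = (flags_off & OFFSET_MASK) * 8
    return start, start + total_len - ihl, bool(flags_off & MF_FLAG)


def fragment_is_safe(header: bytes, data: bytes) -> bool:
    """The check a vulnerable stack skipped: reject a fragment whose end lies beyond the
    largest payload a legal datagram can carry, or whose length field disagrees with the data."""
    start, end, _ = fragment_span(header)
    return end - start == len(data) and end <= MAX_PAYLOAD


class Reassembler:
    """Collects the fragments of one datagram into a fixed-size buffer."""

    def __init__(self):
        self.buf = bytearray(MAX_PAYLOAD)   # fixed-size, like the kernel buffers that overflowed
        self.filled = []                     # (start, end) ranges received so far
        self.total = None                    # payload length, known once the MF=0 fragment arrives

    def add(self, header: bytes, data: bytes) -> None:
        if not fragment_is_safe(header, data):
            raise ValueError("fragment rejected: bad length or offset past the 65,535-byte limit")
        start, end, more = fragment_span(header)
        self.buf[start:end] = data           # in bounds, so this cannot run past the buffer
        self.filled.append((start, end))
        if not more:
            self.total = end

    def datagram(self):
        """Reassembled payload once every byte up to the last fragment's end has arrived."""
        if self.total is None:
            return None
        covered = 0
        for start, end in sorted(self.filled):
            if start > covered:
                return None                  # hole; still waiting for a fragment
            covered = max(covered, end)
        return bytes(self.buf[:self.total]) if covered >= self.total else None
```

Note that the check only needs the header of the offending fragment: nothing about the first fragment, the transport protocol, or whether the datagram is a ping at all enters into it, which is kasperd's point that the name is misleading. Overlapping fragments are written last-writer-wins here; a production reassembler also has to decide a policy for those.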
5

Just to offer another (unlikely) possibility - I don't have any context as to who is generating the log, and I don't know how often you are seeing these pings, but because you can put whatever you want into the ICMP/ping packets, they are occasionally used as a covert communication channel, i.e. an ICMP/ping tunnel. Presumably you'd see frequent large-sized pings going out from (and possibly returning to) a given node, if someone is using a ping tunnel for some reason.

  • 1
    Constant PING from node to GW, on a 4-6 second interval.
    – injector
    Commented Jul 4, 2014 at 17:25
  • 2
    I imagine that this particular case isn't a ping tunnel (4-6 seconds would be pretty long latency, and they apparently aren't receiving any pings), I think the other answers are better, but I figured I'd leave this suggestion here for posterity, in case someone in the future is puzzled by some bizarre pinging behavior and doesn't know about ping tunnels.
    – Paul
    Commented Jul 4, 2014 at 17:28
  • 2
    @paul one way communication can be handy for spyware (for example key loggers sending the logged data) Commented Jul 6, 2014 at 11:24
  • @ratchetfreak Good point. Probably spyware or other malware also wouldn't mind a 5 second sending interval, too. I suppose the question is whether the pings are aimed at the gateway or just ending up there.
    – Paul
    Commented Jul 6, 2014 at 12:15
  • @Paul it was a constant PING to the GW specifically.
    – injector
    Commented Jul 9, 2014 at 14:02
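One way to turn this answer into a check on the traffic log, as an added example that is not part of the original page: a real ping tool fills its payload with a fixed pattern (the 8-byte timestamp followed by bytes 0x08, 0x09, ... that iputils uses, or ping.exe's repeated "abcdefghijklmnopqrstuvwabcdefghi"), so large echo requests from one host whose payload is something else deserve a look, and the payload's entropy tells you whether that something else looks encrypted. The flow records, the hosts and the 500-byte threshold are constructed assumptions, and the filler patterns are as I know them rather than anything the page states.

```python
"""Spotting ICMP echo payloads that are not ping filler."""
import math
import random
from collections import Counter, defaultdict

WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"   # ping.exe's 32-byte pattern (assumed)


def is_linux_filler(payload: bytes) -> bool:
    """iputils ping (assumed): 8-byte timestamp, then byte i == i & 0xFF from offset 8 on."""
    return len(payload) >= 16 and all(payload[i] == i & 0xFF for i in range(8, len(payload)))


def is_windows_filler(payload: bytes) -> bool:
    repeated = (WINDOWS_FILLER * (len(payload) // len(WINDOWS_FILLER) + 1))[:len(payload)]
    return len(payload) > 0 and payload == repeated


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy: near 8.0 for encrypted or compressed data, around 4.5 for English text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def summarize_sources(records, min_size: int = 500):
    """records: (timestamp, src, dst, payload) tuples for ICMP echo requests.
    Counts, per source, the large echoes whose payload is not a recognised ping filler."""
    stats = defaultdict(lambda: {"echoes": 0, "large": 0, "non_filler": 0, "max_entropy": 0.0})
    for _ts, src, _dst, payload in records:
        s = stats[src]
        s["echoes"] += 1
        if len(payload) < min_size:
            continue
        s["large"] += 1
        if not (is_linux_filler(payload) or is_windows_filler(payload)):
            s["non_filler"] += 1
            s["max_entropy"] = max(s["max_entropy"], entropy_bits_per_byte(payload))
    return dict(stats)


def suspicious_sources(records, min_size: int = 500):
    """Sources whose large echo requests carried non-filler payloads, most hits first."""
    stats = summarize_sources(records, min_size)
    hits = [(s["non_filler"], src) for src, s in stats.items() if s["non_filler"]]
    return [src for _n, src in sorted(hits, reverse=True)]


# --- constructed sample: three hosts pinging the gateway 10.0.0.1 every 5 seconds ---
def _linux_payload(n: int) -> bytes:
    return bytes(8) + bytes(i & 0xFF for i in range(8, n))


_rng = random.Random(7)
SAMPLE_RECORDS = []
for k in range(5):
    SAMPLE_RECORDS.append((k * 5, "10.0.0.11", "10.0.0.1", _linux_payload(1464)))   # MTU test ping
    SAMPLE_RECORDS.append((k * 5, "10.0.0.12", "10.0.0.1", WINDOWS_FILLER))          # default ping.exe
    SAMPLE_RECORDS.append((k * 5, "10.0.0.23", "10.0.0.1",
                           bytes(_rng.getrandbits(8) for _ in range(1464))))         # tunnel-like payload

if __name__ == "__main__":
    for src, s in summarize_sources(SAMPLE_RECORDS).items():
        print(src, s)
    print("suspicious:", suspicious_sources(SAMPLE_RECORDS))
```

The host sending MTU-sized pings with the standard filler and the host sending default 32-byte pings both drop out; only the host whose large payloads match neither pattern is reported. A one-way channel, as ratchetfreak notes, never needs the echo replies to carry anything, so the check deliberately looks at requests only.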
1

A bad router, even wired, can fail on large pings and succeed on small ones, until restarted, so it can be used for debugging issues like this one

Packet loss may be a result of a bad connection, and can't always be detected with a normal ping.

ping 208.67.222.222 -l 40096 -n 20 or on Linux it's -s 40096

This pings a special server that allows large ping traffic, and looks for packet loss on the line. I had had packet loss on a wired line that prevented some traffic from going round trip.

  • Why the downvote?
    – Jonathan
    Commented Jun 5, 2019 at 22:23
