What is the purpose of using a large ping packet?

Solution 1

It's to ensure that the path taken can handle the large packet; not all routes have the same MTU throughout. Having a good MTU will also prevent IP fragmentation.

Solution 2

The only benefit of using a big load on a ping is to test the stability of the line. If a line fluctuates or goes offline with a high load, but not with a small load, a standard ping with just 32 bytes won't detect the problem.

Solution 3

No one mentioned the PING OF DEATH??

A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol [IP] header is considered. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size. Larger packets could crash the target computer.

Generally, sending a 65,536-byte ping packet violates the Internet Protocol as documented in RFC 791, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

I don't think it's as widespread as it used to be, but if you want a purpose for a large ping packet, well, DDoS is one.

Solution 4

Just to offer another (unlikely) possibility - I don't have any context as to who is generating the log, and I don't know how often you are seeing these pings, but because you can put whatever you want into the ICMP/ping packets, they are occasionally used as a covert communication channel, i.e. an ICMP/ping tunnel. Presumably you'd see frequent large-sized pings going out from (and possibly returning to) a given node, if someone is using a ping tunnel for some reason.
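As an added example (not code from the original thread), the following Python script turns the reasoning in Solutions 1, 3 and 4 into a check a log reviewer can run: it computes whether an echo request with a given payload fragments on a given link MTU, whether the reassembled datagram would exceed the RFC 791 limit, and flags a flow of large pings sent at a steady interval, the pattern the question describes. The log line format, addresses and thresholds are constructed for this example.

```python
import math
import re
from collections import defaultdict

IP_HDR, ICMP_HDR, MAX_IPV4 = 20, 8, 65535  # IPv4 header, ICMP echo header, RFC 791 max datagram
ETHER_MTU = 1500
# Constructed log format for this example: "<epoch> <src> -> <dst> icmp echo-request payload=<bytes>"
LOG_RE = re.compile(r"^(\d+) (\S+) -> (\S+) icmp echo-request payload=(\d+)$")

def fragments_for(payload: int, mtu: int = ETHER_MTU) -> int:
    """IPv4 fragments an echo request with this payload needs on a link of the given MTU."""
    per_fragment = (mtu - IP_HDR) // 8 * 8  # non-final fragments carry a multiple of 8 bytes
    return math.ceil((ICMP_HDR + payload) / per_fragment)

def exceeds_ipv4(payload: int) -> bool:
    """True when the reassembled datagram would exceed the RFC 791 limit (the ping-of-death shape)."""
    return IP_HDR + ICMP_HDR + payload > MAX_IPV4

def analyse(lines, mtu: int = ETHER_MTU, large: int = 700, jitter: int = 2) -> dict:
    """Per (src, dst) flow: flag oversize reassembly, fragmentation on this MTU, and 3+ large pings at a steady interval."""
    flows = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, src, dst, size = m.groups()
            flows[(src, dst)].append((int(ts), int(size)))
    report = {}
    for flow, pkts in flows.items():
        sizes = [s for _, s in pkts]
        times = sorted(t for t, _ in pkts)
        gaps = [b - a for a, b in zip(times, times[1:])]  # seconds between consecutive requests
        big = sum(1 for s in sizes if s >= large)
        flags = []
        if any(exceeds_ipv4(s) for s in sizes):
            flags.append("oversize-reassembly")
        if any(fragments_for(s, mtu) > 1 for s in sizes):
            flags.append("fragmented")
        if big >= 3 and gaps and max(gaps) - min(gaps) <= jitter:  # steady cadence, worth a second look
            flags.append("periodic-large")
        report[flow] = {"max_payload": max(sizes), "large": big, "flags": flags}
    return report

# Constructed sample: a node pinging its gateway every 4-5 s with 1400-byte payloads, plus one oversized request
SAMPLE_LOG = [
    "1000 10.0.0.5 -> 10.0.0.1 icmp echo-request payload=56",
    "1004 10.0.0.5 -> 10.0.0.1 icmp echo-request payload=1400",
    "1009 10.0.0.5 -> 10.0.0.1 icmp echo-request payload=1400",
    "1014 10.0.0.5 -> 10.0.0.1 icmp echo-request payload=1400",
    "1100 10.0.0.7 -> 10.0.0.1 icmp echo-request payload=65510",
]
```

A 1472-byte payload is the largest that fits a 1500-byte MTU unfragmented (1472 + 8 + 20 = 1500), and 65507 is the largest payload that stays within RFC 791.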

Author: injector

Updated on September 18, 2022

Comments

  • injector
    injector over 1 year

    While analyzing some traffic logs, I noticed a node pinging its gateway with a large ping packet size, ranging from 700 bytes to 1 MB. It's a constant ping from node to gateway and the size per ping is rather high. Does anyone know why this might be happening or if there is a benefit (possibly for testing purposes) to manipulating the PING size?

  • injector
    injector almost 10 years
    I wish I could accept both answers, as one supplements the other. Thank you.
  • LPChip
    LPChip almost 10 years
    It's okay. This comment is enough of a reward for me. :)
  • MaQleod
    MaQleod almost 10 years
    Using a jumbo frame doesn't adequately validate that a jumbo frame will work. Most routers will simply fragment a larger frame if its MTU is lower (though some routers have options to discard in this instance). A ping using the don't fragment flag is more appropriate as it covers ALL instances where there is an interface with a smaller MTU than the packet sent.
  • ratchet freak
    ratchet freak almost 10 years
    @MaQleod or it checks the fragmentation needed flag in the reply.
  • Thebluefish
    Thebluefish almost 10 years
    To add-on to this, when I previously worked for an ISP we would occasionally use larger packet sizes to help troubleshoot packet loss issues where our QoS system was inadvertently dropping the largest packets when the line was saturated.
  • Juha Untinen
    Juha Untinen almost 10 years
    Some 10 years ago, I had to debug the default MTU of Windows, because the connection never worked to specific places. This was detectable by changing the ping packet size from the default value to bigger ones. Afaik 1500 was too much, and 1400 allowed normal operation (ADSL in Finland).
  • injector
    injector almost 10 years
    Ah, the ol' Ping of Death (PoD) attack. Most modern OS's are no longer vulnerable to this type of attack. Also, most modern networking devices are no longer vulnerable to this type of attack. Of note, the original scenario which I based my question around was that a single internal node was pinging its gateway.
  • MDMoore313
    MDMoore313 almost 10 years
    True, and I mentioned it's not as widespread as it used to be, however if you think every single piece of networking equipment is impervious to it, or that it isn't still used maliciously, you're sadly mistaken.
  • injector
    injector almost 10 years
    You're referencing one Yahoo Answers post, therefore it must be true? We can agree to disagree. My comment still stands. Cheers and be well.
  • HikeMike
    HikeMike almost 10 years
  • injector
    injector almost 10 years
    @DanielBeck You're referencing ICMPv6, which relates to IPv6. Not IPv4, which is what the OP was referencing, but thanks for the references. More information is always appreciated. It's good to know that vulnerability has also been mitigated for most modern OS's.
  • HikeMike
    HikeMike almost 10 years
    @Dark_Cyber Right, that's why I wrote general type of attack. I hope nobody chokes on the original anymore…
  • injector
    injector almost 10 years
    Constant PING from node to GW, on a 4-6 second interval.
  • Paul
    Paul almost 10 years
    I imagine that this particular case isn't a ping tunnel (4-6 seconds would be pretty long latency, and they apparently aren't receiving any pings), I think the other answers are better, but I figured I'd leave this suggestion here for posterity, in case someone in the future is puzzled by some bizarre pinging behavior and doesn't know about ping tunnels.
  • ratchet freak
    ratchet freak almost 10 years
    @Paul one-way communication can be handy for spyware (for example key loggers sending the logged data)
  • injector
    injector almost 10 years
    @Paul it was a constant PING to the GW specifically.
  • Jonathan
    Jonathan almost 5 years
    Why the downvote?