The ping of death is a denial-of-service (DoS) attack. It works by sending a single malformed, oversized packet to a target computer, causing it to crash, freeze, or reboot. Unlike attacks that overwhelm a system with sheer traffic volume, the ping of death exploits a flaw in how computers reassemble fragmented data packets, making it more of a precision strike than a brute-force flood.
How the Attack Works
Every packet sent over the internet using IPv4 has a maximum allowed size of 65,535 bytes. That limit exists because the length field in the packet header is 16 bits long, and 2^16 minus 1 equals 65,535. Normally, when a packet is too large to travel across a network in one piece, it gets split into smaller fragments. Each fragment carries information about where it belongs in the original packet, stored in a 13-bit “fragment offset” field in its header. The field counts in units of 8 bytes, so the largest offset it can express is 8,191 × 8 = 65,528 bytes. The receiving computer collects all the fragments and reassembles them into the full packet.
The ping of death abuses this fragmentation process. An attacker crafts a series of fragments where the final piece has the maximum possible offset (65,528 bytes) but carries far more data than the remaining 7 bytes that would keep the reassembled packet within the 65,535-byte limit. Individually, each fragment looks perfectly normal and passes through routers without issue. But when the target computer tries to reassemble them, the resulting packet exceeds 65,535 bytes. On systems that didn’t check for this, the oversized packet would overflow the memory buffer allocated to hold it, crashing the system.
What Happens to the Target System
When a vulnerable machine receives and reassembles the oversized packet, the extra data spills into adjacent memory. The consequences vary depending on the operating system, but common outcomes include complete system crashes, spontaneous reboots, kernel panics (the operating system’s equivalent of a fatal error), and general instability that forces a restart. The attack doesn’t steal data or gain access to the system. Its only goal is to knock the target offline.
Ping of Death vs. ICMP Flood
Both attacks fall under the denial-of-service umbrella, but they work in fundamentally different ways. A ping of death sends one or a few carefully crafted packets designed to trigger a software bug. An ICMP flood, by contrast, bombards a target with a massive volume of normal, legitimate ping requests to exhaust its processing power and bandwidth. Think of it this way: the ping of death is picking a lock, while an ICMP flood is ramming the door with a truck. The ping of death requires a specific vulnerability in the target’s networking code; an ICMP flood just requires more traffic than the target can handle.
Which Systems Were Vulnerable
The ping of death first appeared in 1996 and quickly became notorious for crashing machines running Windows 95 and Windows NT. It wasn’t limited to Windows, though. Many operating systems of that era, along with routers and other network devices, failed to validate the total size of reassembled packets. The attack became a symbol of the growing threat that DoS attacks posed as internet adoption exploded in the late 1990s.
Most modern operating systems patched this vulnerability decades ago by adding a simple check during reassembly: if the sum of the fragment offset and the fragment’s data length exceeds 65,535 bytes, the fragment gets discarded. That one validation step neutralizes the classic attack entirely.
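The reassembly check described above, written out as an added example (not code from any particular operating system). It is slightly stricter than the sum stated above because it also counts the IP header, which the 16-bit total-length field covers. The names `check_fragment` and `check_constructed` are hypothetical, and the sample fragments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MAX_DATAGRAM 65535u

enum frag_verdict { FRAG_ACCEPT, FRAG_MALFORMED, FRAG_OVERSIZE };

/* Decide whether one IPv4 fragment may enter the reassembly queue.
 * pkt points at the IPv4 header; caplen is the number of bytes captured. */
enum frag_verdict check_fragment(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;
    uint32_t ihl = (uint32_t)(pkt[0] & 0x0F) * 4;           /* header bytes */
    uint32_t total_len = ((uint32_t)pkt[2] << 8) | pkt[3];  /* this fragment only */
    uint32_t frag = ((uint32_t)pkt[6] << 8) | pkt[7];
    uint32_t offset = (frag & 0x1FFF) * 8;                  /* 13 bits, 8-byte units */
    if (ihl < 20 || total_len < ihl || caplen < total_len)
        return FRAG_MALFORMED;
    uint32_t data_len = total_len - ihl;
    /* Assumption: this fragment's own header length stands in for the
     * reassembled datagram's header. 32-bit math cannot wrap here. */
    if (ihl + offset + data_len > IPV4_MAX_DATAGRAM)
        return FRAG_OVERSIZE;  /* discard before any copy into the buffer */
    return FRAG_ACCEPT;
}

/* Constructed sample input: zero-filled fragment with only the header fields
 * the check reads filled in. Hypothetical helper for the demo. */
enum frag_verdict check_constructed(uint16_t total_len, uint16_t offset_units, int more)
{
    static uint8_t buf[65535];
    uint16_t frag = (uint16_t)((offset_units & 0x1FFF) | (more ? 0x2000 : 0));
    memset(buf, 0, 20);
    buf[0] = 0x45;                       /* version 4, IHL 5 (20 bytes) */
    buf[2] = (uint8_t)(total_len >> 8);  buf[3] = (uint8_t)total_len;
    buf[6] = (uint8_t)(frag >> 8);       buf[7] = (uint8_t)frag;
    buf[9] = 1;                          /* protocol: ICMP */
    return check_fragment(buf, total_len);
}

int main(void)
{
    printf("first fragment, 1500 bytes:  %d\n", check_constructed(1500, 0, 1));
    printf("ends exactly at 65535:       %d\n", check_constructed(23, 8189, 0));
    printf("ends one byte past limit:    %d\n", check_constructed(24, 8189, 0));
    printf("max offset, 1480 data bytes: %d\n", check_constructed(1500, 8191, 0));
    return 0;
}
```

The verdict is reached from header fields alone, before any fragment data is copied, which is what keeps the reassembly buffer from being overrun.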
The IPv6 Variants
The original vulnerability targeted IPv4, but similar bugs have surfaced in IPv6 implementations. In 2013, a flaw in how Windows handled malformed IPv6 ping packets allowed remote denial-of-service attacks. Microsoft patched it that August. In 2020, a more serious bug was found in how Windows processed certain IPv6 router advertisement messages. That one was particularly dangerous because it could potentially allow an attacker to run code on the target machine, not just crash it. Both vulnerabilities have been patched, but they demonstrate that the underlying concept of exploiting packet-handling flaws remains relevant even in modern protocols.
How Modern Systems Defend Against It
Today’s defenses operate at multiple levels. Operating systems validate fragment sizes during reassembly, which stops the classic attack cold. But network firewalls add another layer by inspecting ICMP traffic before it ever reaches your devices. Modern firewalls can reject packets that are fragmented, unusually large, or arriving in suspicious patterns. Many include built-in DoS protection modules that automatically detect and drop repeated ping bursts or abnormal packet sizes from a single source.
For network administrators, the key settings are usually found under labels like “DoS protection,” “intrusion prevention,” or “ICMP control” in firewall configuration panels. Enabling these features and disabling unused ICMP message types (like timestamp and redirect) reduces the attack surface. Most enterprise-grade firewalls ship with these protections enabled by default, so the ping of death in its original form is largely a historical curiosity. The concept it proved, that a single malformed packet can bring down an entire system, shaped how operating systems and network equipment handle untrusted input to this day.

