mrb's blog

Live Demonstration of Intel "Packet of Death"

Keywords: bug networking security

Kristian Kielhofner has published interesting details about a bug affecting the Intel 82574L ethernet controller: a so-called "packet of death" that causes the Intel NIC to completely lose link status, until the next cold boot! Here is how you can reproduce the issue:

$ wget http://zorinaq.com/pub/intel-packet-of-death.txt

(If you just click the link to intel-packet-of-death.txt, it probably will not work, because you are already running a full-blown browser that downloaded kilobytes from zorinaq.com, see below.)

As soon as you run this command, your machine should lose network connectivity. In order to maximize the chance of reproducing the bug:

  • Run this command right after a cold boot, because the very first packet of 1152 bytes (or more) that it receives after a cold boot, with byte value 0x00-0x30,0x34-0xff at offset 0x47f, will inoculate the NIC until the next reboot. A desktop system typically downloads kilobytes of data when booting (utilities checking for updates, etc), so any of these large packets have a 253 out of 256 chance to inoculate it.
  • The HTTP response sent by zorinaq.com must be received by your computer as one or more packets where the first one is at least 1152-byte long (counting the Ethernet/IP/TCP/HTTP headers; my file assumes 14/20/20/0 bytes or more for these headers).
Comments

CloudShark wrote: We also uploaded the offending packet to our online packet viewer, CloudShark, with some notes on what to look for and links to Kristian's articles on the topic. Check it out here:

http://appliance.cloudshark.org/news/cloudshark-in-the-wild/intel-packet-of-death-capture/
07 Feb 2013 20:06 UTC

nuke wrote: Can you host a packet that inoculates the NIC? 09 Feb 2013 12:46 UTC

mrb wrote: nuke: replace every "2" character with "4" in the file. 09 Feb 2013 20:02 UTC