ICMP nukes (‘Click’ attacks) are an old form of denial-of-service (DoS) attack that uses malformed ICMP (Internet Control Message Protocol) packets to shut down a host or its network connections. The attacker runs a modified ping program that repeatedly sends the corrupt packets to the target; the target slows as it struggles to process them and eventually stops responding altogether, smothered by the traffic.
A second variant of this DoS attack does not crash the target at all: the attacker sends a forged ICMP error message (for example Destination Unreachable) to a server, claiming that the path to one of its connected clients has already failed, so the server tears down a connection that is in fact still alive. Because ICMP is a core part of Internet infrastructure that hosts are expected to honour, safeguarding against nukes was harder than simply blocking a protocol: the attacks abused the trust that ICMP and the surrounding Internet architecture placed in unauthenticated control messages.
WinNuke is the best known nuke. It affected Windows 95, Windows NT and Windows 3.1x. Despite the family name it did not use ICMP: the exploit sent a TCP segment carrying out-of-band (OOB) data to TCP port 139, the NetBIOS session service, forcing a Blue Screen of Death. The malicious TCP segments had the URG flag set and carried an Urgent Pointer that the named operating systems processed incorrectly. The attack was harmless to data on the victim's hard drive, but the crash still cost the user whatever work was unsaved.
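Both patterns above can be checked for passively on raw packets: the WinNuke segment is recognisable by its URG flag and non-zero Urgent Pointer aimed at TCP/139, and a forged "your peer is unreachable" ICMP message can be rejected by checking the header it quotes against the connections the host actually has. The following is an added example written for this page, not code from the original article or from any named project; all traffic is constructed inline with struct, and the addresses, ports, connection table and helper names (build_ipv4, build_tcp, check_tcp, check_icmp, inspect) are assumptions made for the demonstration.

```python
"""Passive checks for two nuke-era packet patterns, on raw IPv4 bytes.

Added example (constructed traffic, assumed addresses). It demonstrates:
  * the WinNuke pattern: TCP urgent (out-of-band) data aimed at NetBIOS port 139;
  * validating an ICMP Destination Unreachable against a connection table, so a
    forged "your peer is gone" message that matches no live connection is discarded.
"""
import struct
from ipaddress import ip_address

PROTO_ICMP, PROTO_TCP = 1, 6
TCP_URG = 0x20
ICMP_DEST_UNREACH = 3
NETBIOS_SSN_PORT = 139


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left zero: constructed test traffic only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, seq, flags, urg_ptr=0, payload=b""):
    """Minimal 20-byte TCP header; urg_ptr only means something when TCP_URG is set."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, urg_ptr) + payload


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "payload": pkt[ihl:total]}


def parse_tcp(seg):
    sport, dport, seq, _ack, off, flags, _win, _csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags, "urg_ptr": urg,
            "payload": seg[(off >> 4) * 4:]}


def check_tcp(tcp):
    """WinNuke pattern: URG flag plus a non-zero Urgent Pointer, aimed at the NetBIOS session port."""
    if tcp["dport"] == NETBIOS_SSN_PORT and tcp["flags"] & TCP_URG and tcp["urg_ptr"]:
        return "alert: urgent (OOB) data to TCP/139, WinNuke pattern"
    return "ok"


def check_icmp(icmp, connections):
    """Accept an ICMP error only if it quotes a segment we really sent.

    An ICMP error quotes the IP header and the first 8 bytes of the transport header of
    the datagram that triggered it, so (src, sport, dst, dport, seq) of the quoted segment
    can be checked against our connection table and SND.UNA..SND.NXT (the validation
    approach described in RFC 5927).
    """
    if icmp[0] != ICMP_DEST_UNREACH:
        return "ok"
    quoted = parse_ipv4(icmp[8:])                       # skip type, code, checksum, unused
    if quoted["proto"] != PROTO_TCP or len(quoted["payload"]) < 8:
        return "ok"
    sport, dport, seq = struct.unpack("!HHI", quoted["payload"][:8])
    conn = connections.get((quoted["src"], sport, quoted["dst"], dport))
    if conn is None:
        return "discard: quotes a connection we do not have"
    if not (conn["snd_una"] <= seq < conn["snd_nxt"]):
        return "discard: quoted sequence number outside the unacknowledged window"
    return "accept: matches an open connection"


def inspect(pkt, connections):
    """Dispatch one raw IPv4 datagram to the matching check and return a verdict string."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == PROTO_TCP:
        return check_tcp(parse_tcp(ip["payload"]))
    if ip["proto"] == PROTO_ICMP:
        return check_icmp(ip["payload"], connections)
    return "ok"


# Constructed sample traffic (assumed addresses): LOCAL has one TCP connection open to REMOTE.
LOCAL, REMOTE, ROUTER, ATTACKER = "10.0.0.5", "192.0.2.10", "192.0.2.1", "198.51.100.7"
CONNECTIONS = {(LOCAL, 40000, REMOTE, 80): {"snd_una": 1000, "snd_nxt": 1400}}


def dest_unreach(from_ip, quoted_seq, dport=80):
    """ICMP type 3, code 1 (host unreachable), quoting a segment allegedly sent by LOCAL."""
    quoted = build_ipv4(LOCAL, REMOTE, PROTO_TCP, build_tcp(40000, dport, quoted_seq, 0x18)[:8])
    return build_ipv4(from_ip, LOCAL, PROTO_ICMP, struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0) + quoted)


WINNUKE = build_ipv4(ATTACKER, LOCAL, PROTO_TCP, build_tcp(1234, 139, 1, 0x18 | TCP_URG, urg_ptr=3, payload=b"OOB"))
BENIGN_139 = build_ipv4(REMOTE, LOCAL, PROTO_TCP, build_tcp(1234, 139, 1, 0x18, payload=b"\x00\x00\x00\x04"))
GENUINE_ICMP = dest_unreach(ROUTER, 1200)               # a router reporting a segment we really sent
FORGED_ICMP = dest_unreach(ATTACKER, 99999)             # the nuke: right endpoints, guessed sequence number
UNKNOWN_ICMP = dest_unreach(ATTACKER, 1200, dport=443)  # the nuke: quotes a connection that does not exist

if __name__ == "__main__":
    samples = [("winnuke", WINNUKE), ("benign-139", BENIGN_139), ("genuine-icmp", GENUINE_ICMP),
               ("forged-icmp", FORGED_ICMP), ("unknown-icmp", UNKNOWN_ICMP)]
    for name, pkt in samples:
        print(f"{name:13} {inspect(pkt, CONNECTIONS)}")
```

The ICMP check is the interesting half for a defender: the forged message carries the correct four-tuple but a guessed sequence number, and only the comparison against the sender's own unacknowledged window separates it from the router's genuine report. The TCP check is deliberately narrow (URG plus a non-zero Urgent Pointer to port 139) so that ordinary NetBIOS session traffic to the same port does not trip it.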
A programmer known by the screen name “_eci” published the exploit's C source code in May 1997. Its spread pushed Microsoft to release security patches. For a time WinNuke thrived under numerous names and in many incarnations.
Once effective safeguards existed against those early incarnations, WinNuke reemerged years later when a similar exploit was found.