» ICMP use and abuse

Related categories: Security | Networks | Firewalls

Antonio Merola
Viewed: 12574 | Article date: 2006-04-24 14:41:53

We describe how the ICMP protocol is used and how it can be abused by intruders. We present all ICMP message types, their meaning and the ways in which they can be used. We explain how to configure a firewall to protect a system against such attacks.

ICMP is often regarded as a very innocent, harmless protocol. However, if not properly handled by the operating system or a firewall, it can be used by intruders for evil purposes.

About the author

Antonio Merola works as a senior security expert for Telecom Italia. During his professional career, he has been involved in many aspects of security. As a freelancer he serves several companies as a consultant and instructor on a wide variety of security topics. He has published IT articles in several Italian magazines. His recent interests include honeypots and IDS/IPS security solutions.

ICMP stands for Internet Control Message Protocol. It is in charge of delivering messages about non-transient error conditions. The protocol and its features are specified in RFC 792; Table 1 lists the RFC documents concerning ICMP. ICMP is used, for example, when a host receives a UDP datagram on a port nobody is listening on, or when IP fragmentation is required but the DF bit is set (see the sidebar IP fragmentation and ICMP). It is involved both in reporting error conditions and in querying the network.

What you will learn...

  • details on how ICMP works and what it's used for,

  • how ICMP can be used for reconnaissance, fingerprinting, covert channels, DoS and MITM attacks,

  • which ICMP message types can be used for malicious purposes and how,

  • how ICMP can disturb TCP connections,

  • how to protect against ICMP abuse.

What you should know...

  • how to use the *NIX operating system,

  • you should have basic knowledge about TCP/IP.

While ICMP is encapsulated in IP datagrams just like transport protocols such as TCP or UDP (OSI layer 4), it is a network-layer protocol (OSI layer 3) like IP itself. ICMP is an integral part of IP: it does not use a client-server scheme or port numbers, it can be broadcast, and it gives no guarantee that a message is delivered. The most important data in an ICMP message are the message type and the message code for that type. These two numbers occupy the first two bytes of the ICMP header (see Figure 1). Table 2 lists the various ICMP types and codes.

IP fragmentation and ICMP

IP datagrams are encapsulated in frames, and every transmission medium limits the size of frame it can carry. This limit is known as the MTU (Maximum Transmission Unit); a datagram larger than the MTU must be fragmented. A datagram can be prevented from fragmentation by setting the DF (Don't Fragment) flag in the IP header. If a router receives a packet too large for it to forward, the packet is simply fragmented and passed on, but if the DF bit is set the packet is dropped and an ICMP type 3 (destination unreachable), code 4 (fragmentation needed but don't-fragment bit set) message is returned to the sender. This tells the sending host that it needs to reduce the size of its packets in order to get through; the MTU of the next hop is included in the ICMP message, so the sender knows how big its packets can be.
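The header layout of Figure 1 and the Fragmentation Needed case above, worked as an added example (not code from the article): a small Python decoder that verifies the RFC 792 checksum, names the type and code, and for type 3 code 4 extracts the next-hop MTU and the quoted IP header of the datagram that triggered the error. The sample message, its addresses and the MTU value are constructed for this example.

```python
import struct

# Subset of Table 2, enough to name the messages a host sees most often.
ICMP_TYPE_NAMES = {0: "Echo reply", 3: "Destination unreachable",
                   8: "Echo request", 11: "Time exceeded"}
UNREACH_CODES = {0: "Net unreachable", 1: "Host unreachable", 3: "Port unreachable",
                 4: "Fragmentation needed and Don't fragment was set"}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Decode the ICMP header (Figure 1): type and code are the first two bytes."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code = msg[0], msg[1]
    info = {"type": icmp_type, "code": code,
            "name": ICMP_TYPE_NAMES.get(icmp_type, "other"),
            "checksum_ok": icmp_checksum(msg) == 0}  # 0 only if the message is intact
    if icmp_type == 3:
        info["reason"] = UNREACH_CODES.get(code, "code %d" % code)
        if code == 4:
            # Path MTU discovery (RFC 1191) places the next-hop MTU in header bytes 6-7.
            info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
        # Error messages quote the offending IP header plus 8 bytes of its payload, so
        # the sender can match the error to a particular connection.
        ihl = (msg[8] & 0x0F) * 4 if len(msg) > 8 else 0
        if ihl >= 20 and len(msg) >= 8 + ihl + 8:
            quoted = msg[8:8 + ihl]
            info["orig_proto"] = quoted[9]
            info["orig_dst"] = ".".join(str(b) for b in quoted[16:20])
    return info

def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Constructed sample: a type 3 code 4 message as a router would emit it."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

# Constructed quoted IP header: 1500-byte datagram, DF set, TCP, 10.0.0.5 -> 192.0.2.10,
# followed by the first 8 bytes of its TCP header.
SAMPLE_IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                            bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
SAMPLE_MSG = build_frag_needed(1400, SAMPLE_IP_HDR + b"\x00\x50\x1f\x90\x00\x00\x00\x01")
```

A filter that drops every type 3 message also drops this one and silently breaks Path MTU discovery, which is why ICMP filtering is done per type and code rather than for the protocol as a whole.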

Table 1. ICMP-related RFC documents

  RFC 792    Internet Control Message Protocol
  RFC 896    Source Quench
  RFC 950    Address Mask Extensions
  RFC 1122   Requirements for Internet Hosts - Communication Layers
  RFC 1191   Path MTU Discovery
  RFC 1256   Router Discovery
  RFC 1349   Type of Service in the Internet Protocol Suite
  RFC 1812   Requirements for IP version 4 Routers

Figure 1. ICMP message format

Table 2. ICMP types and codes

  Type    Name                                   Code
  0       Echo reply                             0 - No code
  1       Unassigned                             0 - No code
  2       Unassigned                             0 - No code
  3       Destination unreachable                0 - Net unreachable
                                                 1 - Host unreachable
                                                 2 - Protocol unreachable
                                                 3 - Port unreachable
                                                 4 - Fragmentation needed and Don't fragment was set
                                                 5 - Source route failed
                                                 6 - Destination network unknown
                                                 7 - Destination host unknown
                                                 8 - Source host isolated
                                                 9 - Communication with destination network is administratively prohibited
                                                 10 - Communication with destination host is administratively prohibited
                                                 11 - Destination network unreachable for type of service
                                                 12 - Destination host unreachable for type of service
                                                 13 - Communication administratively prohibited
                                                 14 - Host precedence violation
                                                 15 - Precedence cutoff in effect
  4       Source quench                          0 - No code
  5       Redirect                               0 - Redirect datagram for the network (or subnet)
                                                 1 - Redirect datagram for the host
                                                 2 - Redirect datagram for the type of service and network
                                                 3 - Redirect datagram for the type of service and host
  6       Alternate host address                 0 - Alternate address for host
  7       Unassigned                             0 - No code
  8       Echo request                           0 - No code
  9       Router advertisement                   0 - No code
  10      Router selection                       0 - No code
  11      Time exceeded                          0 - Time to Live exceeded in transit
                                                 1 - Fragment reassembly time exceeded
  12      Parameter problem                      0 - Pointer indicates the error
                                                 1 - Missing a required option
                                                 2 - Bad length
  13      Time stamp                             0 - No code
  14      Time stamp reply                       0 - No code
  15      Information request                    0 - No code
  16      Information reply                      0 - No code
  17      Address mask request                   0 - No code
  18      Address mask reply                     0 - No code
  19      Reserved (for security)                0 - No code
  20-29   Reserved (for robustness experiment)   0 - No code
  30      Traceroute                             0 - No code
  31      Datagram conversion error              0 - No code
  32      Mobile host redirect                   0 - No code
  33      IPv6 Where-Are-You                     0 - No code
  34      IPv6 I-Am-Here                         0 - No code
  35      Mobile registration request            0 - No code
  36      Mobile registration reply              0 - No code
  39      SKIP                                   0 - No code
  40      Photuris                               0 - Reserved
                                                 1 - Unknown security parameters index
                                                 2 - Valid security parameters, but authentication failed
                                                 3 - Valid security parameters, but decryption failed

Copyright (C) 2006 by Software Developer's Journal. All rights reserved.