In-Depth Notes on ICMP Protocol

Overview of ICMP

  • ICMP (Internet Control Message Protocol) is defined in RFC 792 (September 1981).
  • It provides feedback about network operations and the delivery of datagrams, though it does not guarantee reliability.
  • Used extensively in IP deployments and is sent within the IP packet payload.
  • ICMP is often associated with commands such as ping and traceroute, but its functionalities extend far beyond these tools.

Basic ICMP Operations

  • As per RFC, messages are intended to handle control events and should be processed by receiving devices.
  • Important rules regarding message handling:
    • ICMP error messages are not generated in response to datagrams addressed to broadcast or multicast addresses.
    • An ICMP error message is never generated in response to another ICMP error message, so delivery errors do not cascade.

ICMP Message Format

  • Type: Identifies the format and actions of the message.
  • Code: Provides specific operational actions related to the message type.
  • Checksum: A validation sum computed in 16-bit sections of the ICMP message (one’s complement of the one’s complement sum).

ICMP Message Types

  • Type 0: Echo Reply
  • Type 3: Destination Unreachable
  • Type 4: Source Quench
  • Type 5: Redirect
  • Type 8: Echo Request
  • Type 9: Router Advertisement
  • Type 10: Router Solicitation
  • Type 11: Time Exceeded
  • Type 12: Parameter Problem
  • Type 30: Traceroute

ICMP Message Codes

  • Codes provide additional context based on the Type:
    • Type 4, Code 0: Source Quench
    • Type 11, Code 0: TTL Count Exceeded
  • Some Types have a single code, generally set to zero.

ICMP Destination Unreachable

  • In a Type 3 message, the Code field gives the reason for the failure:
    • Code 0: Network Unreachable
    • Code 1: Host Unreachable
    • Code 2: Protocol Unreachable
    • Code 3: Port Unreachable
    • Additional codes for fragmentation issues and administrative prohibitions.
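The following is an added example, not code from these notes: it builds an Echo Request, computes the RFC 792 checksum (one's complement of the one's complement sum over 16-bit words), verifies the checksum on a received message, and decodes the Type/Code header, naming types and Destination Unreachable codes from the tables above. The type and code dictionaries cover only the values listed in these notes; the constructed sample messages and the function names are assumptions for the example.

```python
import struct

# Type and code names limited to the values listed in the notes.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 9: "Router Advertisement",
              10: "Router Solicitation", 11: "Time Exceeded",
              12: "Parameter Problem", 30: "Traceroute"}
UNREACHABLE_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                     2: "Protocol Unreachable", 3: "Port Unreachable"}


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's complement sum of the
    message taken as 16-bit big-endian words (checksum field zeroed by caller)."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, Code 0 message with identifier, sequence number and payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum field = 0 while summing
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def verify_checksum(msg: bytes) -> bool:
    """Summing a correct message including its checksum field gives 0xFFFF,
    whose complement is 0; any flipped bit breaks that property."""
    return icmp_checksum(msg) == 0


def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header and the type-specific body."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    itype, code, _csum = struct.unpack("!BBH", msg[:4])
    info = {"type": itype, "type_name": ICMP_TYPES.get(itype, "Unknown"),
            "code": code, "checksum_ok": verify_checksum(msg)}
    if itype in (0, 8):                      # Echo Reply / Echo Request
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["payload"] = msg[8:]
    elif itype == 3:                         # Destination Unreachable
        info["code_name"] = UNREACHABLE_CODES.get(code, "Other")
        # bytes 8.. carry the IP header plus the first 8 bytes of the failed datagram
        info["original_datagram"] = msg[8:]
    return info


if __name__ == "__main__":
    # Constructed sample: a 16-byte Echo Request and its decoded header.
    sample = build_echo_request(7, 2, b"abcdefgh")
    print(sample.hex())
    print(parse_icmp(sample))
```

The verification trick in verify_checksum is the standard receiver-side check: a message whose checksum field is already filled in sums to all ones, so recomputing the checksum over the whole message yields zero.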

ICMP Operations: Ping

  • Ping operation uses two ICMP message types:
    • Initial message: Type 8, Code 0 (Echo Request).
    • Response message: Type 0, Code 0 (Echo Reply).
  • Ping can be analyzed using tools like Wireshark.

ICMP Operations: Traceroute

  • Traceroute determines the route a packet takes to reach its destination by identifying each hop along the path.
  • Utilizes one message type: Type 30, Code 0.

ICMP Operations: Unreachable Messages

  • Unreachable messages are generated for distinct reasons, such as route failures or delivery errors.
  • Different failure scenarios produce different ICMP messages for the packet that could not be delivered.

Security Implications of ICMP

  • ICMP is inherently insecure and susceptible to various attacks:
    • Ping of Death: Sending a malformed message.
    • Smurf Attack: Amplification attack via ICMP requests.
    • ICMP Sweep: Discovering hosts via ping sweeps.
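As an added example, not part of the original notes, the script below shows how a defender can spot two of the patterns above in ICMP flow records: an ICMP sweep (one source sending Echo Requests to many distinct hosts within a short window) and the Smurf precursor of an Echo Request addressed to a network's directed-broadcast address. The record format ("timestamp source destination type code"), the thresholds, the sample log lines and the function names are all constructed assumptions for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed thresholds: ten distinct Echo Request destinations from one source
# within sixty seconds is treated as a sweep.
SWEEP_DISTINCT_HOSTS = 10
SWEEP_WINDOW_SECONDS = 60


def parse_flow_line(line: str) -> dict:
    """Constructed record format: 'ts src dst icmp_type icmp_code'."""
    ts, src, dst, itype, code = line.split()
    return {"ts": float(ts), "src": src, "dst": dst,
            "type": int(itype), "code": int(code)}


def detect_sweeps(records, distinct=SWEEP_DISTINCT_HOSTS, window=SWEEP_WINDOW_SECONDS):
    """Sliding window per source: alert once when the number of distinct
    Echo Request (Type 8) destinations reaches the threshold."""
    alerts, alerted = [], set()
    history = defaultdict(list)              # src -> [(ts, dst), ...] in time order
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["type"] != 8:
            continue
        hist = history[r["src"]]
        hist.append((r["ts"], r["dst"]))
        while hist and r["ts"] - hist[0][0] > window:   # expire old entries
            hist.pop(0)
        targets = {dst for _, dst in hist}
        if len(targets) >= distinct and r["src"] not in alerted:
            alerted.add(r["src"])
            alerts.append({"kind": "icmp_sweep", "src": r["src"],
                           "targets": len(targets), "ts": r["ts"]})
    return alerts


def detect_broadcast_echo(records, local_nets):
    """Echo Requests sent to the directed-broadcast address of a local network,
    the amplification pattern behind a Smurf attack."""
    nets = [ip_network(n) for n in local_nets]
    return [{"kind": "broadcast_echo_request", "src": r["src"], "dst": r["dst"], "ts": r["ts"]}
            for r in records
            if r["type"] == 8 and any(ip_address(r["dst"]) == n.broadcast_address for n in nets)]


# Constructed sample log: a 12-host sweep from 10.0.0.5 over 36 seconds,
# ordinary ping/reply pairs from 10.0.0.7, and one broadcast-directed request.
SAMPLE_LOG = "\n".join(
    ["%d 10.0.0.5 10.0.1.%d 8 0" % (100 + i * 3, i + 1) for i in range(12)]
    + ["100 10.0.0.7 10.0.1.1 8 0", "100 10.0.1.1 10.0.0.7 0 0",
       "150 10.0.0.7 10.0.1.1 8 0", "150 10.0.1.1 10.0.0.7 0 0",
       "200 10.0.0.99 192.168.1.255 8 0"]
)


def run(log: str = SAMPLE_LOG, local_nets=("10.0.0.0/16", "192.168.1.0/24")) -> list:
    records = [parse_flow_line(line) for line in log.splitlines() if line.strip()]
    return detect_sweeps(records) + detect_broadcast_echo(records, local_nets)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Echo Replies (Type 0) are deliberately ignored by the sweep detector so that a busy but legitimate responder is not flagged; in a real deployment the thresholds would be tuned to the monitoring hosts and management tools that routinely ping the network.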

Network Design Considerations

  • Implement security measures to mitigate risks associated with ICMP:
    • Block incoming Echo Requests on external interfaces.
    • Rate limit outgoing Echo Requests from internal sources.
    • Restrict outgoing Destination Host Unknown messages.
    • Block incoming Traceroute messages and certain unreachable message types.
    • Deploy IDS/IPS systems to combat ICMP-based OS fingerprinting.

Practical Skills with ICMP

  • Identify message types sent by hosts and routers.
  • Use ICMP messages for troubleshooting network problems.
  • Analyze ICMP messages as part of network security evaluations.
  • Understand potential attacks using ICMP messages and their implications for your network's security.