OL

In-Depth Notes on ICMP Protocol

Overview of ICMP

  • ICMP (Internet Control Message Protocol) is defined in RFC 792 (September 1981).
  • It provides feedback about network operations and the delivery of datagrams, though it does not guarantee reliability.
  • Used extensively in IP deployments and is sent within the IP packet payload.
  • ICMP is often associated with commands such as ping and traceroute, but its functionalities extend far beyond these tools.

Basic ICMP Operations

  • As per RFC, messages are intended to handle control events and should be processed by receiving devices.
  • Important rules regarding message handling:
    • Broadcast and multicast messages cannot create ICMP messages.
    • Errors in sending ICMP messages do not trigger additional ICMP messages for error reporting.

ICMP Message Format

  • Type: Identifies the format and actions of the message.
  • Code: Provides specific operational actions related to the message type.
  • Checksum: A validation sum computed in 16-bit sections of the ICMP message (one’s complement of the one’s complement sum).

ICMP Message Types

  • Type 0: Echo Reply
  • Type 3: Destination Unreachable
  • Type 4: Source Quench
  • Type 5: Redirect
  • Type 8: Echo Request
  • Type 9: Router Advertisement
  • Type 10: Router Solicitation
  • Type 11: Time Exceeded
  • Type 12: Parameter Problem
  • Type 30: Traceroute

ICMP Message Codes

  • Codes provide additional context based on the Type:
    • Type 4, Code 0: Source Quench
    • Type 11, Code 0: TTL Count Exceeded
  • Some Types have a single code, generally set to zero.

ICMP Destination Unreachable

  • Type 3 Code X provides details on the failure type:
    • Code 0: Network Unreachable
    • Code 1: Host Unreachable
    • Code 2: Protocol Unreachable
    • Code 3: Port Unreachable
    • Additional codes for fragmentation issues and administrative prohibitions.

ICMP Operations: Ping

  • Ping operation uses two ICMP message types:
    • Initial message: Type 8, Code 0 (Echo Request).
    • Response message: Type 0, Code 0 (Echo Reply).
  • Ping can be analyzed using tools like Wireshark.

ICMP Operations: Traceroute

  • Traceroute determines the route a packet takes to reach its destination by identifying each hop along the path.
  • Utilizes one message type: Type 30, Code 0.

ICMP Operations: Unreachable Messages

  • Distinct reasons exist for unreachability messages, such as route failures or delivery errors.
  • Different scenarios lead to different ICMP messages generated for undelivered packets.

Security Implications of ICMP

  • ICMP is inherently insecure and susceptible to various attacks:
    • Ping of Death: Sending a malformed message.
    • Smurf Attack: Amplification attack via ICMP requests.
    • ICMP Sweep: Discovering hosts via ping sweeps.

Network Design Considerations

  • Implement security measures to mitigate risks associated with ICMP:
    • Block incoming Echo Requests on external interfaces.
    • Rate limit outgoing Echo Requests from internal sources.
    • Restrict outgoing Destination Host Unknown messages.
    • Block incoming Traceroute messages and certain unreachable message types.
    • Deploy IDS/IPS systems to combat ICMP-based OS fingerprinting.

Practical Skills with ICMP

  • Identify message types sent by hosts and routers.
  • Use ICMP messages for troubleshooting network problems.
  • Analyze ICMP messages as part of network security evaluations.
  • Understand potential attacks using ICMP messages and their implications for your network's security.