Internet Control Message Protocol (ICMP): slide transcript

Posted 19-Dec-2015 (category: Documents)

Internet Control Message Protocol (ICMP)

Introduction

The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected networks. The devices that connect the networks are called gateways. These gateways communicate between themselves for control purposes via a Gateway to Gateway Protocol (GGP). Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing. For such purposes this protocol, the Internet Control Message Protocol (ICMP), is used. ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP is actually an integral part of IP, and must be implemented by every IP module.

Use Cases

ICMP messages are sent in several situations: for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.

Purpose

The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. There are still no guarantees that a datagram will be delivered or that a control message will be returned. Some datagrams may still be undelivered without any report of their loss. The higher level protocols that use IP must implement their own reliability procedures if reliable communication is required.

Loops, anyone?

ICMP messages typically report errors in the processing of datagrams. To avoid an infinite regress of messages about messages, no ICMP messages are sent about ICMP messages. More precisely (RFC 1122), no ICMP error message is ever sent in response to an ICMP error message; errors about ICMP queries are still reported, which is what lets traceroute work with Echo Request probes.

ICMP message format

bit #    0        7 8       15 16       23 24       31
        +----------+----------+----------+----------+
        |   type   |   code   |       checksum      |
        +----------+----------+----------+----------+
        |    additional information or 0x00000000   |
        +-------------------------------------------+

4 byte header:
  Type (1 byte): type of ICMP message
  Code (1 byte): subtype of ICMP message
  Checksum (2 bytes): computed like the IP header checksum, but over the entire ICMP message (header and data), not just the header

If there is no additional information, the remaining 4 bytes of the header are set to zero, so each ICMP message is at least 8 bytes long.

ICMP message format

ICMP messages are sent using the basic IP header. The first octet of the data portion of the datagram is an ICMP type field; the value of this field determines the format of the remaining data. Any field labeled "unused" is reserved for later extensions and must be zero when sent, but receivers should not use these fields (except to include them in the checksum).

Values of the internet header fields

  Version - 4
  IHL - Internet header length in 32-bit words.
  Type of Service - 0
  Total Length - Length of internet header and data in octets.
  Identification, Flags, Fragment Offset - used in fragmentation, as for any IP datagram.
  TTL - the value in this field should be at least as great as the number of gateways which this datagram will traverse.
  Protocol - ICMP = 1
  Header Checksum - the 16-bit one's complement of the one's complement sum of all 16-bit words in the header; the checksum field itself is taken as zero while computing it.
  Source Address - the address of the gateway or host that composes the ICMP message. Unless otherwise noted, this can be any of a gateway's addresses.
  Destination Address - the address of the gateway or host to which the message should be sent.

ICMP Query message

ICMP query:
  Request: sent by a host to a router or host
  Reply: sent back to the querying host

  Host  ---- ICMP Request ---->  Host or router
  Host  <---- ICMP Reply ------  Host or router

Example of ICMP Queries

  Type/Code   Description
  8/0         Echo Request
  0/0         Echo Reply
  13/0        Timestamp Request
  14/0        Timestamp Reply
  10/0        Router Solicitation
  9/0         Router Advertisement

The ping command uses Echo Request / Echo Reply.
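As an added example (not part of the original slides), the 4-byte header, the checksum over the entire message and the 8-byte minimum described on the format slides, exercised on the Echo Request / Echo Reply pair that ping uses. The identifier and sequence values are arbitrary, and nothing here touches the network.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def icmp_checksum(message: bytes) -> int:
    """RFC 1071 checksum over the entire ICMP message (header + data).
    The checksum field itself is taken as zero while computing."""
    if len(message) % 2:                      # pad an odd-length message with one zero byte
        message += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(message) // 2), message))
    while total >> 16:                        # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type: int, code: int, rest: bytes = b"\x00" * 4, data: bytes = b"") -> bytes:
    """Type (1) | Code (1) | Checksum (2) | rest of header (4) | data.
    With no additional information the second word is four zero bytes,
    so every message is at least 8 bytes long."""
    if len(rest) != 4:
        raise ValueError("the second header word must be exactly 4 bytes")
    body = struct.pack("!BBH", msg_type, code, 0) + rest + data
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_icmp(message: bytes) -> dict:
    """Enforce the 8-byte minimum, verify the checksum, then split the fields."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(message) != 0:           # a valid message sums to zero with its checksum included
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, checksum = struct.unpack("!BBH", message[:4])
    return {"type": msg_type, "code": code, "checksum": checksum,
            "rest": message[4:8], "data": message[8:]}


def build_echo_request(ident: int, seq: int, data: bytes = b"") -> bytes:
    """What ping sends: type 8, code 0, identifier and sequence number in the second word."""
    return build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), data)


def build_echo_reply(request: bytes) -> bytes:
    """What the target answers: type 0, with identifier, sequence and data copied back."""
    msg = parse_icmp(request)
    if msg["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an Echo Request")
    return build_icmp(ICMP_ECHO_REPLY, 0, msg["rest"], msg["data"])


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1)
    print(req.hex())                          # 0800e5ca12340001
    print(parse_icmp(build_echo_reply(req)))
```

The checksum is the same one's-complement arithmetic as the IP header checksum; the only difference the slides point out is its scope, which is why `icmp_checksum` is handed the whole message including any data.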

ICMP Error message

ICMP error messages report error conditions. They are typically sent when a datagram is discarded. The error message is often passed from ICMP to the application program.

  Host  ---- IP datagram --------->  Host or router   (IP datagram is discarded)
  Host  <--- ICMP Error Message ---  Host or router

ICMP Error message

ICMP error messages include the complete IP header and the first 8 bytes of the payload (typically the UDP or TCP header) of the IP datagram that triggered the error.

  +-----------+-------------------------------------------+-----------+--------------------+
  | IP header | type | code | checksum | unused (0x00000000) | IP header | 8 bytes of payload |
  +-----------+-------------------------------------------+-----------+--------------------+
               <-------------- ICMP header -------------->  <---- from the IP datagram ---->
                                                            <--- that triggered the error -->

Frequent ICMP Error messages

  Type  Code   Description
  3     0-15   Destination unreachable: notification that an IP datagram could not be forwarded and was dropped. The code field contains an explanation.
  5     0-3    Redirect: informs about an alternative route for the datagram and should result in a routing table update. The code field explains the reason for the route change.
  11    0, 1   Time exceeded: sent when the TTL field has reached zero (Code 0) or when there is a timeout for the reassembly of fragments (Code 1).
  12    0, 1   Parameter problem: sent when the IP header is invalid (Code 0) or when a required IP header option is missing (Code 1).

Some subtypes of the "Destination Unreachable" message

  Code  Description                            Reason for sending
  0     Network Unreachable                    No routing table entry is available for the destination network.
  1     Host Unreachable                       Destination host should be directly reachable, but does not respond to ARP requests.
  2     Protocol Unreachable                   The protocol in the protocol field of the IP header is not supported at the destination.
  3     Port Unreachable                       The transport protocol at the destination host cannot pass the datagram to an application.
  4     Fragmentation Needed and DF Bit Set    The IP datagram must be fragmented, but the DF bit in the IP header is set.

Example: ICMP Port Unreachable

RFC 792: If, in the destination host, the IP module cannot deliver the datagram because the indicated protocol module or process port is not active, the destination host may send a destination unreachable message to the source host.

Scenario:

  Client  ---- request a service at port 80 ---->  Server   (no process is waiting at port 80)
  Client  <--- ICMP Port Unreachable ------------  Server

Note that this is the behaviour of a closed UDP port: a closed TCP port normally answers with a TCP RST segment rather than an ICMP error, which is why the fingerprinting techniques later in these slides probe closed UDP ports.

ICMP Fingerprinting

ICMP error message quoting size

Each ICMP error message includes the IP header and at least the first eight data bytes of the datagram that triggered the error (the offending datagram); more than eight bytes may be sent according to RFC 1122. Most operating systems will quote the offending packet's IP header and the first eight data bytes of the datagram that triggered the error. Several operating systems and networking devices will echo more than eight data bytes. Examples of operating systems that quote more include: Linux based on kernel 2.0.x/2.2.x/2.4.x, Sun Solaris 2.x, HPUX 1.x, MacOS 7.x–9.x (10.x not checked), Nokia boxes, Foundry switches (and other OSes and several networking devices).

ICMP Fingerprinting

ICMP error message echoing integrity

When sending back an ICMP error message, some stack implementations may alter the offending packet's IP header and the underlying protocol's data, which is echoed back with the ICMP error message. The only two field values we expect to be changed are the IP time-to-live field value and the IP header checksum. The IP time-to-live (TTL) field value changes because the field is decreased by one each time the IP header is processed by a router. The IP header checksum is recalculated each time the IP TTL field value is decreased. We can take advantage of ICMP Port Unreachable error messages triggered by UDP datagrams sent to closed UDP ports: by examining several IP header and UDP-related field values of the offending packet as echoed in the ICMP error message, we can detect certain types of alteration, and the set of alterations a stack makes helps identify it.

ICMP Fingerprinting

ICMP error message echoing integrity: fields to examine

  • IP total length field
  • IP ID
  • Fragmentation flags and offset fields
  • IP header checksum
  • UDP header checksum
  • Precedence bits issues with ICMP error messages

ICMP Fingerprinting

DF bit echoing with ICMP error messages

  • Some operating systems set the DF (don't fragment) bit in the error quoting when the DF bit is set in the offending packet. Some OSs will not.
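As an added example (not from the slides), the error-message layout, the quoting-size check, the echoing-integrity comparison and the DF-bit observation, all run against constructed packets rather than a capture: a UDP probe to a closed port, and two Port Unreachable replies, one that quotes the offending datagram exactly as RFC 792 describes and one from a hypothetical stack that quotes the whole datagram but zeroes the IP ID and clears DF. The addresses, ports and the 3-hop TTL aging are assumptions; the UDP checksum is left at zero (which IPv4 permits) to keep the example short.

```python
import socket
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # dest. unreachable, source quench, redirect, time exceeded, parameter problem
IP_PROTO_ICMP, IP_PROTO_UDP = 1, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IP header, or the whole ICMP message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234, df=True, tos=0):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4_header(buf: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"ihl": (f[0] & 0x0F) * 4, "tos": f[1], "total_length": f[2], "id": f[3],
            "df": bool(f[4] & 0x4000), "frag_offset": f[4] & 0x1FFF, "ttl": f[5],
            "proto": f[6], "checksum": f[7],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9])}


def as_received(datagram: bytes, hops: int) -> bytes:
    """The copy the destination sees: TTL decremented once per router and the
    header checksum recomputed. These are the only legitimate changes."""
    hdr = bytearray(datagram[:20])
    hdr[8] -= hops
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return bytes(hdr) + datagram[20:]


def build_icmp_error(msg_type: int, code: int, quoted: bytes) -> bytes:
    """Type | Code | Checksum | 4 unused bytes (zero) | quoted offending datagram."""
    body = struct.pack("!BBHI", msg_type, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_icmp_error(packet: bytes) -> dict:
    """Dissect an IPv4 datagram carrying an ICMP error and pull the quoted IP
    header plus the first 8 payload bytes (the UDP/TCP ports) out of it."""
    outer = parse_ipv4_header(packet)
    icmp = packet[outer["ihl"]:]
    if outer["proto"] != IP_PROTO_ICMP or len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("not a well-formed ICMP message")
    msg_type, code, _, unused = struct.unpack("!BBHI", icmp[:8])
    if msg_type not in ICMP_ERROR_TYPES:
        raise ValueError("type %d is not an ICMP error message" % msg_type)
    quoted = icmp[8:]
    inner = parse_ipv4_header(quoted)
    inner_payload = quoted[inner["ihl"]:]
    if len(inner_payload) < 8:
        raise ValueError("RFC 792 requires at least 8 bytes of the offending datagram's data")
    sport, dport = struct.unpack("!HH", inner_payload[:4])
    return {"type": msg_type, "code": code, "unused_is_zero": unused == 0,
            "inner": inner, "sport": sport, "dport": dport,
            "quoted_payload_len": len(inner_payload), "quoted": quoted}


def unexpected_changes(sent: bytes, quoted: bytes) -> set:
    """Echoed fields that differ from what we sent, minus TTL and header checksum."""
    a, b = parse_ipv4_header(sent), parse_ipv4_header(quoted)
    diffs = {k for k in a if a[k] != b[k]}
    if sent[a["ihl"]:a["ihl"] + 8] != quoted[b["ihl"]:b["ihl"] + 8]:
        diffs.add("transport_header")     # ports, length and UDP checksum must come back intact
    return diffs - {"ttl", "checksum"}


def demo() -> dict:
    client, server = "192.0.2.10", "198.51.100.7"                  # constructed, documentation ranges
    udp = struct.pack("!HHHH", 40000, 33434, 8 + 5, 0) + b"probe"  # UDP checksum 0 = not computed
    probe = build_ipv4(client, server, IP_PROTO_UDP, udp)          # DF set, IP ID 0x1234, TTL 64
    arrived = as_received(probe, hops=3)
    quoted_a = arrived[:28]                   # stack A: RFC 792, IP header + first 8 data bytes
    quirk = bytearray(arrived)                # stack B (hypothetical): whole datagram quoted,
    quirk[4:6] = b"\x00\x00"                  #   but IP ID zeroed ...
    quirk[6:8] = b"\x00\x00"                  #   ... and DF cleared
    out = {}
    for name, quoted in (("rfc792", quoted_a), ("quirky", bytes(quirk))):
        reply = build_ipv4(server, client, IP_PROTO_ICMP, build_icmp_error(3, 3, quoted), df=False)
        parsed = parse_icmp_error(reply)
        parsed["unexpected"] = unexpected_changes(probe, parsed["quoted"])
        out[name] = parsed
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "type/code %d/%d" % (r["type"], r["code"]), "dport", r["dport"],
              "quoted payload bytes", r["quoted_payload_len"], "unexpected", r["unexpected"])
```

The quoting size is simply the length of what follows the quoted IP header; the integrity check diffs every header field and the first 8 transport bytes and then discards the two differences the slides say are legitimate, so whatever remains (here the IP ID and DF bit for the hypothetical stack) is the fingerprint.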

The IP time-to-live field value with ICMP messages

  • The sender sets the time-to-live field to a value that represents the maximum time the datagram is allowed to travel on the Internet. In practice, the TTL gets decremented each time a packet passes through a router or IP stack. The TTL field value with ICMP has two separate values, one for ICMP query messages and one for ICMP query replies. The TTL field value helps identify certain operating systems and groups of operating systems. It also provides the simplest means to add another check criterion when we are querying other hosts or listening to traffic (sniffing).

ICMP Fingerprinting

Using code field values different from zero with ICMP Echo Requests

  • When an ICMP code field value different from zero is sent with an ICMP Echo Request message (type 8), Microsoft-based operating systems that answer the query send back an ICMP code field value of zero in their ICMP Echo Reply. Other operating systems (and networking devices) echo back the ICMP code field value that was used in the ICMP Echo Request.

ICMP Fingerprinting

TOS echoing

  • RFC 1349 defines the use of the type-of-service field with ICMP messages. It distinguishes between ICMP error messages (Destination Unreachable, Source Quench, Redirect, Time Exceeded, and Parameter Problem), query messages (Echo, Router Solicitation, Timestamp, Information Request, Address Mask Request), and reply messages (Echo Reply, Router Advertisement, Timestamp Reply, Information Reply, Address Mask Reply). Simple rules are defined: an ICMP error message is always sent with the default TOS (0). An ICMP request message may be sent with any value in the TOS field; a mechanism to allow the user to specify the TOS value to be used would be a useful feature in many applications that generate ICMP request messages. The RFC further specifies that although ICMP request messages are normally sent with the default TOS, there are sometimes good reasons why they would be sent with some other TOS value. An ICMP reply message is sent with the same value in the TOS field as was used in the corresponding ICMP request message. Some operating systems ignore RFC 1349 when sending ICMP Echo Reply messages and will not send the same value in the TOS field as was used in the corresponding ICMP request message.
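An added example (not from the slides) for the three query-side observations above: the initial TTL, the ICMP code field when a non-zero code is sent in the Echo Request, and RFC 1349 TOS echoing. It classifies two constructed Echo Replies, one from a stack that resets the code and TOS (the behaviour the slides attribute to Microsoft-based systems) and one that echoes both. The initial-TTL candidates 32/64/128/255, the 5-hop distance and the addresses are assumptions, not facts from the slides.

```python
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IP header or whole ICMP message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def initial_ttl_guess(observed_ttl: int):
    """Round the observed TTL up to the nearest common initial value and
    estimate the hop count. The candidate set is an assumption about common stacks."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start, start - observed_ttl
    raise ValueError("TTL cannot exceed 255")


def fingerprint_echo_reply(sent_code: int, sent_tos: int, reply_packet: bytes) -> dict:
    """Classify a raw IPv4 datagram carrying an ICMP Echo Reply against the probe we sent."""
    vihl, tos, _, _, _, ttl, proto = struct.unpack("!BBHHHBB", reply_packet[:10])
    icmp = reply_packet[(vihl & 0x0F) * 4:]
    if proto != 1 or len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("not a well-formed ICMP message")
    msg_type, code = icmp[0], icmp[1]
    if msg_type != 0:
        raise ValueError("type %d is not an Echo Reply" % msg_type)
    initial_ttl, hops = initial_ttl_guess(ttl)
    return {
        "code_echoed": code == sent_code,   # slides: Microsoft-based stacks answer with code 0 regardless
        "tos_echoed": tos == sent_tos,      # RFC 1349: the reply carries the request's TOS
        "initial_ttl": initial_ttl,
        "hops_estimate": hops,
    }


# --- constructed sample traffic (not a capture) ---
def _ipv4_icmp(src: bytes, dst: bytes, icmp: bytes, ttl: int, tos: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 1, 0, ttl, 1, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + icmp


def _echo_reply(code: int, ident: int, seq: int, data: bytes) -> bytes:
    body = struct.pack("!BBHHH", 0, code, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def demo(sent_code: int = 5, sent_tos: int = 0x10) -> dict:
    src, dst = bytes((198, 51, 100, 7)), bytes((192, 0, 2, 10))
    # Style A: code reset to 0, TOS not copied back, initial TTL 128 aged over 5 hops.
    reply_a = _ipv4_icmp(src, dst, _echo_reply(0, 0x1234, 1, b"probe"), ttl=123, tos=0)
    # Style B: code and TOS echoed, initial TTL 64 aged over 5 hops.
    reply_b = _ipv4_icmp(src, dst, _echo_reply(sent_code, 0x1234, 1, b"probe"), ttl=59, tos=sent_tos)
    return {"resets_code": fingerprint_echo_reply(sent_code, sent_tos, reply_a),
            "echoes_code": fingerprint_echo_reply(sent_code, sent_tos, reply_b)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

None of the three signals is conclusive on its own (a middlebox can rewrite TOS, and a TTL of 123 is ambiguous between a 128-start host 5 hops away and an unusual stack), which is why the slides present them as extra check criteria to combine with the error-message quoting tests.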

References

http://www.ietf.org/rfc/rfc0792.txt?number=792

http://www.phrack.org/show.php?p=57&a=7

http://www.sys-security.com/archive/articles/login.pdf