Role of ICMP

Internet Control Message Protocol

By Venkata Naga Chaturvedula, Thomson Erelli, Kiran Nukalapati

Transcript of Role of ICMP

Page 1: Role of ICMP

Internet Control Message Protocol

By Venkata Naga Chaturvedula, Thomson Erelli, Kiran Nukalapati

Page 2: Role of ICMP

About the Internet Control Message Protocol

The Internet Control Message Protocol (ICMP) is a classic example of a client-server application. ICMP is part of the Internet protocol suite and is defined in RFC 792.

The ICMP server executes on all IP end system computers and all IP intermediate systems (i.e. routers).

Page 3: Role of ICMP

About the Internet Control Message Protocol

The protocol is used to report problems with delivery of IP datagrams within an IP network.

It can be used to show when a particular end system is not responding, when an IP network is not reachable, when a node is overloaded, when an error occurs in the IP header information, etc.

The protocol is also frequently used by Internet managers to verify correct operation of end systems and to check that routers are correctly routing packets to the specified destinations.

Page 4: Role of ICMP

About the Internet Control Message Protocol

The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected networks called the Catenet.

The network connecting devices are called Gateways.

These gateways communicate between themselves for control purposes via a Gateway to Gateway Protocol (GGP).

Page 5: Role of ICMP

About the Internet Control Message Protocol

Occasionally a gateway or destination host will communicate with a source host, for example, to report an error in datagram processing.

ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP is actually an integral part of IP, and must be implemented by every IP module.

Page 6: Role of ICMP

Purpose of ICMP

The Internet Control Message Protocol is a protocol for the exchange of error messages and other vital information between (physical) Internet entities such as hosts and routers.

Page 7: Role of ICMP

ICMP in the TCP/IP protocol suite

ICMP is a network layer protocol; it is often placed next to the IP protocol. Each ICMP message is carried as the data area of an IP datagram, which is in turn carried in a link-layer frame:

    ICMP Header  | ICMP Data Area
    IP Header    | IP Data Area    (carries the ICMP header and data)
    Frame Header | Frame Area      (carries the IP header and data)

Page 8: Role of ICMP

ICMP in the TCP/IP protocol suite

ICMP lies just above IP, as ICMP messages are carried inside IP packets.

ICMP messages are carried as IP payload, just as TCP/UDP segments are carried as IP payload. When a host receives an IP packet with ICMP specified as the upper layer protocol, it demultiplexes the packet to ICMP, just as it would demultiplex a packet to TCP/UDP.

Page 9: Role of ICMP

ICMP functions

Announce network errors: such as a host or an entire portion of the network being unreachable, due to some type of failure. A TCP or UDP packet directed at a port number with no receiver attached is also reported via ICMP.

Announce network congestion: When a router begins buffering too many packets, due to an inability to transmit them as fast as they are being received, it will generate ICMP Source Quench messages. Directed at the sender, these messages should cause the rate of packet transmission to be slowed.

Page 10: Role of ICMP

ICMP functions

Assist troubleshooting: ICMP supports an Echo function, which just sends a packet on a round-trip between two hosts. Ping, a common network management tool, is based on this feature. Ping will transmit a series of packets, measuring average round-trip times and computing loss percentages.

Announce timeouts: If an IP packet's TTL field drops to zero, the router discarding the packet will often generate an ICMP packet announcing this fact. Traceroute is a tool which maps network routes by sending packets with small TTL values and watching the ICMP timeout announcements.

Page 11: Role of ICMP

ICMP Applications

There are two simple and widely used applications which are based on ICMP:

Ping

Traceroute

Page 12: Role of ICMP

ICMP Applications

PING: The ping utility checks whether a host is alive and reachable or not. This is done by sending an ICMP Echo Request packet to the host, and waiting for an ICMP Echo Reply from the host.

TRACEROUTE: Traceroute is a utility that records the route (the specific gateway computers at each hop) through the Internet between your computer and a specified destination computer. It also calculates and displays the amount of time each hop took.

Page 13: Role of ICMP

ICMP Operation

Page 14: Role of ICMP

ICMP datagram structure

The ICMP datagram, being an IP datagram, contains the usual IP header. This is followed by an ICMP header, which varies slightly between the different types of ICMP message. The general format is shown below:

Page 15: Role of ICMP

ICMP Message Types

Type  Message Type             Description
3     Destination Unreachable  Packet could not be delivered
11    Time Exceeded            Time to live field hit 0
12    Parameter Problem        Invalid header field
4     Source Quench            Choke packet
5     Redirect                 Teach a router about geography
8     Echo                     Ask a machine if it is alive
0     Echo Reply               Yes, I am alive
13    Timestamp Request        Same as Echo request, but with timestamp
14    Timestamp Reply          Same as Echo reply, but with timestamp

Page 16: Role of ICMP

More about Message Types

The DESTINATION UNREACHABLE message is used when the subnet or a router cannot locate the destination.

The TIME EXCEEDED message is sent when a packet is dropped because its counter has reached zero. This event is a symptom that packets are looping, that there is enormous congestion, or that the timer values are being set too low.

The PARAMETER PROBLEM message indicates that an illegal value has been detected in a header field. This problem indicates a bug in the sending host's IP software or possibly in the software of a router transited.

The SOURCE QUENCH message was formerly used to throttle hosts that were sending too many packets. When a host received this message, it was expected to slow down. It is rarely used any more when congestion occurs.

Page 17: Role of ICMP

More about Message Types

The REDIRECT message is used when a router notices that a packet seems to be routed wrong. It is used by the router to tell the sending host about the probable error.

The ECHO and ECHO REPLY messages are used to see if a given destination is reachable and alive. Upon receiving the ECHO message, the destination is expected to send an ECHO REPLY message back.

The TIMESTAMP REQUEST and TIMESTAMP REPLY messages are similar, except that the arrival time of the message and the departure time of the reply are recorded in the reply. This facility is used to measure network performance.

Page 18: Role of ICMP

Code: The exact meaning of the value contained within this field depends on the message Type. For example, with an ICMP Type 3 message ("Destination unreachable"), a Code value of 0 means "Network unreachable", which implies a router failure. A Code of 1 means "Host unreachable".

Checksum: The checksum field provides error detection for the ICMP header only and is calculated in the same way as the IP header checksum.

Parameters: The usage of this field depends on the type of message. For example, Type 3 messages do not use this field, while Type 0 and 8 messages use the field to store an identifier and sequence number.

Data: Typically, the data is the IP header and first 64 bits of the original datagram, i.e. the one that failed and prompted the ICMP message. Including the first 64 bits of the original datagram allows the ICMP message to be matched to the datagram that caused it.

Page 19: Role of ICMP

Destination Unreachable Codes

Code  Definition
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
4     Fragmentation needed & Don't Fragment was set
5     Source Route failed
6     Destination Network Unknown
7     Destination Host Unknown
8     Source Host Isolated
9     Communication with Destination Network is Administratively Prohibited
10    Communication with Destination Host is Administratively Prohibited
11    Destination Network Unreachable for Type of Service
12    Destination Host Unreachable for Type of Service
13    Communication Administratively Prohibited
14    Host Precedence Violation
15    Precedence Cutoff Violation

Page 20: Role of ICMP

Redirect Codes

Code  Definition
0     Redirect Datagram for the Network (or subnet)
1     Redirect Datagram for the Host
2     Redirect Datagram for the Type of Service & Network
3     Redirect Datagram for the Type of Service & Host

Time Exceeded Codes

Code  Definition
0     Time to Live Exceeded in Transit
1     Fragment Reassembly Time Exceeded

Parameter Problem Codes

Code  Definition
0     Pointer Indicates the Error
1     Missing a Required Option
2     Bad Length
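The datagram structure, the field descriptions and the Type/Code tables above can be checked against actual bytes. The following is an added example, not code from the slides or from any of the sources they cite: it builds and decodes ICMPv4 messages with Python's standard library. One caveat a practitioner should know: RFC 792 computes the checksum over the entire ICMP message starting at the Type field (not just the 8-byte header), using the same one's-complement algorithm as the IP header checksum, and that is what the code does. The type and code names are the ones from the tables; the identifier, sequence and payload values are constructed.

```python
import struct

# Added example (not from the slides): build and decode ICMPv4 messages laid out as in
# RFC 792. Type/code names are the ones listed in the slides' tables.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp Request", 14: "Timestamp Reply",
}
CODES_BY_TYPE = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation needed & Don't Fragment was set",
        5: "Source Route failed", 6: "Destination Network Unknown",
        7: "Destination Host Unknown", 8: "Source Host Isolated",
        9: "Communication with Destination Network is Administratively Prohibited",
        10: "Communication with Destination Host is Administratively Prohibited",
        11: "Destination Network Unreachable for Type of Service",
        12: "Destination Host Unreachable for Type of Service",
        13: "Communication Administratively Prohibited",
        14: "Host Precedence Violation", 15: "Precedence Cutoff Violation"},
    5: {0: "Redirect Datagram for the Network (or subnet)",
        1: "Redirect Datagram for the Host",
        2: "Redirect Datagram for the Type of Service & Network",
        3: "Redirect Datagram for the Type of Service & Host"},
    11: {0: "Time to Live Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
    12: {0: "Pointer Indicates the Error", 1: "Missing a Required Option", 2: "Bad Length"},
}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), the algorithm the IP header also uses.
    RFC 792 applies it to the whole ICMP message, beginning at the Type field."""
    if len(data) % 2:
        data += b"\x00"                      # odd-length messages are padded for the sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type: int, code: int, rest_of_header: bytes, data: bytes = b"") -> bytes:
    """Assemble Type | Code | Checksum | 4-byte parameters | Data, filling in the checksum."""
    if len(rest_of_header) != 4:
        raise ValueError("the parameters field is exactly 4 bytes")
    body = struct.pack("!BBH", msg_type, code, 0) + rest_of_header + data
    return struct.pack("!BBH", msg_type, code, icmp_checksum(body)) + rest_of_header + data


def build_echo(identifier: int, sequence: int, payload: bytes, reply: bool = False) -> bytes:
    """Echo (type 8) or Echo Reply (type 0): the parameters hold identifier and sequence number."""
    return build_icmp(0 if reply else 8, 0, struct.pack("!HH", identifier, sequence), payload)


def parse_icmp(message: bytes) -> dict:
    """Decode the common header and the type-specific meaning of the parameters/data fields."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _ = struct.unpack("!BBH", message[:4])
    params, data = message[4:8], message[8:]
    result = {
        "type": msg_type,
        "type_name": ICMP_TYPES.get(msg_type, "Unknown"),
        "code": code,
        "code_name": CODES_BY_TYPE.get(msg_type, {}).get(code, "n/a"),
        # An intact message sums to zero when the checksum field itself is included.
        "checksum_ok": icmp_checksum(message) == 0,
    }
    if msg_type in (0, 8, 13, 14):
        result["identifier"], result["sequence"] = struct.unpack("!HH", params)
        result["payload"] = data
    elif msg_type == 5:
        result["gateway"] = ".".join(str(b) for b in params)   # address to redirect to
    elif msg_type == 12:
        result["pointer"] = params[0]                          # offset of the bad header byte
    if msg_type in (3, 4, 5, 11, 12):
        # Error messages quote the offending IP header plus the first 64 bits of its data,
        # which is what lets the receiver match the error to the datagram it sent.
        result["quoted_ip_header"] = data[:20]
        result["quoted_first_64_bits"] = data[20:28]
    return result


if __name__ == "__main__":
    # Constructed values: the 32-byte alphabetical pattern is the one the PING slides mention.
    echo = build_echo(0x1234, 1, b"abcdefghijklmnopqrstuvwabcdefghi")
    print(parse_icmp(echo))
```

parse_icmp never trusts the Type to tell it how long the message is; it reads what is there and reports checksum_ok separately, so a receiver can log a malformed error message instead of acting on it.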

Page 21: Role of ICMP

Testing and Troubleshooting Sequences for ICMP

ICMP's most common uses are testing and troubleshooting.

Two of the most well-known utilities, PING and TRACEROUTE, rely on ICMP to perform connectivity tests and path discovery.

Page 22: Role of ICMP

Connectivity Testing with PING

The PING utility is actually an ICMP Echo process.

An ICMP Echo Request packet consists of an Ethernet header, IP header, ICMP header, and some undefined data.

This packet is sent to the target host, which echoes back that data, as shown in Figure 4-1.

The ICMP echo request is a connectionless process with no guarantee of delivery.

Page 23: Role of ICMP

Connectivity Testing with PING (Contd.)

Most PING utilities send a series of several echo requests to the target in order to obtain an average response time.

These response times are displayed in milliseconds.

These times should be considered a snapshot of the current round-trip time.

The PING utility included with Windows 2000 sends a series of four ICMP echo requests with a one-second ICMP Echo Reply Timeout value.

Page 24: Role of ICMP

PING Utility Uses ICMP Echo Requests and Replies

Page 25: Role of ICMP

Event Flow Diagram

Page 26: Role of ICMP

The echo requests consist of 32 bytes of data (an alphabetical pattern) in a fragmentable IP packet.

The PING utility provides feedback on success and round-trip times.

The command-line parameters used with PING can affect the appearance and functionality of ICMP Echo packets.

Page 27: Role of ICMP

Path Discovery with TRACEROUTE

The TRACEROUTE utility identifies a path from the sender to the target host using ICMP echo requests and some manipulation of the TTL value in the IP header.

Traceroute starts by sending a UDP datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an ICMP Time-Exceeded message to the sender.

Traceroute determines the address of the first hop by examining the source address field of the ICMP Time-Exceeded message.

Page 28: Role of ICMP

Path Discovery with TRACEROUTE (Contd.)

To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the Time-Exceeded message to the source. This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host or until the maximum TTL is reached.

To determine when a datagram reaches its destination, traceroute sets the UDP destination port in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram with an unrecognized port number, it sends an ICMP Port Unreachable error message to the source. The Port Unreachable error message indicates to traceroute that the destination has been reached.
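The step these two slides leave implicit is how traceroute knows which of its probes a given Time-Exceeded or Port Unreachable message refers to: it reads the UDP destination port out of the quoted IP header and first 64 bits of the original datagram that the ICMP error carries. The following is an added example, not part of the presentation, that runs the TTL loop against a constructed three-router path. The probe datagrams are UDP with high destination ports (33434 upwards, the range conventional traceroute uses); the addresses, the simulated routers and the simulated_network function are assumptions made for the simulation, and IP header checksums are left zero because nothing here goes on the wire.

```python
import struct
import ipaddress

# Added example (not from the slides): how a traceroute implementation matches the ICMP
# errors it receives to the UDP probes it sent, driven against a simulated path.
UDP_PROTO = 17
TRACEROUTE_BASE_PORT = 33434     # conventional starting port; unlikely to have a listener


def ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options); header checksum left zero in this simulation."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_probe(src: str, dst: str, ttl: int, sport: int, dport: int) -> bytes:
    """UDP probe datagram with no payload: IPv4 header + 8-byte UDP header."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(src, dst, ttl, UDP_PROTO, len(udp)) + udp


def icmp_error(msg_type: int, code: int, offending: bytes) -> bytes:
    """ICMP error quoting the offending IP header plus the first 64 bits (8 bytes) of its data."""
    ihl = (offending[0] & 0x0F) * 4
    return struct.pack("!BBHI", msg_type, code, 0, 0) + offending[:ihl + 8]


def match_reply(reply_src: str, icmp_msg: bytes, probes: dict):
    """Map an ICMP error back to one of our probes via the UDP destination port it quotes.
    probes maps destination port -> TTL of the probe sent with that port."""
    msg_type, code = icmp_msg[0], icmp_msg[1]
    quoted = icmp_msg[8:]
    if len(quoted) < 20:
        return None
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != UDP_PROTO or len(quoted) < ihl + 8:
        return None
    _, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    ttl = probes.get(dport)
    if ttl is None:
        return None                       # quotes a datagram we never sent: ignore it
    if msg_type == 11 and code == 0:      # Time Exceeded in transit: an intermediate hop
        return {"ttl": ttl, "hop": reply_src, "destination_reached": False}
    if msg_type == 3 and code == 3:       # Port Unreachable: the destination host itself
        return {"ttl": ttl, "hop": reply_src, "destination_reached": True}
    return None


def simulated_network(probe: bytes, routers: list, dst: str) -> tuple:
    """Constructed path: router N discards a probe whose TTL expires at it; the destination
    host has no listener on the probe port and answers with Port Unreachable."""
    ttl = probe[8]                        # TTL is byte 8 of the IPv4 header
    if ttl <= len(routers):
        return routers[ttl - 1], icmp_error(11, 0, probe)
    return dst, icmp_error(3, 3, probe)


def traceroute(src: str, dst: str, routers: list, max_ttl: int = 30) -> list:
    """Send probes with TTL 1, 2, 3, ... until Port Unreachable arrives or max_ttl is hit."""
    hops, probes = [], {}
    for ttl in range(1, max_ttl + 1):
        dport = TRACEROUTE_BASE_PORT + ttl - 1
        probes[dport] = ttl
        reply_src, reply = simulated_network(build_probe(src, dst, ttl, 40000, dport), routers, dst)
        hit = match_reply(reply_src, reply, probes)
        if hit is None:                   # a real tool prints "* * *" for an unanswered TTL
            hops.append({"ttl": ttl, "hop": None, "destination_reached": False})
            continue
        hops.append(hit)
        if hit["destination_reached"]:
            break
    return hops


if __name__ == "__main__":
    for hop in traceroute("192.0.2.1", "198.51.100.9", ["10.0.0.1", "10.0.1.1", "10.0.2.1"]):
        print(hop)
```

Matching on the quoted port rather than on reply order is what keeps a stray or forged ICMP error from being reported as a hop; a message that quotes a datagram the tool never sent is dropped by match_reply.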

Page 29: Role of ICMP

Event Flow Diagram

Page 30: Role of ICMP

Vulnerabilities

Page 31: Role of ICMP

Vulnerability Note VU#221164

Overview: A vulnerability in some Cisco Virtual Private Network (VPN) products could allow a remote attacker to cause a denial of service.

Impact: A denial-of-service condition can result from degraded performance or unexpected rebooting of the affected device.

Solution: Cisco Systems Inc. has released software patches and workaround information for this vulnerability.

Systems Affected:

Vendor              Status      Date Updated
Cisco Systems Inc.  Vulnerable  May-8-2003

Credit: Thanks to the Cisco Systems Product Security Incident Response Team for reporting this vulnerability.

Page 32: Role of ICMP

Vulnerability Note VU#918920

Overview: A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition.

Vulnerable: Cisco ONS 15327 Edge Optical Transport Platform releases 4.6(0) and 4.6(1), and 4.1(0) to 4.1(3).

Not vulnerable: Cisco ONS 15600 Multiservice Switching Platform.

Impact: A remote, unauthenticated attacker could cause control cards to reset on an affected optical device. Repeated exploitation of this vulnerability could result in a denial of service.

Solution: Cisco has released upgraded versions.

Page 33: Role of ICMP

Vulnerability Note VU#471084

Overview: The Linux 2.0 kernel contains a vulnerability in the way it processes ICMP errors. This could lead to portions of memory being leaked to a malicious user.

Description: The Linux 2.0 kernel (versions 2.0 through 2.0.39 inclusive) contains an error in the calculation of the size for an ICMP citation. A citation is created for ICMP error responses. This miscalculation may lead to random data stored in memory being returned in the response.

Impact: Sensitive information may be leaked to an attacker.

Solution: Upgrade or apply a patch as necessary.

Credit: Thanks to Philippe Biondi of Cartel Security for reporting this vulnerability.

Page 34: Role of ICMP

Problem issues

Page 35: Role of ICMP

Problems

ICMP redirect messages can be used to trick routers and hosts acting as routers into using "false" routes; these false routes would aid in directing traffic to an attacker's system instead of a legitimate trusted system.

This could in turn lead to an attacker gaining access to systems that normally would not permit connections to the attacker's system or network.

Older versions of UNIX could drop all connections between two hosts even if only one connection was experiencing network problems.
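The practical defence against the Redirect problem described above is to make hosts stop honouring Redirects from anyone but a trusted router, and to make hosts that are not routers stop sending them. As an added example (not from the slides), the Python below audits sysctl output for the ICMP-related settings and emits the corrected fragment. It assumes a Linux kernel and the net.ipv4 keys named in the code; other operating systems expose different knobs. The sample sysctl output is constructed to show a host that still accepts, trusts and sends Redirects.

```python
# Added example (not from the slides): audit Linux sysctl output for the ICMP-related
# settings that limit what Redirect and broadcast Echo messages can do on a host.
# Assumes the Linux net.ipv4 sysctl keys named below.
RECOMMENDED = {
    # Do not install routes learned from ICMP Redirects (only trusted sources should steer routing).
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    # "secure" redirects still trust any configured on-link gateway; disable those too.
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    # A host that is not a router has no business issuing Redirects to others.
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    # Echo Requests to the broadcast address are a host-probe and amplification vector.
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    # Malformed ICMP errors from broken equipment should not be processed or logged.
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
}


def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines in the form `sysctl -a` prints; skips blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_icmp_settings(settings: dict) -> list:
    """One finding per recommended key that is missing or holds a different value."""
    findings = []
    for key, want in RECOMMENDED.items():
        have = settings.get(key)
        if have != want:
            findings.append({"key": key, "current": have, "recommended": want})
    return findings


def render_fix(findings: list) -> str:
    """Render the corrected settings as a sysctl.d(5)-style fragment."""
    lines = [f"{f['key']} = {f['recommended']}" for f in findings]
    return "\n".join(lines) + ("\n" if lines else "")


# Constructed sample: a default-looking host that still accepts, trusts and sends Redirects.
WEAK_SYSCTL = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    findings = audit_icmp_settings(parse_sysctl(WEAK_SYSCTL))
    for f in findings:
        print(f"{f['key']}: current={f['current']} recommended={f['recommended']}")
    print("--- suggested fragment ---")
    print(render_fix(findings), end="")
```

A router that genuinely must emit Redirects keeps send_redirects on for the interfaces that need it; the accept_redirects settings are what matter on ordinary hosts, since a host that ignores Redirects cannot have its next hop changed by one.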

Page 36: Role of ICMP

Extensions

Page 37: Role of ICMP

Extensions

In order to support IP-in-IP tunneling, the extension enlarges the final field of selected ICMP messages to include a greater portion of the original datagram.

An additional object is provided through which octets 129 and beyond can be appended to the ICMP message.

Page 38: Role of ICMP

Extensions (Contd.)

As few datagrams contain L3 or L4 header information beyond octet 128, it is unlikely that the extensions described herein will disable any applications that rely upon ICMP messages.

Page 39: Role of ICMP

Security Issues

Page 40: Role of ICMP

Security Issues with ICMP

You can use ICMP as part of a reconnaissance process to learn about active network addresses and active processes.

These reconnaissance processes often precede a network break-in.

When hackers decide to infiltrate a network, they typically start with a list of the IP hosts on the network (unless the target is a single known system).

Page 41: Role of ICMP

Security Issues for ICMP

An IP host probe process is one method of obtaining a list of the active hosts on a network.

The next step in the hack is a port probe. Once hackers know the addresses of the active devices on the network, they can target their next reconnaissance process, the port probe, to those devices.

Because many systems do not reply to pings sent to the broadcast address, typical IP host probes are sent unicast to each possible address.
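The host probe described on these two slides leaves a recognisable trace for a defender: one source sending Echo Requests (type 8) to many distinct unicast addresses within a short time, precisely because broadcast pings go unanswered. The following is an added example, not from the slides, that runs that detection logic over constructed firewall-style log lines. The log format, the 60-second window and the eight-target threshold are assumptions made for the example; Echo Replies and other ICMP types are deliberately not counted, so a monitoring host that pings one address every second is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Added example (not from the slides): flag a source that sends ICMP Echo requests to many
# distinct unicast addresses in a short window, the footprint an IP host probe leaves.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) type=(?P<type>\d+) code=(?P<code>\d+)$"
)


def parse_line(line: str):
    """Parse one constructed firewall-style log line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "type": int(m["type"]), "code": int(m["code"])}


def detect_icmp_sweeps(lines, window_seconds: int = 60, min_targets: int = 8) -> list:
    """One alert per source that sent Echo (type 8) to at least min_targets distinct hosts
    inside some window of window_seconds. Other ICMP types are ignored."""
    by_src = defaultdict(list)
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e["ts"])
    for event in events:
        if event["proto"] == "icmp" and event["type"] == 8:
            by_src[event["src"]].append(event)
    alerts = []
    for src, evs in by_src.items():
        start, peak, peak_window = 0, 0, None
        for end in range(len(evs)):
            # slide the window start forward until [start, end] fits in window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) > peak:
                peak, peak_window = len(targets), (evs[start]["ts"], evs[end]["ts"])
        if peak >= min_targets:
            alerts.append({"src": src, "distinct_targets": peak,
                           "first": peak_window[0].isoformat(),
                           "last": peak_window[1].isoformat()})
    return alerts


def constructed_log() -> list:
    """Constructed sample: one host probing 192.0.2.1 to 192.0.2.12 at one address per second,
    a monitoring host pinging a single address every second, and the replies it gets back."""
    lines = []
    for i in range(1, 13):
        lines.append(f"2024-05-01T10:00:{i:02d}Z src=203.0.113.5 dst=192.0.2.{i} proto=icmp type=8 code=0")
    for i in range(0, 20):
        lines.append(f"2024-05-01T10:00:{i:02d}Z src=198.51.100.7 dst=192.0.2.1 proto=icmp type=8 code=0")
        lines.append(f"2024-05-01T10:00:{i:02d}Z src=192.0.2.1 dst=198.51.100.7 proto=icmp type=0 code=0")
    lines.append("malformed line that the parser skips")
    return lines


if __name__ == "__main__":
    for alert in detect_icmp_sweeps(constructed_log()):
        print(alert)
```

The window and threshold are the tuning points: a shorter window with the same threshold misses a slow probe spread over minutes, while counting distinct destinations rather than packet volume is what separates a sweep from a noisy but legitimate monitor.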

Page 42: Role of ICMP

Security Issues

ICMP messages must use an established SAID. From a destination host, this means an SAID must exist or be established on the fly even when an unprotected IP message is the source of the ICMP message.

Certain ICMP messages can legitimately arrive from any gateway along the route taken by an IP message from source to destination host. To protect the ICMP message, the source host must have an SAID with that gateway. Potentially, this means a source host must have an SAID with *every* gateway through which its IP packets may pass.

Page 43: Role of ICMP

Security Issues

Very serious attacks are possible with ICMP and against routing protocols.

Solutions exist but are not applied:

strict traffic filtering against IP source address spoofing (RFC 2267)

education of the network managers

cryptography: key management protocols not generally adopted; a standard Public Key Infrastructure (PKI) not yet agreed upon

Page 44: Role of ICMP

Summary

Page 45: Role of ICMP

Summary

ICMP provides vital feedback about IP routing and delivery problems.

Although ICMP messages fall within various well-documented types, and behave as a separate protocol at the TCP/IP Network layer, ICMP is really part and parcel of IP itself, and its support is required in any standards-compliant IP implementation.

Page 46: Role of ICMP

Summary

Two vital TCP/IP diagnostic utilities, known as PING and TRACEROUTE (invoked as TRACERT in the Windows environment), use ICMP to measure round-trip times between a sending and receiving host, and to perform path discovery for a sending host and all intermediate hosts or routers between sender and receiver.

ICMP also supports Path MTU (PMTU) Discovery between a sender and a receiver, which helps to optimize performance of data delivery between pairs of hosts by avoiding fragmentation en route.

Page 47: Role of ICMP

Summary

Route and routing error information from ICMP derives from numerous types of ICMP messages.

ICMP also supports route optimization through its ICMP Redirect message type, but this capability is normally restricted only to trusted sources of information because of potential security problems that uncontrolled acceptance of such messages can cause.

Page 48: Role of ICMP

Conclusion

Page 49: Role of ICMP

Conclusion

Although ICMP has great positive value as a diagnostic and reporting tool, those same capabilities can be turned to nefarious purposes as well, which makes security issues for ICMP important.

Understanding the meaning and significance of the ICMP Type and Code fields is essential to recognizing individual ICMP messages and what they are trying to communicate.

Page 50: Role of ICMP

Questions

1. Why is the Source Quench message rarely used?

Sol: When congestion occurs, sending these packets increases the congestion.

2. When are ICMP messages generated?

Sol: ICMP messages are typically generated in response to errors in IP datagrams or for diagnostic or routing purposes.

3. What is the drawback of using the ping command?

Sol: The ping command will send an ECHO_REQUEST datagram to a host or network interface. On reception, the packet is returned with an ECHO_RESPONSE datagram. While this test does not verify that your server is operating correctly, it does verify that the networking portion of it is reachable.

Page 51: Role of ICMP

References

http://www.faqs.org (RFC 792)

http://www.ietf.org

http://www.iss.net

http://www.eventhelix.com

Books

Steven M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communications Review.

Andrew S. Tanenbaum. Computer Networks.