ICMP
icmp internet protocol
[*] Overview of ICMP
The Internet Control Message Protocol is used to handle errors during transmissions. Formally this protocol is used for two types of operations:
> Reporting non-transient error conditions.
> Probing the network with request & reply messages in order to determine general characteristics about the network.
[*] Special Conditions
For the following conditions ICMP has strict rules of operation, defined in RFC 792:
- No ICMP Error messages are sent in response to ICMP Error messages to avoid
- For fragmented IP datagrams ICMP messages are only sent for errors on fragment zero (the first fragment).
- ICMP Error messages are never sent in response to a datagram that is destined to a broadcast or a multicast address.
- ICMP Error messages are never sent in response to a datagram sent as a link layer broadcast.
- ICMP Error messages are never sent in response to a datagram whose source address does not represent a unique host - the source IP address cannot be zero, a loopback address, a broadcast address or a multicast address.
- ICMP Error messages are never sent in response to an IGMP message of any kind. When an ICMP message of unknown type is received, it must be silently discarded.
- Routers will almost always generate ICMP messages but when it comes to a destination host(s), the number of ICMP messages generated is implementation dependent.
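As an added example (my code, not part of the original page), the rules above turned into a small decision function: given a raw IPv4 datagram, it returns the reason an ICMP error must be suppressed, or None when an error may be generated. Whether the frame arrived as a link-layer broadcast is not visible in the IP header, so it is passed in as a flag, and the directed-broadcast check needs the local subnet, passed as an optional string; both are assumptions of this example, as are the sample TEST-NET addresses and the helper names.

```python
import ipaddress
import struct
from typing import Optional

PROTO_ICMP = 1
PROTO_IGMP = 2
# ICMP error types from the type table on this page: Destination Unreachable,
# Source Quench, Redirect, Time Exceeded, Parameter Problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_ipv4(datagram: bytes) -> dict:
    """Extract the header fields the error-generation rules depend on."""
    if len(datagram) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "frag_offset": flags_frag & 0x1FFF,     # 8-byte units; zero means fragment zero
        "protocol": proto,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "payload": datagram[ihl:],
    }


def icmp_error_suppression_reason(datagram: bytes, link_layer_broadcast: bool = False,
                                  subnet: Optional[str] = None) -> Optional[str]:
    """Return why no ICMP error may be generated for this datagram, or None if one may be."""
    ip = parse_ipv4(datagram)
    net = ipaddress.ip_network(subnet) if subnet else None     # assumed local subnet, e.g. "192.0.2.0/24"
    directed_bcast = net.broadcast_address if net else None
    if ip["frag_offset"] != 0:
        return "non-initial fragment"
    if link_layer_broadcast:
        return "link-layer broadcast"
    dst, src = ip["dst"], ip["src"]
    if dst.is_multicast or dst == LIMITED_BROADCAST or dst == directed_bcast:
        return "destination is broadcast or multicast"
    if (src.is_unspecified or src.is_loopback or src.is_multicast
            or src == LIMITED_BROADCAST or src == directed_bcast):
        return "source is not a unique host"
    if ip["protocol"] == PROTO_IGMP:
        return "IGMP message"
    # An ICMP error in reply to an ICMP error is forbidden; ICMP queries (echo etc.) may get one
    if ip["protocol"] == PROTO_ICMP and ip["payload"][:1] and ip["payload"][0] in ICMP_ERROR_TYPES:
        return "ICMP error message"
    return None


def make_ipv4(src: str, dst: str, proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Constructed sample datagram: minimal 20-byte header, header checksum left at zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         frag_offset & 0x1FFF, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


if __name__ == "__main__":
    # Documentation (TEST-NET) addresses used as constructed sample values
    udp = make_ipv4("192.0.2.10", "198.51.100.5", 17, b"\x00" * 8)
    print(icmp_error_suppression_reason(udp))                       # None
    icmp_err = make_ipv4("192.0.2.10", "198.51.100.5", 1, b"\x03\x03" + b"\x00" * 6)
    print(icmp_error_suppression_reason(icmp_err))                  # ICMP error message
```

The checks are ordered the way the list above reads; in a real stack the fragment-offset test is cheap and comes first, and the directed-broadcast test only works on the interface whose subnet is known.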
[*] Packet Formats
ICMP packets are transferred as IP datagrams. The following figures show an IP datagram and an ICMP message.
FIG:IP DATAGRAM
-------------------------------------------------------------------------
|:::::::IP HEADER::::::|:::::::::::::::ICMP MESSAGE:::::::::::::::::::::|
-------------------------------------------------------------------------
<-------20 bytes------->
FIG:ICMP MESSAGE
<--------8 bit--------><----------8 bit---------><-------------------16 bit----------------------->
---------------------------------------------------------------------------------------------------
|::::::::TYPE:::::::::|:::::::::CODE:::::::::::::|::::::::::::::::::CHECKSUM::::::::::::::::::::::|
---------------------------------------------------------------------------------------------------
|:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
|::::::::::::::::::::::::::::::::::::::::::DATA:::::::::::::::::::::::::::::::::::::::::::::::::::|
|:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|
---------------------------------------------------------------------------------------------------
[*] The Type Field
TYPE   NAME                                  CODE
-----  ------------------------------------  --------------------------------------------------------------
0      Echo Reply
1      Unassigned
2      Unassigned
3      Destination Unreachable               00 Net Unreachable
                                             01 Host Unreachable
                                             02 Protocol Unreachable
                                             03 Port Unreachable
                                             04 Fragmentation Needed and Don't Fragment was Set
                                             05 Source Route Failed
                                             06 Destination Network Unknown
                                             07 Destination Host Unknown
                                             08 Source Host Isolated
                                             09 Communication with Destination Network is Administratively Prohibited
                                             10 Communication with Destination Host is Administratively Prohibited
                                             11 Destination Network Unreachable for Type of Service
                                             12 Destination Host Unreachable for Type of Service
                                             13 Communication Administratively Prohibited
                                             14 Host Precedence Violation
                                             15 Precedence cutoff in effect
4      Source Quench                         0 No Code
5      Redirect                              0 Redirect Datagram for the Network (or subnet)
                                             1 Redirect Datagram for the Host
                                             2 Redirect Datagram for the Type of Service & Network
                                             3 Redirect Datagram for the Type of Service and Host
6      Alternate Host Address                0 Alternate Address for Host
7      Unassigned
8      Echo Request                          0 No Code
9      Router Advertisement                  0 No Code
10     Router Selection                      0 No Code
11     Time Exceeded                         0 Time to Live exceeded in Transit
                                             1 Fragment Reassembly Time Exceeded
12     Parameter Problem                     0 Pointer indicates the error
                                             1 Missing a Required Option
                                             2 Bad Length
13     Timestamp                             0 No Code
14     Timestamp Reply                       0 No Code
15     Information Request                   0 No Code (Obsolete)
16     Information Reply                     0 No Code (Obsolete)
17     Address Mask Request                  0 No Code
18     Address Mask Reply                    0 No Code
19     Reserved (for Security)               0 No Code
20-29  Reserved (for Robustness Experiment)
30     Traceroute
31     Datagram Conversion Error
32     Mobile Host Redirect
33     IPv6 Where-Are-You
34     IPv6 I-Am-Here
35     Mobile Registration Request
36     Mobile Registration Reply
39     SKIP
40     Photuris                              0 Reserved
                                             1 unknown security parameters index
                                             2 valid security parameters, but authentication failed
                                             3 valid security parameters, but decryption failed
As soon as TCP/IP senses an error in the data transfer, the client, server and the user process are informed about the details of the error encountered.
[*] Echo Request And Echo Reply
We can use these two message types to check whether a target machine is alive. We first send an Echo Request ICMP packet and then wait for the Echo Reply. If it arrives, the remote system is alive. However, if no Echo Reply arrives it does not necessarily mean that the remote system is dead, as the remote machine may be equipped with a firewall or a filtering device that simply discards these requests. After the usual 4 bits the echo request/reply ICMP packet starts with a 2-byte identifier field, to which the sender assigns the process ID of the sending process, followed by the 2-byte sequence number field. After receiving the request, the receiver echoes back the data (unchanged) and the sequence number field in the form of an Echo Reply ICMP message.
Note: This can be easily obtained using ping.
[*] Discarding Ping Requests
Echo Requests (including ping) are pumped into the internet very frequently. For security reasons it is sometimes essential to block these requests. They can be blocked by adding the following access list:
access-list 101 permit icmp <permitted_ip> 0.0.0.255 any 8
access-list 101 deny icmp any any 8
access-list 101 permit ip any any
All echo requests are discarded except those coming from the <permitted_ip> network (the 0.0.0.255 wildcard mask matches the whole /24). The closing permit line matters: a Cisco numbered ACL ends with an implicit deny of everything not explicitly permitted, so without it applying access-list 101 to an interface would drop all other traffic as well.
[*] Timestamp Request And Timestamp Reply
One can ask a remote system for its current time, which is returned as the number of milliseconds since midnight, Coordinated Universal Time (UTC).
FIG:Format of timestamp reply (type : 14) and request (type : 13)
<----------8---------><------------8----------><------------------------16----------------------->
|------------------------------------------------------------------------------------------------|
|::TYPE(13 or 14)::::|::::::CODE ( 0 ):::::::::|::::::::::::::::::::CHECKSUM:::::::::::::::::::::|
|------------------------------------------------------------------------------------------------|
|:::::::::::::::IDENTIFIER:::::::::::::::::::::|:::::::::::::::::::SEQUENCE NO.::::::::::::::::::|
|------------------------------------------------------------------------------------------------|
|::::::::::::::::::::::::::::::::32 BIT ORIGINATE TIMESTAMP::::::::::::::::::::::::::::::::::::::|
|------------------------------------------------------------------------------------------------|
|:::::::::::::::::::::::::::::::::32 BIT RECEIVE TIMESTAMP:::::::::::::::::::::::::::::::::::::::|
|------------------------------------------------------------------------------------------------|
|:::::::::::::::::::::::::::::::::32 BIT TRANSMIT TIMESTAMP::::::::::::::::::::::::::::::::::::::|
|------------------------------------------------------------------------------------------------|
The sender sends this packet with the 'originate timestamp' field filled with the time at which the packet is sent. The receiver then answers the query by filling the 'receive timestamp' field with the time at which the request packet was received and the 'transmit timestamp' field with the time at which the reply is transmitted. Nowadays both these values contain the same time. Some versions of Windows NT do not respond to Timestamp queries.
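As an added example serving the Packet Formats, Echo Request/Reply and Timestamp sections (my code, not the page's), the following Python builds and parses ICMP messages with the RFC 1071 checksum, produces the Echo Reply a receiver sends back (type 0, same identifier, sequence and data), and fills the three timestamp fields as described above, with the timestamp value computed as milliseconds since midnight UTC. The identifier 0x1234 (standing in for the sender's process ID), the sample payload and the function names are this example's own.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# Type numbers taken from the type table on this page
ECHO_REPLY, ECHO_REQUEST = 0, 8
TIMESTAMP, TIMESTAMP_REPLY = 13, 14


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, identifier: int, sequence: int, body: bytes = b"") -> bytes:
    """Type (1 byte), code (1), checksum (2), identifier (2), sequence (2), then the body."""
    header = struct.pack("!BBHHH", msg_type, code, 0, identifier, sequence)
    csum = icmp_checksum(header + body)      # computed with the checksum field zeroed
    return struct.pack("!BBHHH", msg_type, code, csum, identifier, sequence) + body


def parse_icmp(packet: bytes) -> dict:
    """Split a raw ICMP message into fields; checksum_ok is True when the sum over the whole message is zero."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _csum, identifier, sequence = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "identifier": identifier, "sequence": sequence,
            "body": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def make_echo_reply(request: bytes) -> bytes:
    """What the receiver sends back: type 0 with the same identifier, sequence and (unchanged) data."""
    req = parse_icmp(request)
    if req["type"] != ECHO_REQUEST or req["code"] != 0 or not req["checksum_ok"]:
        raise ValueError("not a well-formed Echo Request")
    return build_icmp(ECHO_REPLY, 0, req["identifier"], req["sequence"], req["body"])


def ms_since_midnight_utc(now: Optional[datetime] = None) -> int:
    """Timestamp value as the page describes it: milliseconds since midnight UTC."""
    now = now or datetime.now(timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((now - midnight).total_seconds() * 1000)


def build_timestamp_request(identifier: int, sequence: int, originate_ms: int) -> bytes:
    """Type 13 with the originate field filled and the receive/transmit fields left at zero."""
    return build_icmp(TIMESTAMP, 0, identifier, sequence, struct.pack("!III", originate_ms, 0, 0))


def make_timestamp_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """Type 14: originate copied from the request, receive and transmit filled by the responder."""
    req = parse_icmp(request)
    if req["type"] != TIMESTAMP or not req["checksum_ok"]:
        raise ValueError("not a well-formed Timestamp request")
    originate_ms = struct.unpack("!III", req["body"][:12])[0]
    return build_icmp(TIMESTAMP_REPLY, 0, req["identifier"], req["sequence"],
                      struct.pack("!III", originate_ms, receive_ms, transmit_ms))


def timestamps(packet: bytes) -> tuple:
    """(originate, receive, transmit) from a type 13/14 message."""
    return struct.unpack("!III", parse_icmp(packet)["body"][:12])


if __name__ == "__main__":
    # Constructed sample exchange; 0x1234 stands in for the sender's process ID
    req = build_icmp(ECHO_REQUEST, 0, 0x1234, 1, b"hello")
    print(parse_icmp(make_echo_reply(req)))
    ts_req = build_timestamp_request(0x1234, 7, ms_since_midnight_utc())
    now_ms = ms_since_midnight_utc()         # receive and transmit carry the same value, as noted above
    print(timestamps(make_timestamp_reply(ts_req, now_ms, now_ms)))
```

Verifying a received message is the same checksum routine run over the whole packet: a valid message sums to zero, which is why parse_icmp reports checksum_ok without re-zeroing the field.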
[*] Countermeasures
By adding the following ACL:
access-list 101 permit icmp <except_ip> 0.0.0.255 any 13
access-list 101 deny icmp any any 13
access-list 101 permit ip any any
The above access rules discard all Timestamp requests except those coming from your ISP, whose IP address is <except_ip>. As with the echo-request list, the closing permit ip any any keeps the ACL's implicit deny from dropping unrelated traffic.
[*] Address Mask Request and Address Mask Reply Messages
Send an Address Mask Request message to the remote system once its IP address is known (or to the broadcast address of the network in which the system resides). In return we receive an Address Mask Reply message giving the subnet mask of the target machine.
FIG:Format of Address Mask Request and Address Mask Reply
<-----------8--------><----------8---------><-----------------------16----------------------->
|--------------------------------------------------------------------------------------------|
|:::TYPE(17 or 18):::|:::::CODE ( 0 ):::::::|:::::::::::::::::::CHECKSUM:::::::::::::::::::::|
|--------------------------------------------------------------------------------------------|
|:::::::::::::IDENTIFIER::::::::::::::::::::|:::::::::::::::::SEQUENCE NO.:::::::::::::::::::|
|--------------------------------------------------------------------------------------------|
|:::::::::::::::::::::::::::::::32 BIT SUBNET MASK:::::::::::::::::::::::::::::::::::::::::::|
|--------------------------------------------------------------------------------------------|
A utility called icmpquery exists which returns the subnet mask. To block Address Mask Requests:
access-list 101 permit icmp xx.xx.xx.xx 0.0.0.255 any 17
access-list 101 deny icmp any any 17
access-list 101 permit ip any any
[*] Detecting Remote OS using ICMP
The responses to some ICMP messages depend on the OS used at the remote system. There are many ICMP OS detection techniques; a very brief introduction follows.
>>> ICMP Message Quoting :
Different operating systems fill in different amounts of information in the error messages they generate.
>>> ICMP Error Message Quenching :
One can send a UDP packet to a random unused port so that the remote host generates and sends back an ICMP unreachable error message. Operating systems limit the rate at which error messages are sent, so by counting the number of messages received one can guess the OS used. The TOS (Type Of Service) field in the error message sent by the remote host can also help determine the OS.
>>> ICMP Error Message Echoing Integrity :
Certain systems are known to alter the IP headers of the ICMP error messages they send back. By analysing the extent and type of alterations the remote system makes to the IP header, we can deduce to a certain extent the operating system running on the target system.
[*] Detecting Remote Firewall using ICMP
Firewalls can be detected using the popular Unix utility traceroute. An asterisk in the output signals a filtering device in the path. Other methods that can be adopted are:
1. Banner Grabbing
2. Using nmap
3. Port Scanning and looking for specific ports on which particular firewalls are known to run by default.
Preventive action can be taken by adding the ACL below; traceroute depends on the Time Exceeded (type 11) messages returned by each hop, so dropping them hides the path:
access-list 101 deny icmp any any 11
access-list 101 permit ip any any
