Internet Control Message Protocol
By
Venkata Naga Chaturvedula
Thomson Erelli
Kiran Nukalapati
About the Internet Control Message Protocol
The Internet Control Message Protocol (ICMP) is a classic example of a client-server
application.
ICMP is part of the Internet protocol suite and is defined in RFC 792.
The ICMP server executes on all IP end systems and all IP intermediate systems (i.e.
routers).
About the Internet Control Message Protocol
The protocol is used to report problems with delivery of IP datagrams within an IP
network.
It can be used to show when a particular end system is not responding, when an IP
network is not reachable, when a node is overloaded, when an error occurs in the IP
header information, etc.
The protocol is also frequently used by Internet managers to verify correct operation of
end systems and to check that routers are correctly routing packets to the specified
destinations.
About the Internet Control Message Protocol
The Internet Protocol (IP) is used for host-to-host datagram service in a system of
interconnected networks called the Catenet.
The network connecting devices are called gateways.
These gateways communicate between themselves for control purposes via a Gateway to
Gateway Protocol (GGP).
About the Internet Control Message Protocol
Occasionally a gateway or destination host will communicate with a source host, for
example, to report an error in datagram processing.
ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP
is actually an integral part of IP and must be implemented by every IP module.
Purpose of ICMP
The Internet Control Message Protocol is a
protocol for the exchange of error messages and
other vital information between (Physical) Internet
entities such as hosts and routers.
ICMP in the TCP/IP protocol suite
ICMP is a network layer protocol; it is often placed next to IP in the protocol stack.
[Figure: encapsulation. Frame Header | IP Header | ICMP Header | ICMP Data Area. The
ICMP header and data form the IP Data Area, which in turn forms the Frame Area.]
ICMP in the TCP/IP protocol suite
ICMP lies just above IP, as ICMP messages are carried inside IP packets.
ICMP messages are carried as IP payload, just as TCP/UDP segments are carried as IP
payload.
When a host receives an IP packet with ICMP specified as the upper layer protocol, it
demultiplexes the packet to ICMP, just as it would demultiplex a packet to TCP/UDP.
ICMP functions
Announce network errors: such as a host or
entire portion of the network being unreachable,
due to some type of failure. A TCP or UDP packet
directed at a port number with no receiver
attached is also reported via ICMP.
Announce network congestion: When a
router begins buffering too many packets, due to
an inability to transmit them as fast as they are
being received, it will generate ICMP Source
Quench messages. Directed at the sender, these
messages should cause the rate of packet
transmission to be slowed.
ICMP functions
Assist Troubleshooting: ICMP supports an Echo function, which just sends a packet on a
round-trip between two hosts. Ping, a common network management tool, is based on this
feature. Ping will transmit a series of packets, measuring average round-trip times and
computing loss percentages.
Announce Timeouts: If an IP packet's TTL field drops to zero, the router discarding the
packet will often generate an ICMP packet announcing this fact. TraceRoute is a tool
which maps network routes by sending packets with small TTL values and watching the
ICMP timeout announcements.
ICMP Applications
There are two simple and widely used
applications which are based on ICMP:
Ping
Traceroute.
ICMP Applications
PING: The ping utility checks whether a host is alive
& reachable or not. This is done by sending an ICMP
Echo Request packet to the host, and waiting for an
ICMP Echo Reply from the host.
TRACE ROUTE: Traceroute is a utility that records the
route (the specific gateway computers at each hop)
through the Internet between your computer and a
specified destination computer. It also calculates and
displays the amount of time each hop took.
ICMP Operation
ICMP datagram structure
The ICMP datagram, being an IP datagram, contains the usual IP header.
This is followed by an ICMP header which varies slightly between the
different types of ICMP message. The general format is shown below:
ICMP Message Types
Type  Message Type             Description
3     Destination Unreachable  Packet could not be delivered
11    Time Exceeded            Time to live field hit 0
12    Parameter Problem        Invalid header field
4     Source Quench            Choke packet
5     Redirect                 Teach a router about geography
8     Echo                     Ask a machine if it is alive
0     Echo Reply               Yes, I am alive
13    Timestamp Request        Same as Echo request, but with timestamp
14    Timestamp Reply          Same as Echo reply, but with timestamp
More about Message Types
The DESTINATION UNREACHABLE message is used when the subnet or a router cannot locate
the destination.
The TIME EXCEEDED message is sent when a packet is dropped because its counter has
reached zero. This event is a symptom that packets are looping, that there is enormous
congestion, or that the timer values are being set too low.
The PARAMETER PROBLEM message indicates that an illegal value has been detected in a
header field. This problem indicates a bug in the sending host's IP software or possibly
in the software of a router transited.
The SOURCE QUENCH message was formerly used to throttle hosts that were sending too many
packets. When a host received this message, it was expected to slow down. It is rarely
used any more when congestion occurs.
More about Message Types
The REDIRECT MESSAGE is used when a router notices that a packet seems to be
routed wrong. It is used by the router to tell the sending host about the probable error.
The ECHO and ECHO REPLY messages are used to see if a given destination is
reachable and alive. Upon receiving the ECHO message, the destination is expected to
send an ECHO REPLY message back.
The TIMESTAMP REQUEST and TIMESTAMP REPLY messages are similar, except that
the arrival time of the message and the departure time of the reply are recorded in the
reply. This facility is used to measure network performance.
Code:
The exact meaning of the value contained within this field depends on the message Type.
For example, with an ICMP Type 3 message ("Destination unreachable"), a Code value of 0
means "Network unreachable", which implies a router failure. A Code of 1 means "Host
unreachable".
Checksum:
The checksum field provides error detection for the ICMP header only and is calculated
in the same way as the IP header checksum.
Parameters:
The usage of this field depends on the type of message. For example, Type 3 messages do
not use this field, while Type 0 and 8 messages use the field to store an identifier and
sequence number.
Data:
Typically, the data is the IP header and first 64 bits of the original datagram, i.e. the
one that failed and prompted the ICMP message. Including the first 64 bits of the
original datagram allows the ICMP message to be matched to the datagram that caused it.
Destination Unreachable Codes
Code  Definition
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
4     Fragmentation needed & Don't Fragment was set
5     Source Route failed
6     Destination Network Unknown
7     Destination Host Unknown
8     Source Host Isolated
9     Communication with Destination Network is Administratively Prohibited
10    Communication with Destination Host is Administratively Prohibited
11    Destination Network Unreachable for Type of Service
12    Destination Host Unreachable for Type of Service
13    Communication Administratively Prohibited
14    Host Precedence Violation
15    Precedence Cutoff Violation
Redirect Codes
Code  Definition
0     Redirect Datagram for the Network (or subnet)
1     Redirect Datagram for the Host
2     Redirect Datagram for the Type of Service & Network
3     Redirect Datagram for the Type of Service & Host
Time Exceeded Codes
Code  Definition
0     Time to Live Exceeded in Transit
1     Fragment Reassembly Time Exceeded
Parameter Problem Codes
Code  Definition
0     Pointer Indicates the Error
1     Missing a Required Option
2     Bad Length
Testing and Troubleshooting Sequences for ICMP
ICMP's most common uses are testing and troubleshooting.
Two of the most well-known utilities, PING and TRACEROUTE, rely on ICMP to perform
connectivity tests and path discovery.
Connectivity Testing with PING
The PING utility is actually an ICMP Echo process.
An ICMP Echo Request packet consists of an Ethernet header, IP
header, ICMP header, and some undefined data.
This packet is sent to the target host, which echoes back that data, as
shown in Figure 4-1.
The ICMP echo request is a connectionless process with no guarantee
of delivery.
Connectivity Testing with PING (Contd.)
Most PING utilities send a series of several echo requests to the target in order to
obtain an average response time.
These response times are displayed in milliseconds.
These times should be considered a snapshot of the current round-trip time.
The PING utility included with Windows 2000 sends a series of four ICMP echo requests
with a one-second ICMP Echo Reply Timeout value.
PING Utility Uses ICMP Echo Requests and Replies
Event Flow Diagram
The echo requests consist of 32 bytes of data (an alphabetical pattern) in a
fragmentable IP packet.
The Ping utility provides feedback on success and round-trip times.
The command-line parameters used with PING can affect the appearance and functionality
of ICMP Echo packets.
Path Discovery with TRACEROUTE
The TRACEROUTE utility identifies a path from the sender to the target
host using ICMP echo requests and some manipulation of the TTL value in
the IP header.
Traceroute starts by sending a UDP datagram to the destination host with
the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the
datagram and sends back an ICMP Time-Exceeded message to the sender.
Traceroute determines the address of the first hop by examining the source
address field of the ICMP Time-Exceeded message.
Path Discovery with TRACEROUTE (Contd.)
To identify the next hop, traceroute sends a UDP packet with a TTL
value of 2. The first router decrements the TTL field by 1 and sends
the datagram to the next router. The second router sees a TTL value
of 1, discards the datagram, and returns the Time-Exceeded
message to the source. This process continues until the TTL is
incremented to a value large enough for the datagram to reach the
destination host or until the maximum TTL is reached.
To determine when a datagram reaches its destination, traceroute
sets the UDP destination port in the datagram to a very large value
that the destination host is unlikely to be using. When a host
receives a datagram with an unrecognized port number, it sends an
ICMP Port Unreachable error message to the source. The Port
Unreachable error message indicates to traceroute that the
destination has been reached.
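The header layout on the datagram structure slide (Type, Code, Checksum, Parameters, Data), PING's 32-byte alphabetical payload and traceroute's reliance on Port Unreachable errors can be tied together in code. The following Python is an added example, not part of the original slides: it builds an Echo Request, computes the checksum (RFC 792 defines it over the whole ICMP message, header and data, which is what is computed here), and decodes a constructed Port Unreachable message to recover the quoted IP header and UDP ports so that the error can be matched to the probe that caused it. All addresses, ports and identifiers are constructed sample values.

```python
import struct

# Type and Destination Unreachable code names, from the tables on these slides (subset).
TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
              8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem"}
UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
                 3: "Port Unreachable", 4: "Fragmentation needed & Don't Fragment was set"}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, computed as for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"                     # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0; the parameters field carries identifier and sequence number."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode the common header; the checksum over a valid message folds to zero."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    info = {"type": icmp_type, "type_name": TYPE_NAMES.get(icmp_type, "?"), "code": code,
            "checksum_ok": icmp_checksum(msg) == 0, "ident": ident, "seq": seq}
    if icmp_type in (3, 11, 12):
        # Error messages quote the offending IP header plus its first 64 bits, which for
        # TCP/UDP hold the port numbers needed to match the error to the original datagram.
        inner = msg[8:]
        ihl = (inner[0] & 0x0F) * 4
        info["orig_src"] = ".".join(str(b) for b in inner[12:16])
        info["orig_dst"] = ".".join(str(b) for b in inner[16:20])
        info["orig_proto"] = inner[9]
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
        if icmp_type == 3:
            info["code_name"] = UNREACH_CODES.get(code, "?")
    return info


def sample_port_unreachable() -> bytes:
    """Constructed: a host quoting a UDP probe 10.0.0.1:40000 -> 10.0.0.9:33434 (traceroute-style)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 1, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 9]))
    udp_hdr = struct.pack("!HHHH", 40000, 33434, 8, 0)   # first 64 bits of the original
    body = struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + udp_hdr
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```

Feeding a real capture into `parse_icmp` requires the ICMP bytes only, i.e. the IP payload with the outer IP header already stripped.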
Event Flow Diagram
Vulnerabilities
Vulnerability Note VU#221164
Overview
A vulnerability in some Cisco Virtual Private Network (VPN) products could allow a
remote attacker to cause a denial of service.
Impact
A denial-of-service condition can result from degraded performance or unexpected
rebooting of the affected device.
Solution
Cisco Systems Inc. has released software patches and workaround information for
this vulnerability.
Systems Affected
Vendor              Status      Date Updated
Cisco Systems Inc.  Vulnerable  May-8-2003
Credit
Thanks to Cisco Systems Product Security Incident Response Team for reporting this
vulnerability.
Vulnerability Note VU#918920
Overview
A vulnerability exists in multiple control cards used by Cisco ONS devices. This
vulnerability could allow a remote attacker to cause a denial-of-service condition.
Vulnerable
Cisco ONS 15327 Edge Optical Transport Platform releases:
4.6(0) and 4.6(1)
4.1(0) to 4.1(3)
Not vulnerable
Cisco ONS 15600 Multiservice Switching Platform
Impact
A remote, unauthenticated attacker could cause control cards to reset on an affected
optical device. Repeated exploitation of this vulnerability could result in a denial of
service.
Solution
Cisco has released newer versions that address this vulnerability.
Vulnerability Note VU#471084
Overview
The Linux 2.0 kernel contains a vulnerability in the way it processes ICMP errors.
This could lead to portions of memory being leaked to a malicious user.
Description
The Linux 2.0 kernel (versions 2.0 through 2.0.39 inclusive) contains an error in the
calculation of the size for an ICMP citation. A citation is created for ICMP error
responses. This miscalculation may lead to random data stored in memory being
returned in the response.
Impact
Sensitive information may be leaked to an attacker.
Solution
Upgrade or apply a patch as necessary.
Credit
Thanks to Philippe Biondi of Cartel Security for reporting this vulnerability.
Problem issues
Problems
ICMP redirect messages can be used to trick routers and hosts acting as routers into
using "false" routes; these false routes would aid in directing traffic to an
attacker's system instead of a legitimate trusted system.
This could in turn lead to an attacker gaining access to systems that normally would
not permit connections to the attacker's system or network.
Older versions of UNIX could drop all connections between two hosts even if only one
connection was experiencing network problems.
Extensions
Extensions
In order to support IP-in-IP tunneling, this extension extends the final field of
selected ICMP messages to include a greater portion of the original datagram.
An additional object is provided through which octets 129 and beyond can be appended
to the ICMP message.
Extensions…
As few datagrams contain L3 or L4 header
information beyond octet 128, it is unlikely
that the extensions described herein will
disable any applications that rely upon ICMP
messages.
Security Issues
Security Issues with ICMP
You can use ICMP as part of a reconnaissance
process to learn about active network addresses and
active processes
These reconnaissance processes often precede a
network break-in
When hackers decide to infiltrate a network, they
typically start with a list of the IP hosts on the
network (unless the target is a single known system)
Security Issues for ICMP
An IP host probe process is one method of obtaining
a list of the active hosts on a network
The next step in the hack is a port probe
Once hackers know the addresses of the active
devices on the network, they can target their next
reconnaissance process, the port probe, to those
devices
Because many systems do not reply to pings sent to
the broadcast address, typical IP host probes are
sent unicast to each possible address
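The unicast host probe described on these two slides and the Redirect abuse described on the Problems slide both leave patterns a defender can look for in ICMP flow records. The following Python is an added example, not from the original slides: it runs two simple detections over a constructed set of records (time in ms, source, destination, type, code); the trusted-gateway set, thresholds and all addresses are assumed sample values.

```python
from collections import defaultdict

# Constructed sample flow records: (time_ms, src, dst, icmp_type, icmp_code).
SAMPLE_RECORDS = [
    (0, "10.0.0.5", "10.0.1.1", 8, 0), (100, "10.0.0.5", "10.0.1.2", 8, 0),
    (200, "10.0.0.5", "10.0.1.3", 8, 0), (300, "10.0.0.5", "10.0.1.4", 8, 0),
    (400, "10.0.0.5", "10.0.1.5", 8, 0), (500, "10.0.0.5", "10.0.1.6", 8, 0),
    (1000, "10.0.1.2", "10.0.0.5", 0, 0),      # a single Echo Reply, benign
    (2000, "10.0.0.1", "10.0.0.7", 5, 1),      # Redirect for the Host from the real gateway
    (2500, "10.0.0.66", "10.0.0.7", 5, 1),     # Redirect from a host that is not a gateway
    (3000, "10.0.0.9", "10.0.0.7", 8, 0),      # an ordinary single ping
]

TRUSTED_GATEWAYS = {"10.0.0.1"}   # assumed: the only addresses allowed to send Redirects


def detect_host_sweeps(records, window_ms=5000, min_targets=5):
    """Flag sources whose Echo Requests (type 8) reach at least min_targets distinct
    hosts within a sliding window: the unicast IP host probe the slides describe.
    Returns (src, distinct_targets_at_first_crossing) per offending source."""
    by_src = defaultdict(list)
    for t, src, dst, typ, _code in records:
        if typ == 8:
            by_src[src].append((t, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_ms:
                start += 1                     # slide the window forward
            targets = {dst for _t, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append((src, len(targets)))
                break                          # one alert per source is enough
    return alerts


def detect_rogue_redirects(records, trusted=TRUSTED_GATEWAYS):
    """Flag Redirect (type 5) messages from anything other than a known gateway; the
    Summary slide notes redirects are only safe when accepted from trusted sources."""
    return [(src, dst, code) for _t, src, dst, typ, code in records
            if typ == 5 and src not in trusted]
```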
Security Issues
ICMP messages must use an established SAID. For a destination host, this means an SAID
must exist or be established on the fly even when an unprotected IP message is the
source of the ICMP message.
Certain ICMP messages can legitimately arrive from any gateway along the route taken by
an IP message from source to destination host. To protect the ICMP message, the source
host must have an SAID with that gateway. Potentially, this means a source host must
have an SAID with *every* gateway through which its IP packets may pass.
Security Issues
There are very serious attacks with ICMP and against routing protocols.
Solutions exist but are not applied!
strict traffic filtering against IP source address spoofing (RFC 2267)
education of the network managers
cryptography: key management protocols not generally adopted; standard Public Key
Infrastructure (PKI) not yet agreed upon
Summary
Summary
ICMP provides vital feedback about IP routing and delivery problems.
Although ICMP messages fall within various well-documented types, and behave as a
separate protocol at the TCP/IP Network layer, ICMP is really part and parcel of IP
itself, and its support is required in any standards-compliant IP implementation.
Summary
Two vital TCP/IP diagnostic utilities, known as PING and TRACEROUTE (invoked as TRACERT
in the Windows environment), use ICMP to measure round-trip times between a sending and
receiving host, and to perform path discovery for a sending host and all intermediate
hosts or routers between sender and receiver.
ICMP also supports Path MTU (PMTU) Discovery between a sender and a receiver, which
helps to optimize performance of data delivery between pairs of hosts by avoiding
fragmentation en route.
Summary
Route and routing error information from ICMP
derives from numerous types of ICMP messages
ICMP also supports route optimization through its
ICMP Redirect message type, but this capability is
normally restricted only to trusted sources of
information because of potential security problems
that uncontrolled acceptance of such messages can
cause
Conclusion
Conclusion
Although ICMP has great positive value as a diagnostic and reporting tool, those same
capabilities can be turned to nefarious purposes as well, which makes security issues
for ICMP important.
Understanding the meaning and significance of the ICMP Type and Code fields is
essential to recognizing individual ICMP messages and what they are trying to
communicate.
Questions
1. Why is the Source Quench message rarely used?
Sol: When congestion occurs, sending these packets increases the congestion.
2. When are ICMP messages generated?
Sol: ICMP messages are typically generated in response to errors in IP datagrams or for
diagnostic or routing purposes.
3. What is the drawback of using the ping command?
Sol: The ping command will send an ECHO_REQUEST datagram to a host or network interface.
On reception, the packet is returned with an ECHO_RESPONSE datagram. While this test
does not verify that your server is operating correctly, it does verify that the
networking portion of it is reachable.
References
http://www.faqs.org (RFC 792)
http://www.ietf.org
http://www.iss.net
http://www.eventhelix.com
Books
Steven M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer
Communications Review.
Andrew S. Tanenbaum. Computer Networks.