
Internet Control Message Protocol

By
Venkata Naga Chaturvedula
Thomson Erelli
Kiran Nukalapati

About the Internet Control Message Protocol

- The Internet Control Message Protocol (ICMP) is a classic example of a client-server application.

- The Internet Control Message Protocol (ICMP) is part of the Internet protocol suite and is defined in RFC 792.
- The ICMP server executes on all IP end systems (hosts) and on all IP intermediate systems (i.e. routers).
About the Internet Control Message Protocol

- The protocol is used to report problems with the delivery of IP datagrams within an IP network.
- It can be used to show when a particular end system is not responding, when an IP network is not reachable, when a node is overloaded, when an error occurs in the IP header information, etc.
- The protocol is also frequently used by Internet managers to verify correct operation of end systems and to check that routers are correctly routing packets to the specified destinations.

About the Internet Control Message Protocol

- The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected networks called the Catenet.
- The devices connecting the networks are called gateways.
- These gateways communicate between themselves for control purposes via a Gateway-to-Gateway Protocol (GGP).


About the Internet Control Message Protocol

- Occasionally a gateway or destination host will communicate with a source host, for example to report an error in datagram processing.
- ICMP uses the basic support of IP as if it were a higher-level protocol; however, ICMP is actually an integral part of IP and must be implemented by every IP module.

Purpose of ICMP

The Internet Control Message Protocol is a protocol for the exchange of error messages and other vital information between (physical) Internet entities such as hosts and routers.

ICMP in the TCP/IP protocol suite

ICMP is a network layer protocol; it is often placed next to the IP protocol.

Encapsulation (each layer's header is followed by its data area, and the layer above is carried inside that data area):

  ICMP Header  | ICMP Data Area
  IP Header    | IP Data Area
  Frame Header | Frame Area

ICMP in the TCP/IP protocol suite

- ICMP lies just above IP, as ICMP messages are carried inside IP packets.
- ICMP messages are carried as IP payload, just as TCP/UDP segments are carried as IP payload.
- When a host receives an IP packet with ICMP specified as the upper-layer protocol, it demultiplexes the packet to ICMP, just as it would demultiplex a packet to TCP/UDP.

ICMP functions

- Announce network errors: such as a host or an entire portion of the network being unreachable due to some type of failure. A TCP or UDP packet directed at a port number with no receiver attached is also reported via ICMP.
- Announce network congestion: when a router begins buffering too many packets, due to an inability to transmit them as fast as they are being received, it will generate ICMP Source Quench messages. Directed at the sender, these messages should cause the rate of packet transmission to be slowed.


ICMP functions

- Assist troubleshooting: ICMP supports an Echo function, which just sends a packet on a round trip between two hosts. Ping, a common network management tool, is based on this feature. Ping will transmit a series of packets, measuring average round-trip times and computing loss percentages.
- Announce timeouts: if an IP packet's TTL field drops to zero, the router discarding the packet will often generate an ICMP packet announcing this fact. Traceroute is a tool which maps network routes by sending packets with small TTL values and watching the ICMP timeout announcements.

ICMP Applications

There are two simple and widely used applications which are based on ICMP:

- Ping
- Traceroute

ICMP Applications

- PING: the ping utility checks whether a host is alive and reachable. This is done by sending an ICMP Echo Request packet to the host and waiting for an ICMP Echo Reply from the host.
- TRACEROUTE: traceroute is a utility that records the route (the specific gateway computers at each hop) through the Internet between your computer and a specified destination computer. It also calculates and displays the amount of time each hop took.


ICMP Operation

ICMP datagram structure
The ICMP datagram, being an IP datagram, contains the usual IP header. This is followed by an ICMP header which varies slightly between the different types of ICMP message. The general format is shown below:

ICMP Message Types

Type  Message Type             Description
3     Destination Unreachable  Packet could not be delivered
11    Time Exceeded            Time to live field hit 0
12    Parameter Problem        Invalid header field
4     Source Quench            Choke packet
5     Redirect                 Teach a router about geography
8     Echo                     Ask a machine if it is alive
0     Echo Reply               Yes, I am alive
13    Timestamp Request        Same as Echo request, but with timestamp
14    Timestamp Reply          Same as Echo reply, but with timestamp

More about Message Types

- The DESTINATION UNREACHABLE message is used when the subnet or a router cannot locate the destination.
- The TIME EXCEEDED message is sent when a packet is dropped because its counter has reached zero. This event is a symptom that packets are looping, that there is enormous congestion, or that the timer values are being set too low.
- The PARAMETER PROBLEM message indicates that an illegal value has been detected in a header field. This problem indicates a bug in the sending host's IP software or possibly in the software of a router transited.
- The SOURCE QUENCH message was formerly used to throttle hosts that were sending too many packets. When a host received this message, it was expected to slow down. It is rarely used any more when congestion occurs.


More about Message Types

- The REDIRECT message is used when a router notices that a packet seems to be routed wrong. It is used by the router to tell the sending host about the probable error.
- The ECHO and ECHO REPLY messages are used to see if a given destination is reachable and alive. Upon receiving the ECHO message, the destination is expected to send an ECHO REPLY message back.
- The TIMESTAMP REQUEST and TIMESTAMP REPLY messages are similar, except that the arrival time of the message and the departure time of the reply are recorded in the reply. This facility is used to measure network performance.


Code:
The exact meaning of the value contained within this field depends on the message Type. For example, with an ICMP Type 3 message ("Destination Unreachable"), a Code value of 0 means "Network Unreachable", which implies a router failure. A Code of 1 means "Host Unreachable".

Checksum:
The checksum field provides error detection for the ICMP header only and is calculated in the same way as the IP header checksum.

Parameters:
The usage of this field depends on the type of message. For example, Type 3 messages do not use this field, while Type 0 and 8 messages use the field to store an identifier and a sequence number.

Data:
Typically, the data is the IP header and the first 64 bits of the original datagram, i.e. the one that failed and prompted the ICMP message. Including the first 64 bits of the original datagram allows the ICMP message to be matched to the datagram that caused it.

Destination Unreachable Codes

Code  Definition
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
4     Fragmentation needed & Don't Fragment was set
5     Source Route failed
6     Destination Network Unknown
7     Destination Host Unknown
8     Source Host Isolated
9     Communication with Destination Network is Administratively Prohibited
10    Communication with Destination Host is Administratively Prohibited
11    Destination Network Unreachable for Type of Service
12    Destination Host Unreachable for Type of Service
13    Communication Administratively Prohibited
14    Host Precedence Violation
15    Precedence Cutoff Violation
Redirect Codes

Code  Definition
0     Redirect Datagram for the Network (or subnet)
1     Redirect Datagram for the Host
2     Redirect Datagram for the Type of Service & Network
3     Redirect Datagram for the Type of Service & Host

Time Exceeded Codes

Code  Definition
0     Time to Live Exceeded in Transit
1     Fragment Reassembly Time Exceeded

Parameter Problem Codes

Code  Definition
0     Pointer Indicates the Error
1     Missing a Required Option
2     Bad Length
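As an added worked example (not part of the original slides), the following Python builds and decodes ICMP messages using the field layout and the Type/Code tables above: it computes the one's-complement checksum (RFC 1071, the same algorithm as the IP header checksum), assembles an Echo Request whose parameters field carries the identifier and sequence number, maps Type and Code numbers to the names in the tables, and, for an error message, recovers the quoted IP header and first 64 bits of the offending datagram so the error can be matched to the flow that caused it. Note that RFC 792 defines the checksum over the whole ICMP message starting at the Type field, which is what the code verifies. The addresses, ports and the sample Port Unreachable message are constructed for this example; the function and constant names are this example's own.

```python
import struct

# Type numbers from the ICMP Message Types table (RFC 792).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp Request", 14: "Timestamp Reply"}

# Code tables for the types whose codes the slides list.
ICMP_CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation needed & Don't Fragment was set",
        5: "Source Route failed", 6: "Destination Network Unknown",
        7: "Destination Host Unknown", 8: "Source Host Isolated",
        9: "Communication with Destination Network is Administratively Prohibited",
        10: "Communication with Destination Host is Administratively Prohibited",
        11: "Destination Network Unreachable for Type of Service",
        12: "Destination Host Unreachable for Type of Service",
        13: "Communication Administratively Prohibited",
        14: "Host Precedence Violation", 15: "Precedence Cutoff Violation"},
    5: {0: "Redirect Datagram for the Network (or subnet)", 1: "Redirect Datagram for the Host",
        2: "Redirect Datagram for the Type of Service & Network",
        3: "Redirect Datagram for the Type of Service & Host"},
    11: {0: "Time to Live Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
    12: {0: "Pointer Indicates the Error", 1: "Missing a Required Option", 2: "Bad Length"},
}
ERROR_TYPES = (3, 4, 5, 11, 12)   # messages whose data field quotes the offending datagram


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Type 8, code 0; the parameters field holds the identifier and sequence number ping uses."""
    unchecked = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence) + payload
    return unchecked[:2] + struct.pack("!H", internet_checksum(unchecked)) + unchecked[4:]


def build_port_unreachable(orig_ip_header: bytes, orig_first64: bytes) -> bytes:
    """Type 3, code 3; the data field quotes the original IP header plus its first 8 payload bytes."""
    unchecked = struct.pack("!BBHI", 3, 3, 0, 0) + orig_ip_header + orig_first64
    return unchecked[:2] + struct.pack("!H", internet_checksum(unchecked)) + unchecked[4:]


def parse_icmp(message: bytes) -> dict:
    """Decode type/code names, verify the checksum and recover what an error message quotes."""
    if len(message) < 8:
        raise ValueError("ICMP message is shorter than its 8-byte header")
    icmp_type, code, _csum, params = struct.unpack("!BBHI", message[:8])
    result = {"type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "Unknown"),
              "code": code, "code_name": ICMP_CODES.get(icmp_type, {}).get(code, ""),
              # summing a message that carries a correct checksum yields zero
              "checksum_ok": internet_checksum(message) == 0}
    if icmp_type in (0, 8, 13, 14):
        result["identifier"], result["sequence"] = params >> 16, params & 0xFFFF
    if icmp_type in ERROR_TYPES and len(message) >= 28:
        quoted = message[8:]                          # original IP header + first 64 bits
        ihl = (quoted[0] & 0x0F) * 4                  # IP header length in bytes
        result["orig_protocol"] = quoted[9]
        result["orig_src"] = ".".join(str(b) for b in quoted[12:16])
        result["orig_dst"] = ".".join(str(b) for b in quoted[16:20])
        first64 = quoted[ihl:ihl + 8]
        if quoted[9] in (6, 17) and len(first64) >= 4:  # TCP/UDP ports sit in those 8 bytes
            result["orig_sport"], result["orig_dport"] = struct.unpack("!HH", first64[:4])
    return result


# Constructed sample: IP header of a UDP datagram 10.0.0.5 -> 192.0.2.10, ports 40000 -> 33434.
SAMPLE_IP_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 64, 17, 0,
                               bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
SAMPLE_UDP_HEADER = struct.pack("!HHHH", 40000, 33434, 16, 0)
SAMPLE_PORT_UNREACHABLE = build_port_unreachable(SAMPLE_IP_HEADER, SAMPLE_UDP_HEADER)

if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 1, b"abcdefgh")))
    print(parse_icmp(SAMPLE_PORT_UNREACHABLE))
```

The quoted header is what lets a sender tie a Destination Unreachable back to the UDP probe that triggered it: the parser returns the original source and destination addresses and, for TCP or UDP, both port numbers, which is exactly the information traceroute and a host's socket layer need.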

Testing and Troubleshooting Sequences for ICMP

- ICMP's most common uses are testing and troubleshooting.
- Two of the most well-known utilities, PING and TRACEROUTE, rely on ICMP to perform connectivity tests and path discovery.

Connectivity Testing with PING

- The PING utility is actually an ICMP Echo process.
- An ICMP Echo Request packet consists of an Ethernet header, IP header, ICMP header, and some undefined data.
- This packet is sent to the target host, which echoes back that data, as shown in Figure 4-1.
- The ICMP echo request is a connectionless process with no guarantee of delivery.

Connectivity Testing with PING (Contd.)

- Most PING utilities send a series of several echo requests to the target in order to obtain an average response time.
- These response times are displayed in milliseconds.
- These times should be considered a snapshot of the current round-trip time.
- The PING utility included with Windows 2000 sends a series of four ICMP echo requests with a one-second ICMP Echo Reply timeout value.

PING Utility Uses ICMP Echo Requests and Replies

Event Flow Diagram

- The echo requests consist of 32 bytes of data (an alphabetical pattern) in a fragmentable IP packet.
- The Ping utility provides feedback on success and round-trip times.
- The command-line parameters used with PING can affect the appearance and functionality of ICMP Echo packets.
Path Discovery with TRACEROUTE

- The TRACEROUTE utility identifies a path from the sender to the target host using ICMP echo requests and some manipulation of the TTL value in the IP header.
- Traceroute starts by sending a UDP datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an ICMP Time Exceeded message to the sender.
- Traceroute determines the address of the first hop by examining the source address field of the ICMP Time Exceeded message.

Path Discovery with TRACEROUTE (Contd.)

- To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the Time Exceeded message to the source. This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host, or until the maximum TTL is reached.
- To determine when a datagram reaches its destination, traceroute sets the UDP destination port in the datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram with an unrecognized port number, it sends an ICMP Port Unreachable error message to the source. The Port Unreachable error message indicates to traceroute that the destination has been reached.
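The hop-by-hop procedure above, as an added example that is not from the original slides: a small model network in Python stands in for the real routers (no raw sockets are involved), so the TTL decrement at each router, the Time Exceeded replies and the final Port Unreachable can be stepped through one probe at a time. The class and function names and the addresses are constructed for this illustration. The model also covers the failure mode the port choice guards against: when the probe's destination port happens to be in use on the target, no Port Unreachable comes back, traceroute records a timeout for that probe, and the next probe (sent to the next port number) completes the trace.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Probe:
    ttl: int        # IP TTL set by traceroute for this probe
    dport: int      # UDP destination port, deliberately high and unlikely to be in use


@dataclass
class IcmpReply:
    src: str        # router or host whose IP stack generated the message
    icmp_type: int  # 11 = Time Exceeded, 3 = Destination Unreachable
    code: int       # 0 = TTL exceeded in transit, 3 = Port Unreachable


class ModelNetwork:
    """Constructed stand-in for a real path: routers in order, then the destination host."""

    def __init__(self, routers: List[str], destination: str, listening_ports=()):
        self.routers = list(routers)
        self.destination = destination
        self.listening_ports = set(listening_ports)   # UDP ports with a listener on the destination

    def send(self, probe: Probe) -> Optional[IcmpReply]:
        ttl = probe.ttl
        for router in self.routers:
            ttl -= 1                                   # every router decrements TTL by one
            if ttl <= 0:                               # reached zero: discard, report Time Exceeded
                return IcmpReply(router, 11, 0)
        # The datagram reached the destination host itself.
        if probe.dport in self.listening_ports:
            return None                                # a listener consumed it: no ICMP error at all
        return IcmpReply(self.destination, 3, 3)       # unrecognized port: Port Unreachable


def traceroute(net: ModelNetwork, max_ttl: int = 30, base_port: int = 33434) -> List[Tuple[int, str]]:
    """Return (ttl, responder) for each probe, with '*' where no ICMP message came back."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = net.send(Probe(ttl, base_port + ttl - 1))   # classic traceroute bumps the port per probe
        if reply is None:
            hops.append((ttl, "*"))                    # timeout: nothing to learn from this probe
            continue
        hops.append((ttl, reply.src))                  # source address of the ICMP message = this hop
        if reply.icmp_type == 3 and reply.code == 3:
            break                                      # Port Unreachable from the destination: done
    return hops


# Constructed topology: three routers in front of the destination host.
SAMPLE_NET = ModelNetwork(["10.0.0.1", "10.0.1.1", "198.51.100.1"], "192.0.2.10")

if __name__ == "__main__":
    for ttl, who in traceroute(SAMPLE_NET):
        print(f"{ttl:2d}  {who}")
```

The stop condition is the point of the exercise: Time Exceeded messages identify intermediate routers, but only a Destination Unreachable with code 3 (Port Unreachable) proves that the datagram reached the target host itself.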

Event Flow Diagram

Vulnerabilities

Vulnerability Note VU#221164

Overview
A vulnerability in some Cisco Virtual Private Network (VPN) products could allow a remote attacker to cause a denial of service.

Impact
A denial-of-service condition can result from degraded performance or unexpected rebooting of the affected device.

Solution
Cisco Systems Inc. has released software patches and workaround information for this vulnerability.

Systems Affected
Vendor              Status      Date Updated
Cisco Systems Inc.  Vulnerable  May-8-2003

Credit
Thanks to the Cisco Systems Product Security Incident Response Team for reporting this vulnerability.
Vulnerability Note VU#918920

Overview
A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition.

Vulnerable
Cisco ONS 15327 Edge Optical Transport Platform releases:
- 4.6(0) and 4.6(1)
- 4.1(0) to 4.1(3)
Not vulnerable
Cisco ONS 15600 Multiservice Switching Platform

Impact
A remote, unauthenticated attacker could cause control cards to reset on an affected optical device. Repeated exploitation of this vulnerability could result in a denial of service.

Solution
The vendor has released newer, fixed versions.
Vulnerability Note VU#471084

Overview
The Linux 2.0 kernel contains a vulnerability in the way it processes ICMP errors. This could lead to portions of memory being leaked to a malicious user.

Description
The Linux 2.0 kernel (versions 2.0 through 2.0.39 inclusive) contains an error in the calculation of the size for an ICMP citation. A citation (the portion of the original datagram quoted in the data field) is created for ICMP error responses. This miscalculation may lead to random data stored in memory being returned in the response.

Impact
Sensitive information may be leaked to an attacker.

Solution
Upgrade or apply a patch as necessary.

Credit
Thanks to Philippe Biondi of Cartel Security for reporting this vulnerability.

Problem issues

Problems

- ICMP redirect messages can be used to trick routers and hosts acting as routers into using "false" routes; these false routes would aid in directing traffic to an attacker's system instead of a legitimate trusted system.
- This could in turn lead to an attacker gaining access to systems that normally would not permit connections to the attacker's system or network.
- Older versions of UNIX could drop all connections between two hosts even if only one connection was experiencing network problems.
Extensions

Extensions

- In order to support … in tunneling, … extends the final field of selected ICMP messages to include a greater portion of the original datagram.
- An additional object is provided through which octets 129 and beyond can be appended to the ICMP message.

Extensions (Contd.)

- As few datagrams contain L3 or L4 header information beyond octet 128, it is unlikely that the extensions described herein will disable any applications that rely upon ICMP messages.

Security Issues

Security Issues with ICMP

- ICMP can be used as part of a reconnaissance process to learn about active network addresses and active processes.
- These reconnaissance processes often precede a network break-in.
- When hackers decide to infiltrate a network, they typically start with a list of the IP hosts on the network (unless the target is a single known system).


Security Issues for ICMP

- An IP host probe process is one method of obtaining a list of the active hosts on a network.
- The next step in the hack is a port probe.
- Once hackers know the addresses of the active devices on the network, they can target their next reconnaissance process, the port probe, at those devices.
- Because many systems do not reply to pings sent to the broadcast address, typical IP host probes are sent unicast to each possible address.
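From the defender's side, as an added example that is not part of the original slides, the following Python runs two detection checks over constructed ICMP flow records: the host-probe pattern just described (one source sending Echo Requests, unicast, to many distinct addresses within a short window) and the Redirect problem from the Problems slide (a Redirect arriving from a source that is not the configured gateway, which is the message a host should refuse to act on). The record format, the thresholds, the addresses and the function names are assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class IcmpRecord(NamedTuple):
    ts: float        # seconds
    src: str
    dst: str
    icmp_type: int
    icmp_code: int


# Constructed flow records (not real captures): one host probing a /24 address by address,
# an ordinary ping exchange, and two Redirects, one from a non-gateway and one from the gateway.
SAMPLE_RECORDS: List[IcmpRecord] = (
    [IcmpRecord(1000.0 + i * 0.2, "10.9.9.9", f"192.0.2.{i + 1}", 8, 0) for i in range(12)]
    + [IcmpRecord(1005.0, "192.0.2.50", "192.0.2.1", 8, 0),
       IcmpRecord(1005.1, "192.0.2.1", "192.0.2.50", 0, 0),
       IcmpRecord(1020.0, "192.0.2.77", "192.0.2.50", 5, 1),
       IcmpRecord(1021.0, "192.0.2.1", "192.0.2.50", 5, 1)]
)


def detect_echo_sweeps(records: Iterable[IcmpRecord], window: float = 10.0,
                       min_targets: int = 8) -> Dict[str, int]:
    """Sources whose Echo Requests reach >= min_targets distinct hosts within any `window` seconds.
    Returns {source: largest number of distinct targets seen in one window}."""
    by_src = defaultdict(list)
    for r in records:
        if r.icmp_type == 8:                       # Echo Request only; replies are not probes
            by_src[r.src].append(r)
    flagged: Dict[str, int] = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r.ts)
        for i, first in enumerate(reqs):           # slide a window starting at each request
            targets = {r.dst for r in reqs[i:] if r.ts - first.ts <= window}
            if len(targets) >= min_targets and len(targets) > flagged.get(src, 0):
                flagged[src] = len(targets)
    return flagged


def detect_untrusted_redirects(records: Iterable[IcmpRecord],
                               trusted_gateways: Iterable[str]) -> List[IcmpRecord]:
    """Redirect messages (type 5) from any source that is not a configured gateway.
    Acting on one of these would install the 'false route' the Problems slide describes."""
    trusted = set(trusted_gateways)
    return [r for r in records if r.icmp_type == 5 and r.src not in trusted]


if __name__ == "__main__":
    print("sweeps:", detect_echo_sweeps(SAMPLE_RECORDS))
    for r in detect_untrusted_redirects(SAMPLE_RECORDS, {"192.0.2.1"}):
        print("untrusted redirect:", r)
```

The sweep detector keys on distinct destinations rather than packet count, so a monitoring host pinging one server every second is never flagged, while a source walking an address range is flagged as soon as it has touched the threshold number of hosts inside one window.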

Security Issues

- ICMP messages must use an established SAID (Security Association Identifier). From a destination host, this means an SAID must exist or be established on the fly even when an unprotected IP message is the source of the ICMP message.
- Certain ICMP messages can legitimately arrive from any gateway along the route taken by an IP message from source to destination host. To protect the ICMP message, the source host must have an SAID with that gateway. Potentially, this means a source host must have an SAID with *every* gateway through which its IP packets may pass.


Security Issues

- Very serious attacks are possible with ICMP and against routing protocols.

Solutions exist but are not applied!

- Strict traffic filtering against IP source address spoofing (RFC 2267)
- Education of the network managers
- Cryptography: key management protocols not generally adopted; a standard Public Key Infrastructure (PKI) not yet agreed upon
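An added illustration of the first solution listed above, not taken from the original slides: ingress filtering in the spirit of RFC 2267, where a packet entering on a customer-facing interface is accepted only if its source address lies within the prefixes assigned behind that interface, so a spoofed source cannot be injected from the edge. The interface names, prefixes and packet records are constructed, and the policy table and the functions are this example's own.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Constructed ingress policy: edge interface -> prefixes legitimately sourced behind it.
# Interfaces absent from the table (the uplink, here "eth0") are not filtered by this rule.
INGRESS_POLICY = {
    "eth1": ["192.0.2.0/24"],
    "eth2": ["198.51.100.0/25", "198.51.100.128/26"],
}


class Packet(NamedTuple):
    iface: str   # interface the packet arrived on
    src: str
    dst: str


def compile_policy(policy: Dict[str, List[str]]):
    """Parse the prefix strings once so each per-packet check is a plain membership test."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in policy.items()}


def ingress_verdict(table, pkt: Packet) -> str:
    """'permit', or the reason the packet is dropped at the edge."""
    nets = table.get(pkt.iface)
    if nets is None:
        return "permit"                      # not an edge interface covered by the policy
    src = ipaddress.ip_address(pkt.src)
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop: invalid source address"
    if not any(src in n for n in nets):      # source outside every prefix assigned to this port
        return "drop: source not assigned behind " + pkt.iface
    return "permit"


def dropped_sources(policy: Dict[str, List[str]], packets: List[Packet]) -> List[str]:
    """Source addresses of the packets the edge filter would drop, in arrival order."""
    table = compile_policy(policy)
    return [p.src for p in packets if ingress_verdict(table, p) != "permit"]


# Constructed packets: legitimate traffic, a spoofed source, an unassigned address, uplink traffic.
SAMPLE_PACKETS = [
    Packet("eth1", "192.0.2.9", "203.0.113.1"),       # customer host behind eth1
    Packet("eth1", "203.0.113.5", "192.0.2.1"),       # spoofed: that source is not behind eth1
    Packet("eth2", "198.51.100.200", "203.0.113.1"),  # .192-.255 is not assigned behind eth2
    Packet("eth0", "203.0.113.5", "192.0.2.9"),       # uplink: not subject to this filter
]

if __name__ == "__main__":
    table = compile_policy(INGRESS_POLICY)
    for p in SAMPLE_PACKETS:
        print(p.iface, p.src, "->", ingress_verdict(table, p))
```

The filter is deliberately placed at the interface where the legitimate source prefixes are known; the same check cannot be applied on an uplink, where any source is plausible, which is why RFC 2267 asks every network operator to filter their own edges.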

Summary

- ICMP provides vital feedback about IP routing and delivery problems.
- Although ICMP messages fall within various well-documented types, and behave as a separate protocol at the TCP/IP Network layer, ICMP is really part and parcel of IP itself, and its support is required in any standards-compliant IP implementation.

Summary

- Two vital TCP/IP diagnostic utilities, known as PING and TRACEROUTE (invoked as TRACERT in the Windows environment), use ICMP to measure round-trip times between a sending and a receiving host, and to perform path discovery for a sending host and all intermediate hosts or routers between sender and receiver.
- ICMP also supports Path MTU (PMTU) Discovery between a sender and a receiver, which helps to optimize performance of data delivery between pairs of hosts by avoiding fragmentation en route.

Summary

- Route and routing error information from ICMP derives from numerous types of ICMP messages.
- ICMP also supports route optimization through its ICMP Redirect message type, but this capability is normally restricted to trusted sources of information because of the potential security problems that uncontrolled acceptance of such messages can cause.


Conclusion

- Although ICMP has great positive value as a diagnostic and reporting tool, those same capabilities can be turned to nefarious purposes as well, which makes security issues for ICMP important.
- Understanding the meaning and significance of the ICMP Type and Code fields is essential to recognizing individual ICMP messages and what they are trying to communicate.


Questions

1. Why is the Source Quench message rarely used?

Sol: When congestion occurs, sending these packets increases the congestion.

2. When are ICMP messages generated?

Sol: ICMP messages are typically generated in response to errors in IP datagrams or for diagnostic or routing purposes.

3. What is the drawback of using the ping command?

Sol: The ping command will send an ECHO REQUEST datagram to a host or network interface. On reception, the packet is returned with an ECHO RESPONSE datagram. While this test does not verify that your server is operating correctly, it does verify that the networking portion of it is reachable.

References

http://www.faqs.org (RFC 792)
http://www.ietf.org
http://www.iss.net
http://www.eventhelix.com

Books

Steven M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communications Review.

Andrew S. Tanenbaum. Computer Networks.