By
Venkata Naga Chaturvedula
Thomson Erelli
Kiran Nukalapati
About the Internet Control Message Protocol
• The Internet Control Message Protocol (ICMP) is a classic example of a client-server application.
Purpose of ICMP
ICMP in the TCP/IP protocol suite
• ICMP is a network layer protocol; it is often placed next to the IP protocol.
• ICMP lies just above IP, as ICMP messages are carried inside IP packets.
ICMP functions
• Announce network errors: such as a host or an entire portion of the network being unreachable, due to some type of failure. A TCP or UDP packet directed at a port number with no receiver attached is also reported via ICMP.
• Announce network congestion: when a router begins buffering too many packets, due to an inability to transmit them as fast as they are being received, it will generate ICMP Source Quench messages. Directed at the sender, these messages should cause the rate of packet transmission to be slowed.
• Assist troubleshooting: ICMP supports an Echo function, which just sends a packet on a round trip between two hosts. Ping, a common network management tool, is based on this feature. Ping will transmit a series of packets, measuring average round-trip times and computing loss percentages.
ICMP Applications
• Ping
• Traceroute

• PING: The ping utility checks whether a host is alive and reachable or not. This is done by sending an ICMP Echo Request packet to the host and waiting for an ICMP Echo Reply from the host.
• TRACEROUTE: Traceroute is a utility that records the route (the specific gateway computers at each hop) through the Internet between your computer and a specified destination computer. It also calculates and displays the amount of time each hop took.

ICMP Operation
ICMP datagram structure
The ICMP datagram, being an IP datagram, contains the usual IP header. This is followed by an ICMP header, which varies slightly between the different types of ICMP message. The general format is shown below:

ICMP Message Types
More about Message Types
• The TIME EXCEEDED message is sent when a packet is dropped because its counter has reached zero. This event is a symptom that packets are looping, that there is enormous congestion, or that the timer values are being set too low.
• The PARAMETER PROBLEM message indicates that an illegal value has been detected in a header field. This problem indicates a bug in the sending host's IP software or possibly in the software of a router transited.
• The SOURCE QUENCH message was formerly used to throttle hosts that were sending too many packets. When a host received this message, it was expected to slow down. It is rarely used any more when congestion occurs.
• The REDIRECT MESSAGE is used when a router notices that a packet seems to be routed wrong. It is used by the router to tell the sending host about the probable error.
• The ECHO and ECHO REPLY messages are used to see if a given destination is reachable and alive. Upon receiving the ECHO message, the destination is expected to send an ECHO REPLY message back.
• The TIMESTAMP REQUEST and TIMESTAMP REPLY messages are similar, except that the arrival time of the message and the departure time of the reply are recorded in the reply. This facility is used to measure network performance.
Code:
The exact meaning of the value contained within this field depends on the message Type. For example, with an ICMP Type 3 message ("Destination unreachable"), a Code value of 0 means "Network unreachable", which implies a router failure. A Code of 1 means "Host unreachable".
Checksum:
The checksum field provides error detection for the ICMP header only and is calculated in the same way as the IP header checksum.
Parameters:
The usage of this field depends on the type of message. For example, Type 3 messages do not use this field, while Type 0 and 8 messages use the field to store an identifier and sequence number.
Data:
Typically, the data is the IP header and first 64 bits of the original datagram, i.e. the one that failed and prompted the ICMP message. Including the first 64 bits of the original datagram allows the ICMP message to be matched to the datagram that caused it.
Destination Unreachable Codes
Code  Definition
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
4     Fragmentation needed & Don't Fragment was set
5     Source Route failed
6     Destination Network Unknown
7     Destination Host Unknown
8     Source Host Isolated
9     Communication with Destination Network is Administratively Prohibited
10    Communication with Destination Host is Administratively Prohibited
11    Destination Network Unreachable for Type of Service
12    Destination Host Unreachable for Type of Service
13    Communication Administratively Prohibited
14    Host Precedence Violation
15    Precedence Cutoff Violation
Redirect Codes
Code  Definition
0     Redirect Datagram for the Network (or subnet)
1     Redirect Datagram for the Host
2     Redirect Datagram for the Type of Service & Network
3     Redirect Datagram for the Type of Service & Host
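The header fields described above (Code, Checksum, Parameters, Data) and the Type 3 and Type 5 code tables, exercised in code. This is an added example and is not part of the original slides: it builds an Echo Request with the RFC 1071 checksum, constructs a Destination Unreachable message whose data is the original IP header plus the first 64 bits of the failed datagram, verifies the checksum, decodes the code, and matches the error back to the probe that caused it. The addresses, ports, identifier values and helper names (icmp_checksum, build_echo_request, build_dest_unreachable, parse_icmp, demo) are constructed for this example.

```python
import socket
import struct

# ICMP Type 3 (Destination Unreachable) codes, as tabulated on the slides.
DEST_UNREACH_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation needed & Don't Fragment was set",
    5: "Source Route failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 8: "Source Host Isolated",
    9: "Communication with Destination Network is Administratively Prohibited",
    10: "Communication with Destination Host is Administratively Prohibited",
    11: "Destination Network Unreachable for Type of Service",
    12: "Destination Host Unreachable for Type of Service",
    13: "Communication Administratively Prohibited",
    14: "Host Precedence Violation", 15: "Precedence Cutoff Violation",
}
# ICMP Type 5 (Redirect) codes.
REDIRECT_CODES = {
    0: "Redirect Datagram for the Network (or subnet)",
    1: "Redirect Datagram for the Host",
    2: "Redirect Datagram for the Type of Service & Network",
    3: "Redirect Datagram for the Type of Service & Host",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; the same algorithm the IP header uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = icmp_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def build_echo_request(ident: int, seq: int,
                       payload: bytes = b"abcdefghijklmnopqrstuvwabcdefghi") -> bytes:
    """Type 8 / code 0. The parameters field holds identifier and sequence number;
    the default payload is a 32-byte alphabetical pattern like the one on the slides."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(hdr + payload), ident, seq) + payload


def build_dest_unreachable(code: int, original: bytes) -> bytes:
    """Type 3. Parameters field is unused (zero); the data is the original IP header
    plus the first 64 bits (8 bytes) of the datagram that provoked the error."""
    ihl = (original[0] & 0x0F) * 4
    citation = original[:ihl + 8]           # citation size: IP header + 8 bytes
    hdr = struct.pack("!BBHI", 3, code, 0, 0)
    return struct.pack("!BBHI", 3, code, icmp_checksum(hdr + citation), 0) + citation


def parse_citation(data: bytes) -> dict:
    """Read addresses and, for UDP/ICMP, the ports or id/sequence out of the cited
    datagram, so the error can be matched to the probe that caused it."""
    ihl = (data[0] & 0x0F) * 4
    cite = {"src": socket.inet_ntoa(data[12:16]),
            "dst": socket.inet_ntoa(data[16:20]), "proto": data[9]}
    first8 = data[ihl:ihl + 8]
    if cite["proto"] == 17 and len(first8) >= 4:       # UDP: ports lead the header
        cite["sport"], cite["dport"] = struct.unpack("!HH", first8[:4])
    elif cite["proto"] == 1 and len(first8) >= 8:      # ICMP echo: id and sequence
        cite["identifier"], cite["sequence"] = struct.unpack("!HH", first8[4:8])
    return cite


def parse_icmp(packet: bytes) -> dict:
    """Decode type/code, verify the checksum (a valid message sums to zero) and
    attach the decoded meaning plus the citation where the type carries one."""
    typ, code = packet[0], packet[1]
    info = {"type": typ, "code": code, "checksum_ok": icmp_checksum(packet) == 0}
    if typ in (0, 8):
        info["meaning"] = "Echo Reply" if typ == 0 else "Echo Request"
        info["identifier"], info["sequence"] = struct.unpack("!HH", packet[4:8])
    elif typ == 3:
        info["meaning"] = DEST_UNREACH_CODES.get(code, "unknown code")
        info["citation"] = parse_citation(packet[8:])
    elif typ == 5:
        info["meaning"] = REDIRECT_CODES.get(code, "unknown code")
        info["gateway"] = socket.inet_ntoa(packet[4:8])   # parameters = new gateway
        info["citation"] = parse_citation(packet[8:])
    elif typ == 11:
        info["meaning"] = "Time Exceeded"
        info["citation"] = parse_citation(packet[8:])
    else:
        info["meaning"] = "type %d (not decoded here)" % typ
    return info


def demo() -> dict:
    """Constructed scenario: a UDP probe to a closed port draws back Type 3 / Code 3."""
    udp = struct.pack("!HHHH", 40000, 33434, 12, 0) + b"abcd"   # 8-byte header + 4 data
    probe = ipv4_header("192.0.2.10", "198.51.100.7", 17, len(udp)) + udp
    return parse_icmp(build_dest_unreachable(3, probe))


if __name__ == "__main__":
    print(parse_icmp(build_echo_request(0x1234, 1)))
    print(demo())
```

Note that parse_icmp verifies the checksum over the ICMP message only, exactly as the Checksum field description says; the IP header in front of it has its own checksum. The citation length (header plus 8 bytes) is what an ICMP error is supposed to quote, and getting that size wrong is the kind of defect discussed under VU#471084 further down.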
Testing and Troubleshooting Sequences for ICMP
Connectivity Testing with PING
• Most PING utilities send a series of several echo requests to the target in order to obtain an average response time.
• These response times are displayed in milliseconds.
• These times should be considered a snapshot of the current round-trip time.
• The PING utility included with Windows 2000 sends a series of four ICMP echo requests with a one-second ICMP Echo Reply Timeout value.
(Figure: PING utility uses ICMP Echo Requests and Replies, event flow diagram)
• The echo requests consist of 32 bytes of data (an alphabetical pattern) in a fragmentable IP packet.
Path Discovery with TRACEROUTE
• The TRACEROUTE utility identifies a path from the sender to the target host using ICMP echo requests and some manipulation of the TTL value in the IP header.
• Traceroute starts by sending a UDP datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it drops the datagram and sends back an ICMP Time-Exceeded message to the sender.
• Traceroute determines the address of the first hop by examining the source address field of the ICMP Time-Exceeded message.
Path Discovery with TRACEROUTE (Contd.)
• To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards the datagram, and returns the Time-Exceeded message to the source. This process continues until the TTL is incremented to a value large enough for the datagram to reach the destination host or until the maximum TTL is reached.
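The TTL-probing loop described in the two slides above, as an offline simulation. This is an added example, not code from the original slides: the router addresses, the destination, the "silent" hop that never answers, and the function names forward and traceroute are all constructed. It shows how each hop is read off the source address of the Time-Exceeded reply, how the loop ends on the destination's Port Unreachable, and the two failure modes a real traceroute prints as "*": a hop that sends no ICMP, and the maximum TTL being reached first.

```python
ICMP_TIME_EXCEEDED = 11          # type 11, code 0
ICMP_PORT_UNREACHABLE = (3, 3)   # type 3, code 3: the UDP probe reached the target


def forward(path, dst, ttl, silent=frozenset()):
    """Walk one UDP probe through a constructed path of router addresses.
    Every router decrements the TTL by 1; the router that drives it to 0 drops the
    datagram and answers Time Exceeded from its own address, unless it is a
    'silent' hop that emits no ICMP at all. A probe that survives the whole path
    reaches dst, which answers Port Unreachable because nothing listens there."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            return None if router in silent else (ICMP_TIME_EXCEEDED, 0, router)
    return ICMP_PORT_UNREACHABLE + (dst,)


def traceroute(path, dst, silent=frozenset(), max_ttl=30):
    """Probe with TTL 1, 2, 3, ... and record each hop from the ICMP reply's source
    address; stop at the destination's Port Unreachable or when max_ttl is reached."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = forward(path, dst, ttl, silent)
        if reply is None:
            hops.append((ttl, "*", "no reply"))      # real traceroute prints '*'
            continue
        typ, code, src = reply
        kind = "Time Exceeded" if typ == ICMP_TIME_EXCEEDED else "Port Unreachable"
        hops.append((ttl, src, kind))
        if (typ, code) == ICMP_PORT_UNREACHABLE:
            break
    return hops


# Constructed path: three routers; the middle one is filtered and never answers.
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
DEST = "192.0.2.50"

if __name__ == "__main__":
    for ttl, src, kind in traceroute(PATH, DEST, silent={"10.0.1.1"}):
        print("%2d  %-15s %s" % (ttl, src, kind))
```

A defender reading the output should keep the "*" case in mind: a hop that filters outbound ICMP hides itself but does not break the trace, because the next TTL value still passes through it.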
(Figure: TRACEROUTE event flow diagram)
Vulnerabilities
Vulnerability Note VU#221164
Overview
A vulnerability in some Cisco Virtual Private Network (VPN) products could allow a remote attacker to cause a denial of service.
Impact
A denial-of-service condition can result from degraded performance or unexpected rebooting of the affected device.
Solution
Cisco Systems Inc. has released software patches and workaround information for this vulnerability.
Systems Affected
Vendor              Status      Date Updated
Cisco Systems Inc.  Vulnerable  May-8-200
Credit
Thanks to the Cisco Systems Product Security Incident Response Team for reporting this vulnerability.
Vulnerability Note VU#918920
Overview
A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition.
Vulnerable
Cisco ONS 15327 Edge Optical Transport Platform releases:
• 4.6(0) and 4.6(1)
• 4.1(0) to 4.1()
Not vulnerable
Cisco ONS 15600 Multiservice Switching Platform
Impact
A remote, unauthenticated attacker could cause control cards to reset on an affected optical device. Repeated exploitation of this vulnerability could result in a denial of service.
Solution
Cisco has released upgraded versions that correct the problem.
Vulnerability Note VU#471084
Overview
The Linux 2.0 kernel contains a vulnerability in the way it processes ICMP errors. This could lead to portions of memory being leaked to a malicious user.
Description
The Linux 2.0 kernel (versions 2.0 through 2.0.39 inclusive) contains an error in the calculation of the size of an ICMP citation. A citation is created for ICMP error responses. This miscalculation may lead to random data stored in memory being returned in the response.
Impact
Sensitive information may be leaked to an attacker.
Solution
Upgrade or apply a patch as necessary.
Credit
Thanks to Philippe Biondi of Cartel Security for reporting this vulnerability.
Problem issues
Problems
• ICMP redirect messages can be used to trick routers and hosts acting as routers into using "false" routes; these false routes would aid in directing traffic to an attacker's system instead of a legitimate trusted system.
• This could in turn lead to an attacker gaining access to systems that normally would not permit connections to the attacker's system or network.
Extensions
Security Issues with ICMP
Summary
Conclusion
Questions
Sol: The ping command will send an ECHO REQUEST datagram to a host or network interface. On reception, the packet is returned with an ECHO RESPONSE datagram. While this test does not verify that your server is operating correctly, it does verify that the networking portion of it is reachable.