The Internet Control Message Protocol (ICMP) was developed alongside the entire TCP/IP protocol suite as a tool for exchanging simple messages between devices. The messages can indicate that services or hosts are unavailable or the messages can be used to test connectivity between devices.
Unfortunately, ICMP is trusting -- not requiring any authentication between devices. This trusting nature can be exploited in a number of ways. ICMP-based network scans and exploits are often used to identify networking devices, applications or operating systems and attack network systems.
ICMP echo attacks
The DNS attacks of October 2002 were based on an old ICMP attack trick.
Numerous computers sent ICMP echo requests (also referred to as 'pings') to the root DNS servers. Since 12 of the 13 root DNS servers had ICMP ping enabled on them, they had to respond to each of these echo requests.
This, in effect, was a large-scale distributed denial of service attack using a simplistic connection testing routing. As of the time this article was written, only 10 of the DNS servers still process and respond to ICMP echo requests -- hopefully we will learn from the October 2002 attack and shut down ICMP echo processes on all 13 root DNS servers.
I advise clients to turn off ICMP echo response on all key devices within a company network and on the boarder of the Internet connection.
ICMP for service scanning
ICMP can be used to identify some services running on network systems as well.
If a UDP-based (User Datagram Protocol) communication is sent to a device that does not support the destination application, a "Destination Unreachable/Port Unreachable" ICMP message may be returned. The scanning system now knows that the application is not supported on the target.
For example, to determine whether DNS (Domain Name System) is supported on a target machine, a packet addressed to the DNS service (port 53) could be sent to the target. If the target sends back an ICMP Destination Unreachable/Port Unreachable message, we can figure that the target does not support DNS services. If any other response is received, we can conclude that the target does indeed support DNS services.
By scanning an entire network and listening to the ICMP responses, we can easily locate running services on a network. This technique is used by many scanning and multifunction tools such as nMap, LANGuard, and NetScanTools.
ICMP can be used to redirect traffic that is routed on a network.
This can cause a disruption in communications or enable a sniffer to listen in on traffic that normally would not be routed in the sniffer's direction. (Note that in this article, I am using the term 'sniffer' to denote a general packet analyzer -- I'm not referring specifically to the Sniffer Network Analyzer by Network Associates (although that tool would do nicely in this example.)
Redirection is normally used when a client sends data to a router that does not offer the best path to the destination. The receiving router sends an ICMP redirection message to a client to point the sender to another router on the network. The information is cached on the client's station (readable through the ROUTE PRINT command) and used the next time the client wants to communicate to the original destination network.
ICMP protocol poster
Ms. Chappell's ICMP protocol poster can be downloaded from www.packet-level.com and printed in 2'x3' size.
ICMP for OS fingerprinting
OS fingerprinting is the process of determining the operating system of a target.
Knowing this information is key when someone is planning an OS-specific attack. There are two types of OS fingerprinting techniques -- passive and active. Passive fingerprinting tools do not send any traffic on the wire -- they only listen and make decisions on the OS types based on what they hear.
Active OS fingerprinting tools, however, send a series of communications to the target. One of the key elements of active OS fingerprinting tools is ICMP. These active OS fingerprinting tools send a series of normal, malformed and unusual ICMP queries to a target and listen to the responses.
Figure 1 below shows the type of traffic seen on a network sniffer when an OS fingerprinting operation is underway.
Figure 1: Notice the ICMP packet with an invalid code, the ICMP Get address, ICMP Get timestamp, and ICMP Get information packets used in a LANGuard OS fingerprinting operation. Note: This trace is available online at http://www.packet-level.com/traceFiles.htm.
The basic functionality of ICMP is documented in RFC (Request for Comment) 792 that can be found online at www.ietf.org. Reading this document can give you a basic overview of the different types of ICMP operations.
Given the popularity of ICMP amongst the hacking community, I highly recommend that you get familiar with this useful (but often harmful) protocol.
Laura Chappell is the Senior Protocol Analyst for the Protocol Analysis Institute. She is the author of numerous books and self-paced courseware available online at www.packet-level.com and www.podbooks.com.