ICMP was designed to act as a messenger for logical errors and diagnostics. It is addressed in detail in RFC 792. Any IP network device has the capability to send, receive, or process ICMP messages. The designers of ICMP never considered the security issues we must deal with today, but they did set some ground rules for ICMP to work efficiently.
- To make sure that ICMP messages wouldn't flood an IP network, ICMP is not given any special priority and is always treated as normal traffic.
- ICMP messages cannot be sent in response to other ICMP messages. This design mechanism was intended to prevent situations where one error message creates another, and another, and another. That would be a real problem!
- ICMP was not designed to be sent in response to multicast or broadcast traffic.
With some of the ground rules of ICMP out of the way, let's turn our attention to the format of the ICMP header. ICMP is designed so that the header contains a type and code field. Common ICMP types include the following:
|0||Echo Reply (Ping)|
|6||Alternate Host Address|
|8||Echo Request (Ping)|
Together, the type and code fields can be used to determine the reason for the ICMP message. As an example, a type 3 is a destination unreachable. There are 16 unique codes for type 3 messages. The code identifies the specific reason why the destination is unreachable; this could include a problem with the network (a code 0), a router blocking the packet (a code 13), or even that the application is not running on the destination computer (a code 3). The most common ICMP message type is an 8/0, which is an echo request/reply (ping).
There are many network tools built around ICMP. Traceroute is an example of this. Traceroute works by sending sequentially numbered IP TTL packets while looking for ICMP TTL exceeded messages returned. By its very design, you can see that ICMP can be a very useful network tool. Unfortunately, it is also one of the most used and abused protocols. Now, let's look at some of the ways ICMP is misused.
Abuse of ICMP
Earlier, I described ping as a basic connectivity tool. It's widely used by hackers to verify connectivity before an attack. You cannot attack a system that isn't up and running -- and ping provides a perfect way to check that a system is alive. This has become so much of a problem that many networks now block incoming initiated pings. Although this is a good start, it does not completely eliminate the problem. An example of this can be seen in the covert tool Loki.
Released in 1996 in the underground magazine Phrak, Loki was a proof-of-concept tool. If installed on an internal computer, Loki can use ICMP to phone home to the hacker outside of the network. The administrator sees only outbound initiated ping traffic, but the attacker has in reality set up a covert channel. The ICMP protocol is being used for messaging. Blocking both inbound and outbound ICMP at the firewall will eliminate this problem.
Another ICMP-related problem is the potential of its use in a denial of Service (DoS) attack. An example of this can be seen in Smurf. Smurf uses ping packets to abuse ICMP. It sends malformed ICMP packets. It alters the destination address so that the packet is sent to the broadcast address of a network node. The source address has been altered to be pointed to the victim of the attack. On a large network, many systems will reply to this broadcast ping. The attack results in the victim being flooded with a stream of ping responses so that legitimate access is blocked. A similar type of attack was launched against core DNS servers in 2002. Administrators can prevent their networks from being used to bounce Smurf traffic by adding the following command in their Cisco routers:
no ip directed-broadcast.
ICMP can also be used to aid in port scanning and in OS identification. This is also called fingerprinting. It's a required step of the attack process. After all, an attacker cannot target a system successfully without knowing what it's running. As an example, the attacker may have an exploit against Windows XP, yet this exploit would be worthless against a Windows 2003 system. Fingerprinting is used to identify the OS. When fingerprinting is attempted, the attacker will use a scanning tool to send a series of normal, unusual and then malformed ICMP queries to the targeted system. The scanning tool then observes the responses and compares them to a database.
About the author:
Michael Gregg has been involved in IT and network security for more than 15 years. He is the founder and CTO of Superior Solutions Inc., a risk-assessment and security consulting firm. He has developed high-level security classes and written six books; the most recent is Hack the Stack: The Eight Layers of an Insecure Network.
This was first published in November 2006