Saturday, October 5, 2024

ICMP: The Good, the Bad and the Ugly

The Internet Control Message Protocol (ICMP) was developed alongside the entire TCP/IP protocol suite as a tool for exchanging simple messages between devices. The messages can indicate that services or hosts are unavailable, or they can be used to test connectivity between devices.

Unfortunately, ICMP is trusting – not requiring any authentication between devices. This trusting nature can be exploited in a number of ways. ICMP-based network scans and exploits are often used to identify networking devices, applications or operating systems and attack network systems.

ICMP Echo Attacks

The DNS attacks of October 2002 were based on an old ICMP attack trick.

Numerous computers sent ICMP echo requests (also referred to as "pings") to the root DNS servers. Since 12 of the 13 root DNS servers had ICMP ping enabled on them, they had to respond to each of these echo requests.

This, in effect, was a large-scale distributed denial-of-service attack using a simplistic connection-testing routine. At the time this article was written, only 10 of the DNS servers still processed and responded to ICMP echo requests – hopefully we will learn from the October 2002 attack and shut down ICMP echo processing on all 13 root DNS servers.

I advise clients to turn off ICMP echo response on all key devices within a company network and on the border of the Internet connection.

ICMP for Service Scanning

ICMP can be used to identify some services running on network systems as well.

If a UDP-based (User Datagram Protocol) communication is sent to a device that does not support the destination application, a “Destination Unreachable/Port Unreachable” ICMP message may be returned. The scanning system now knows that the application is not supported on the target.

For example, to determine whether DNS (Domain Name System) is supported on a target machine, a packet addressed to the DNS service (port 53) could be sent to the target. If the target sends back an ICMP Destination Unreachable/Port Unreachable message, we can figure that the target does not support DNS services. If any other response is received, we can conclude that the target does indeed support DNS services.

By scanning an entire network and listening to the ICMP responses, we can easily locate running services on a network. This technique is used by many scanning and multifunction tools such as Nmap, LANGuard, and NetScanTools.
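A defender-side illustration of the scan described above (added here; it is not code from Laura's original article): it decodes RFC 792 Destination Unreachable/Port Unreachable messages, pulls the probed host and UDP port out of the embedded IP and UDP headers, and flags any external address that has collected "port unreachable" answers for many distinct ports. The sample messages, the addresses and the threshold of 8 ports are constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); a message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_port_unreachable(icmp: bytes):
    """Return (probed_host, probed_udp_port) from a Type 3/Code 3 message, else None.
    The body carries the offending datagram's IP header plus its first 8 bytes (UDP header)."""
    if len(icmp) < 8 + 20 + 8 or rfc1071_checksum(icmp) != 0:
        return None
    if (icmp[0], icmp[1]) != (3, 3):                 # Destination Unreachable / Port Unreachable
        return None
    ihl = (icmp[8] & 0x0F) * 4                       # inner IPv4 header length
    if ihl < 20 or icmp[8 + 9] != 17 or len(icmp) < 8 + ihl + 8:   # protocol 17 = UDP
        return None
    probed_host = str(IPv4Address(icmp[8 + 16:8 + 20]))
    _sport, dport = struct.unpack("!HH", icmp[8 + ihl:8 + ihl + 4])
    return probed_host, dport

def detect_udp_scans(messages, threshold=8):
    """messages: (outer_dst_ip, icmp_bytes) pairs seen leaving the network. The outer
    destination of a Port Unreachable is whoever sent the probe; one that collects
    'unreachable' answers for many distinct ports is sweeping for services."""
    probes_by_source = defaultdict(set)
    for scanner, icmp in messages:
        parsed = parse_port_unreachable(icmp)
        if parsed:
            probes_by_source[scanner].add(parsed)
    return {s: sorted(p) for s, p in probes_by_source.items() if len(p) >= threshold}

def build_port_unreachable(target: str, scanner: str, dport: int) -> bytes:
    """Constructed sample: what `target` returns for a UDP probe from `scanner`."""
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     IPv4Address(scanner).packed, IPv4Address(target).packed)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp      # 4 unused bytes follow the checksum
    return body[:2] + struct.pack("!H", rfc1071_checksum(body)) + body[4:]
# Constructed sample: one external host probed ten UDP ports on 192.0.2.10; another
# sent a single DNS query that happened to hit a closed port.
SAMPLE = [("198.51.100.7", build_port_unreachable("192.0.2.10", "198.51.100.7", p))
          for p in (53, 69, 111, 123, 137, 161, 500, 514, 1900, 5060)]
SAMPLE.append(("203.0.113.5", build_port_unreachable("192.0.2.10", "203.0.113.5", 53)))
```

Note that a host which answers nothing at all tells the scanner only "open or filtered", which is why silencing Port Unreachable at the border blunts this technique.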

ICMP Redirection

ICMP can be used to redirect traffic that is routed on a network.

This can cause a disruption in communications or enable a sniffer to listen in on traffic that normally would not be routed in the sniffer’s direction.

Redirection is normally used when a client sends data to a router that does not offer the best path to the destination. The receiving router sends an ICMP redirect message to the client to point the sender to another router on the network. The information is cached on the client's station (readable through the ROUTE PRINT command) and used the next time the client wants to communicate with the original destination network.

ICMP for OS Fingerprinting

OS fingerprinting is the process of determining the operating system of a target.

Knowing this information is key when someone is planning an OS-specific attack. There are two types of OS fingerprinting techniques – passive and active. Passive fingerprinting tools do not send any traffic on the wire – they only listen and make decisions on the OS types based on what they hear.

Active OS fingerprinting tools, however, send a series of communications to the target. One of the key elements of active OS fingerprinting tools is ICMP. These active OS fingerprinting tools send a series of normal, malformed and unusual ICMP queries to a target and listen to the responses.

Figure 1: Notice the ICMP packet with an invalid code, the ICMP Get address, ICMP Get timestamp, and ICMP Get information packets used in a LANGuard OS fingerprinting operation.

Note: This trace is available online at http://www.packet-level.com/traceFiles.htm

The basic functionality of ICMP is documented in RFC (Request for Comments) 792, which can be found online at www.ietf.org. Reading this document can give you a basic overview of the different types of ICMP operations.
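To make the type/code material concrete, here is an added example (not from the article or from RFC 792 itself) that decodes the common ICMP header, checks each message against the types and codes RFC 792 defines (plus the RFC 950 address-mask pair), extracts the gateway from a Redirect as discussed in the ICMP Redirection section, and reports sources that send several distinct kinds of unusual or malformed ICMP, the pattern shown in Figure 1. The sample packets and addresses are constructed, and the three-indicator threshold is an assumption.

```python
import struct
from ipaddress import IPv4Address

# Types and the codes RFC 792 defines for them; type 3 codes were later extended to
# 0-15, and types 17/18 (address mask request/reply) come from RFC 950.
VALID_CODES = {0: {0}, 3: set(range(16)), 4: {0}, 5: {0, 1, 2, 3}, 8: {0}, 11: {0, 1},
               12: {0}, 13: {0}, 14: {0}, 15: {0}, 16: {0}, 17: {0}, 18: {0}}
# Request types ordinary hosts almost never send but active fingerprinters do (Figure 1).
PROBE_REQUESTS = {13: "timestamp_request", 15: "information_request",
                  17: "address_mask_request"}
SUSPICIOUS = {"unknown_type", "invalid_code", *PROBE_REQUESTS.values()}

def classify(icmp: bytes) -> dict:
    """Decode the common 8-byte ICMP header and label the message for a detector."""
    if len(icmp) < 8:
        return {"label": "truncated"}
    itype, code = icmp[0], icmp[1]
    out = {"type": itype, "code": code}
    if itype not in VALID_CODES:
        out["label"] = "unknown_type"
    elif code not in VALID_CODES[itype]:
        out["label"] = "invalid_code"
    elif itype in PROBE_REQUESTS:
        out["label"] = PROBE_REQUESTS[itype]
    elif itype == 5:                 # Redirect: bytes 4-7 name the gateway to switch to
        out["label"], out["gateway"] = "redirect", str(IPv4Address(icmp[4:8]))
    else:
        out["label"] = "echo_request" if itype == 8 else "normal"
    return out

def fingerprint_sources(packets, min_indicators=3):
    """packets: (src_ip, icmp_bytes) pairs. Report sources that sent at least
    min_indicators distinct kinds of unusual or malformed ICMP (a fingerprinting run)."""
    kinds = {}
    for src, icmp in packets:
        label = classify(icmp)["label"]
        if label in SUSPICIOUS:
            kinds.setdefault(src, set()).add(label)
    return {src: sorted(k) for src, k in kinds.items() if len(k) >= min_indicators}

def msg(itype: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample message; checksum left zero since only type/code matter here."""
    return struct.pack("!BBH", itype, code, 0) + rest
# Constructed sample traffic: one host replays the sequence from Figure 1, another pings.
SAMPLE = [("198.51.100.9", msg(8, 37)),                   # echo request, invalid code
          ("198.51.100.9", msg(17, 0)),                   # address mask request
          ("198.51.100.9", msg(13, 0, b"\x00" * 16)),     # timestamp request
          ("198.51.100.9", msg(15, 0)),                   # information request
          ("203.0.113.4", msg(8, 0, b"\x00" * 8))]        # ordinary ping
```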

Given the popularity of ICMP amongst the hacking community, I highly recommend that you get familiar with this useful (but often harmful) protocol.

Got other ideas for articles/documentation or training? Send email directly to Laura at lchappell@packet-level.com.

Laura Chappell
Sr. Protocol Analyst
Copyright 2000 Protocol Analysis Institute, L.L.C.

Laura Chappell is the Sr. Protocol Analyst for the Protocol Analysis Institute. Laura focuses on researching, writing and lecturing on network analysis and security. In 2003, over 60 of Laura's courses became available via internet/CD and a series of "White Hat Toolbox: Security Tools, Tricks and Traces" are being released at http://www.packet-level.com. Laura can be reached at lchappell@packet-level.com.
