Internet Control Message Protocol - PowerPoint PPT Presentation

1 / 51
About This Presentation
Title:

Internet Control Message Protocol

Description:

... at each hop) through the Internet between your computer and a specified destination computer. ... Most PING utilities send a series of several echo requests ... – PowerPoint PPT presentation

Number of Views:69
Avg rating:3.0/5.0
Slides: 52
Provided by: unt
Category:

less

Transcript and Presenter's Notes

Title: Internet Control Message Protocol


1
Internet Control Message Protocol
  • By
  • Venkata Naga Chaturvedula
  • Thomson Erelli
  • Kiran Nukalapati

2
About the Internet Control Message Protocol
  • The Internet Control Message Protocol (ICMP)
    protocol is classic example of a client server
    application.
  • The Internet Control Message Protocol (ICMP) is
    part of the Internet protocol suite and defined
    in RFC 792
  • The ICMP server executes on all IP end system
    computers and all IP intermediate systems (i.e
    routers).

3
About the Internet Control Message Protocol
  • The protocol is used to report problems with
    delivery of IP datagrams within an IP network.
  • It can be sued to show when a particular End
    system is not responding, when an IP network is
    not reachable, when a node is overloaded, when an
    error occurs in the IP header information, etc.
  • The protocol is also frequently used by Internet
    managers to verify correct operations of End
    Systems and to check that routers are correctly
    routing packets to the specified destinations.

4
About the Internet Control Message Protocol
  • The Internet Protocol (IP) is used for host-to-
  • host datagram service in a system of
  • interconnected networks called the Catenet.
  • The network connecting devices are called
  • Gateways.
  • These gateways communicate between
  • themselves for control purposes via a Gateway
    to
  • Gateway Protocol (GGP).

5
About the Internet Control Message Protocol
  • Occasionally a gateway or destination host will
    communicate with a source host, for example, to
    report an error in datagram processing.
  • ICMP, uses the basic support of IP as if it
    were a higher level protocol, however, ICMP is
    actually an integral part of IP, and must be
    implemented by every IP module.

6
Purpose of ICMP The Internet Control Message
Protocol is a protocol for the exchange of error
messages and other vital information between
(Physical) Internet entities such as hosts and
routers.
7
ICMP in the TCP/IP protocol suite
ICMP is a network layer protocol, often it is
placed next to the IP protocol.
ICMP Header
ICMP Data Area
IP Header
IP Data Area
Frame Header
Frame Area
8
ICMP in the TCP/IP protocol suite
  • ICMP lies just above IP, as ICMP messages are
  • carried inside IP Packets.
  • ICMP messages are carried as IP payload, just as
  • TCP/UDP segments are carried as IP payload
  • When a host receives an IP packet with ICMP
  • specified as the upper layer protocol, it de-
  • multiplexes the packet to ICMP, just as it
    would
  • demultiplex a packet to TCP/UDP.

9
  • ICMP functions
  • Announce network errors such as a host or
  • entire portion of the network being
    unreachable,
  • due to some type of failure. A TCP or UDP
    packet
  • directed at a port number with no receiver
  • attached is also reported via ICMP.
  • Announce network congestion When a
  • router begins buffering too many packets, due
    to
  • an inability to transmit them as fast as they
    are
  • being received, it will generate ICMP Source
  • Quench messages. Directed at the sender, these
  • messages should cause the rate of packet
  • transmission to be slowed.

10
ICMP functions
  • Assist Troubleshooting ICMP supports an Echo
    function, which just sends a packet on a
    round--trip between two hosts. Ping, a common
    network management tool, is based on this
    feature. Ping will transmit a series of packets,
    measuring average round--trip times and computing
    loss percentages.
  • Announce Timeouts If an IP packet's TTL field
    drops to zero, the router discarding the packet
    will often generate an ICMP packet announcing
    this fact. TraceRoute is a tool which maps
    network routes by sending packets with small TTL
    values and watching the ICMP timeout
    announcements.

11
ICMP Applications
  • There are two simple and widely used applications
    which are based on ICMP
  • Ping
  • Traceroute.

12
ICMP Applications
  • PING The ping utility checks whether a host is
    alive reachable or not. This is done by sending
    an ICMP Echo Request packet to the host, and
    waiting for an ICMP Echo Reply from the host.
  • TRACE ROUTE Traceroute is a utility that
    records the route (the specific gateway computers
    at each hop) through the Internet between your
    computer and a specified destination computer. It
    also calculates and displays the amount of time
    each hop took.

13
ICMP Operation
14
ICMP datagram structure The ICMP datagram, being
an IP datagram, contains the usual IP header.
This is followed by an ICMP header which varies
slightly between the different types of ICMP
message. The general format is shown below
                                                  
                                                  
                                                  
                                 

15
ICMP Message Types
16
More about Message Types
  • The DESTINATION UNREACHABLE message is used when
    the subnet or a router cannot locate the
    destination.
  • The TIME EXCEEDED message is sent when a packet
    is dropped because its counter has reached zero.
    This event is symptom that packets are looping,
    that there is enormous congestion, or that the
    timer values are being set too low.
  • The PARAMETER PROBLEM message indicates that an
    illegal value has been detected in a header
    field. This problem indicates a bug in the
    sending hosts IP software or possibly in the
    software of a router transited.
  • The SOURCE QUENCH message was formerly used to
    throttle hosts that were sending too many
    packets. When a host received this message, it
    was expected to slow down. It is rarely used any
    more when congestion occurs.

17
More about Message Types
  • The REDIRECT MESSAGE is used when a router
    notices that a packet seems to be routed wrong.
    It is used by the router to tell the sending host
    about the probable error.
  • The ECHO and ECHO REPLY messages are used to see
    if a given destination is reachable and alive.
    Upon receiving the ECHO message, the destination
    is expected to send an ECHO REPLY message back.
  • The TIMESTAMP REQUEST and TIMESTAMP REPLY
    messages are similar, except that the arrival
    time of the message and the departure time of the
    reply are recorded in the reply. This facility is
    used to measure network performance.

18
Code The exact meaning of the value contained
within this field depends on the message Type.
For example, with an ICMP Type 3 message
("Destination unreachable"), a Code value of 0
means "Network unreachable", which implies a
router failure. A Code of 1 means "Host
unreachable". Checksum The checksum field
provides error detection for the ICMP header only
and is calculated in the same way as the IP
header checksum. Parameters The usage of this
field depends on the type of message. For
example, Type 3 messages do not use this field,
while Type 0 and 8 messages use the field to
store an identifier and sequence
number. Data Typically, the data is the IP
header and first 64 bits of the original
datagram, i.e. the one that failed and prompted
the ICMP message. Including the first 64 bits of
the original datagram allows the ICMP message to
be matched to the datagram that caused it.
19
Destination Unreachable Codes
20
Redirect Codes
Time Exceeded Codes Parameter
Problem Codes
21
Testing and Troubleshooting Sequences for ICMP
  • ICMPs most common uses are testing and
    troubleshooting.
  • Two of the most well-known utilities, PING and
    TRACEROUTE, rely on ICMP to perform connectivity
    tests and path discovery.

22
Connectivity Testing with PING
  • The PING utility is actually an ICMP Echo
    process.
  • An ICMP Echo Request packet consists of an
    Ethernet header, IP header, ICMP header, and some
    undefined data.
  • This packet is sent to the target host, which
    echoes back that data, as shown in Figure 4-1.
  • The ICMP echo request is a connectionless process
    with no guarantee of delivery.

23
Connectivity Testing with PING (Contd.)
  • Most PING utilities send a series of several echo
    requests to the target in order to obtain an
    average response time.
  • These response times are displayed in
    milliseconds.
  • These times should be considered a snapshot of
    the current round-trip time.
  • The PING utility included with Windows 2000 sends
    a series of four ICMP echo requests with a
    one-second ICMP Echo Reply Timeout value

24
PING Utility Uses ICMP Echo Requests and Replies
25
Event Flow Diagram
26
  • The echo requests consist of 32 bytes of data
    (an alphabetical pattern)
  • in a fragmentable IP packet

Ping Utility provides feedback on success and
round-trip times
The command-line parameters used with PING can
affect the appearance and functionality of ICMP
Echo packets.
27
Path Discovery with TRACEROUTE
  • The TRACEROUTE utility identifies a path from
    the sender to the target host using ICMP echo
    requests and some manipulation of the TTL value
    in the IP header.
  • Traceroute starts by sending a UDP datagram to
    the destination host with the TTL field set to 1.
    If a router finds a TTL value of 1 or 0, it drops
    the datagram and sends back an ICMP Time-Exceeded
    message to the sender.
  • Traceroute determines the address of the first
    hop by examining the source address field of the
    ICMP Time-Exceeded message.

28
Path Discovery with TRACEROUTE (Contd.)
  • To identify the next hop, traceroute sends a UDP
    packet with a TTL value of 2. The first router
    decrements the TTL field by 1 and sends the
    datagram to the next router. The second router
    sees a TTL value of 1, discards the datagram, and
    returns the Time-Exceeded message to the source.
    This process continues until the TTL is
    incremented to a value large enough for the
    datagram to reach the destination host or until
    the maximum TTL is reached.
  • To determine when a datagram reaches its
    destination, traceroute sets the UDP destination
    port in the datagram to a very large value that
    the destination host is unlikely to be using.
    When a host receives a datagram with an
    unrecognized port number, it sends an ICMP Port
    Unreachable error message to the source. The Port
    Unreachable error message indicates to traceroute
    that the destination has been reached.

29
Event Flow Diagram
30
Vulnerabilities
31
Vulnerability Note VU221164
Overview A vulnerability in some Cisco Virtual
Private Network (VPN) products could allow a
remote attacker to cause a denial of service.
Impact A denial-of-service condition can result
from degraded performance or unexpected rebooting
of the affected device Solution Cisco Systems
Inc. has released software patches and workaround
information for this vulnerability. Systems
Affected Vendor
Status Date Updated Cisco Systems
Inc. Vulnerable
May-8-2003 Credit Thanks to Cisco Systems
Product Security Incident Response Team for
reporting this vulnerability.
32
Vulnerability Note VU918920
  • Overview
  • A vulnerability exists in multiple control cards
    used by Cisco ONS devices. This vulnerability
    could allow a remote attacker to cause a
    denial-of-service condition.
  • Vulnerable
  • Cisco ONS 15327 Edge Optical Transport Platform
    releases
  • 4.6(0) and 4.6(1)
  • 4.1(0) to 4.1(3)
  • Not vulnreable
  • Cisco ONS 15600 Multiservice Switching Platform
  • Impact
  • A remote, unauthenticated attacker could cause
    control cards to reset on an affected optical
    device. Repeated exploitation of this
    vulnerability could result in a denial of
    service.
  • Solution
  • They have upgraded and released the newer
    versions.

33
Vulnerability Note VU471084
Overview The Linux 2.0 kernel contains a
vulnerability in the way it processes ICMP
errors. This could lead to portions of memory
being leaked to a malicious user.
Description The Linux 2.0 kernel (versions 2.0
through 2.0.39 inclusive) contains an error in
the calculation of the size for an ICMP citation.
A citation is created for ICMP error responses.
This miscalculation may lead to random data
stored in memory being returned in the response.
Impact Sensitive information may be leaked to
an attacker. Solution Upgrade or apply a patch
as necessary Credit Thanks to Philippe Biondi
of Cartel Security for reporting this
vulnerability.
34
Problem issues
35
Problems
  • ICMP redirect messages can be used to trick
    routers and hosts acting as routers into using
    false'' routes these false routes would aid in
    directing traffic to an attacker's system instead
    of a legitimate trusted system.
  • This could in turn lead to an attacker gaining
    access to systems that normally would not permit
    connections to the attacker's system or network.
  • Older versions of UNIX could drop all connections
    between two hosts even if only one connection was
    experiencing network problems.

36
Extensions
37
Extensions
  • In order to support IP-in-IP tunneling, extends
    the final field of selected ICMP messages to
    include a greater portion of the original
    datagram.
  • An additional object is provided through which
    octets 129 and beyond can be appended to the ICMP
    message.

38
Extensions
  • As few datagrams contain L3 or L4 header
    information beyond octet 128, it is unlikely that
    the extensions described herein will disable any
    applications that rely upon ICMP messages.

39
Security Issues
40
Security Issues with ICMP
  • You can use ICMP as part of a reconnaissance
    process to learn about active network addresses
    and active processes
  • These reconnaissance processes often precede a
    network break-in
  • When hackers decide to infiltrate a network, they
    typically start with a list of the IP hosts on
    the network (unless the target is a single known
    system)

41
Security Issues for ICMP
  • An IP host probe process is one method of
    obtaining a list of the active hosts on a network
  • The next step in the hack is a port probe
  • Once hackers know the addresses of the active
    devices on the network, they can target their
    next reconnaissance process, the port probe, to
    those devices
  • Because many systems do not reply to pings sent
    to the broadcast address, typical IP host probes
    are sent unicast to each possible address

42
Security Issues
  • ICMP messages must use an established SAID. From
    a destination host, this means an SAID must exist
    or be established on the fly even when an
    unprotected IP message is source of the ICMP
    message.
  • Certain ICMP messages can legitimately arrive
    from any gateway along the route taken by an IP
    message from source to destination host. To
    protect the ICMP message, the source host must
    have an SAID withthat gateway. Potentially, this
    means a source host must have an SAID with
    every gateway through which its IP packets may
    pass.

43
Security Issues
  • very serious attacks with ICMP and against
    routing protocols
  • Solutions exists but are not applied!
  • strict traffic filtering against IP source
    address spoofing (RFC 2267)
  • education of the network managers
  • cryptography key management protocols not
    generally adopted standard Public Key
    Infrastructure (PKI) not yet agreed upon

44
Summary
45
Summary
  • ICMP provides vital feedback about IP routing and
    delivery problems
  • Although ICMP messages fall within various
    well-documented types, and behave as a separate
    protocol at the TCP/IP Network layer, ICMP is
    really part and parcel of IP itself, and its
    support is required in any standards-compliant IP
    implementation

46
Summary
  • Two vital TCP/IP diagnostic utilities, known as
    PING and TRACEROUTE (invoked as TRACERT in the
    Windows environment), use ICMP to measure
    round-trip times between a sending and receiving
    host, and to perform path discovery for a sending
    host and all intermediate hosts or routers
    between sender and receiver
  • ICMP also supports Path MTU (PMTU) Discovery
    between a sender and a receiver, which helps to
    optimize performance of data delivery between
    pairs or hosts by avoiding fragmentation en route

47
Summary
  • Route and routing error information from ICMP
    derives from numerous types of ICMP messages
  • ICMP also supports route optimization through its
    ICMP Redirect message type, but this capability
    is normally restricted only to trusted sources of
    information because of potential security
    problems that uncontrolled acceptance of such
    messages can cause

48
Conclusion
49
Conclusion
  • Although ICMP has great positive value as a
    diagnostic and reporting tool, those same
    capabilities can be turned to nefarious purposes
    as well, which makes security issues for ICMP
    important.
  • Understanding the meaning and significance of the
    ICMP Type and Code fields are essential to
    recognizing individual ICMP messages and what
    they are trying to communicate.

50
Questions
1.Why Source Quench message is rarely used? Sol
When Congestion occurs, sending these packets
increases the congestion. 2.When are ICMP
Messages generated? Sol ICMP messages are
typically generated in response to errors in IP
Datagrams or for diagnostic or routing purposes.
3.What is the drawback of using the ping
command? Sol The ping command will send an
ECHO_REQUEST datagram to a host or network
interface. On reception, the packet is returned
with an ECHO_RESPONSE datagram. While this test
does not verify that your server is operating
correctly, it does verify that the networking
portion of it is reachable.
51
References
  • http//www.faqs.org (RFC 792)
  • http//www.ietf.org
  • http//www.iss.net
  • http//www.eventhelix.com
  • Books
  • Steven M. Bellovin. Security Problems in the
    TCP/IP Protocol Suite. Computer Communications
    Review
  • Andrew S Tanenbaum, Computer Networks.
Write a Comment
User Comments (0)
About PowerShow.com