May 24, 2012

1.4.12 ICMP

ICMP

Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It provides maintenance and reporting functions. It is chiefly used by IP end systems and all IP intermediate systems (i.e. routers) to send error messages indicating problems with the delivery of IP datagrams within an IP network. It can be used to show when a particular end system is not responding, when an IP network is not reachable, when a node is overloaded, when an error occurs in the IP header information, etc.

The Internet Protocol is not designed to be absolutely reliable. The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable. The higher level protocols that use IP must implement their own reliability procedures if reliable communication is required.
ICMP is defined in RFC 792. It is assigned protocol number 1.

ICMP provides error reporting, flow control and first-hop gateway redirection.
The ping program contains a client interface to ICMP. It may be used by a user to verify that an end-to-end Internet path is operational. The ping program also collects performance statistics (i.e. the measured round-trip time and the number of times the remote server fails to reply).

The traceroute (or tracert) program contains a client interface to ICMP. Like the ping program, it may be used by a user to verify that an end-to-end Internet path is operational, but it also provides information on each of the intermediate systems (i.e. IP routers) found along the IP path from the sender to the receiver.
Some routers are configured to discard ICMP messages, while others process them but do not return ICMP error messages.

ICMP is one of the favorite protocols used for DoS attacks. Many businesses have disabled ICMP through the router to prevent these types of situations from occurring.

A smurf attack is one in which large volumes of ICMP echo requests (pings) are broadcast to all other machines on the network and in which the source address of the broadcast system has been spoofed to appear as though it came from the target computer. When all the machines that received the broadcast respond, they flood the target with more data than it can handle.

ICMP is used for destination and error reporting functions in TCP/IP. ICMP is routable and is used by programs such as ping and traceroute.

The “ping of death” is a large ICMP packet sent to overflow the remote host's buffer. A ping of death crashes a system by sending ICMP packets that are larger than the system can handle.

The countermeasure for ICMP attacks is to deny ICMP traffic through your network. You can disable ICMP traffic in most routers, and you should consider doing so in your network.
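As an added example (not code from this post or its references), here is a small Python model of the RFC 792 echo message and a screening pass that applies the post's smurf and ping-of-death descriptions to constructed traffic records; the record layout, the addresses and the 20-byte IP header assumption are mine.

```python
import struct

ECHO_REQUEST, IP_HDR_LEN, MAX_IP_DATAGRAM = 8, 20, 65535  # RFC 792 type; no IP options assumed; RFC 791 limit

def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident, seq, payload=b"", msg_type=ECHO_REQUEST):
    """Echo message: type, code 0, checksum, identifier, sequence number, data."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def parse_icmp(packet):
    """Decode the 8-byte header; a valid message sums to zero with its checksum included."""
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(packet) == 0, "payload": packet[8:]}

def screen(records, broadcast_addrs):
    """Flag the ICMP abuses the post describes. A record holds what a monitor sees:
    src, dst, frag_offset (8-byte units), frag_len (data bytes), icmp (first fragment only)."""
    alerts = []
    for r in records:
        # Reassembled size beyond 65535 bytes is the "ping of death" condition
        if IP_HDR_LEN + r["frag_offset"] * 8 + r["frag_len"] > MAX_IP_DATAGRAM:
            alerts.append(("oversized-icmp", r["src"], r["dst"]))
        if r.get("icmp"):
            msg = parse_icmp(r["icmp"])
            # Echo request aimed at a directed-broadcast address is the smurf amplification step
            if msg["type"] == ECHO_REQUEST and r["dst"] in broadcast_addrs:
                alerts.append(("broadcast-echo", r["src"], r["dst"]))
            if not msg["checksum_ok"]:
                alerts.append(("bad-checksum", r["src"], r["dst"]))
    return alerts

# Constructed sample traffic (not real captures); 10.0.0.99 plays the spoofed victim
PING = build_echo(1, 1, b"abcdefgh")
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "frag_offset": 0, "frag_len": 16, "icmp": PING},
    {"src": "10.0.0.99", "dst": "10.0.0.255", "frag_offset": 0, "frag_len": 16, "icmp": PING},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "frag_offset": 8180, "frag_len": 120},
    {"src": "10.0.0.8", "dst": "10.0.0.9", "frag_offset": 0, "frag_len": 16,
     "icmp": PING[:3] + b"\x00" + PING[4:]},
]
```

Screening like this singles out the abusive cases, whereas a blanket ICMP block also drops the Destination Unreachable messages that Path MTU discovery depends on.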

References:
  • http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
  • http://www.networksorcery.com/enp/protocol/icmp.htm
  • http://www.erg.abdn.ac.uk/~gorry/eg3567/inet-pages/icmp.html
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml
