Dan Lo Department of Computer Science and Software Engineering Southern Polytechnic State University
Why ICMP?
UDP and TCP are not designed to report errors.
ICMP provides a simple way to report errors between hosts, and between routers and hosts.
Layer 2 Protocol
ICMP is encapsulated in IP.
It does not have ports.
The receiving host may not respond to the sender.
No guarantee of delivery.
ICMP Packet
4-byte header (type, code, and header checksum) followed by a message.
Layout: Type | Code | ICMP Checksum | Data
Messages
A host may send a source quench message to notify a sender to throttle down its delivery rate.
A router may send ICMP to inform a sender of some problem.
A router may respond with an ICMP unreachable message if a destination host cannot respond.
ICMP sent by routers may be used for reconnaissance purposes!
Mapping Techniques
Explore live hosts to find attack targets.
RingZero trojan scans TCP ports 3128, 80, and 8080, including on inactive hosts > not very efficient.
ICMP echo request
TCP ACK scan (a live host responds with RST)
Tireless Mapper
Scanner sends ICMP echo requests to each possible address in a subnet:
scanner.net > 192.168.117.233: icmp: echo request
scanner.net > 192.168.117.13: icmp: echo request
scanner.net > 192.168.117.23: icmp: echo request
scanner.net > 192.168.117.216: icmp: echo request
An IDS will not issue an alert for an individual echo request.
An IDS can instead examine more generic scan activity: a single source hitting multiple destinations within a period.
Efficient Mapper
Send an ICMP echo request to the broadcast address: 192.168.1.255, or 192.168.1.0 (BSD implementation).
All live hosts in the subnet should respond.
scanner.net > 192.168.1.255: icmp: echo request
scanner.net > 192.168.1.0: icmp: echo request
scanner.net > 192.168.2.255: icmp: echo request
scanner.net > 192.168.2.0: icmp: echo request
Clever Mapper
What if a class C subnet is further divided into smaller networks?
Send an ICMP echo request to each of their broadcast addresses:
scanner.net > 192.168.44.0: icmp: echo request
scanner.net > 192.168.44.255: icmp: echo request
scanner.net > 192.168.44.63: icmp: echo request
scanner.net > 192.168.44.64: icmp: echo request
scanner.net > 192.168.44.127: icmp: echo request
scanner.net > 192.168.44.128: icmp: echo request
scanner.net > 192.168.44.191: icmp: echo request
scanner.net > 192.168.44.192: icmp: echo request
The 192.168.44 subnet is divided into 4 smaller networks, each containing 64 addresses.
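The detection idea on the three mapper slides above (one source sweeping many destinations within a period, and echo requests aimed at the network or broadcast addresses of a /24 or its sub-blocks) can be checked directly against tcpdump-style output. The following Python is an added example, not from the original slides: it parses constructed lines in the format shown above (the timestamps are an assumption; the slides omit them), flags a source that reaches a threshold of distinct destinations inside a time window, and flags echo requests whose destination is the network or broadcast address of any aligned /24 to /26 block. All function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump style of the slides. The timestamps are an
# assumption (tcpdump prints them by default; the slides omit them).
SAMPLE_LINES = """\
10:00:01.000 scanner.net > 192.168.117.233: icmp: echo request
10:00:01.050 scanner.net > 192.168.117.13: icmp: echo request
10:00:01.100 scanner.net > 192.168.117.23: icmp: echo request
10:00:01.150 scanner.net > 192.168.117.216: icmp: echo request
10:00:02.000 scanner.net > 192.168.44.0: icmp: echo request
10:00:02.100 scanner.net > 192.168.44.63: icmp: echo request
10:00:02.200 scanner.net > 192.168.44.255: icmp: echo request
10:00:05.000 desktop.example > 192.168.44.10: icmp: echo request
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+icmp:\s+(?P<msg>.+)$"
)


def parse_line(line):
    """Return (seconds_since_midnight, src, dst, message) or None for lines that are not ICMP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hours, minutes, seconds = m["ts"].split(":")
    ts = int(hours) * 3600 + int(minutes) * 60 + float(seconds)
    return ts, m["src"], m["dst"], m["msg"]


def is_directed_broadcast(dst, max_prefix=26):
    """True if dst's last octet is the network or broadcast address of a /24 .. /max_prefix
    block aligned inside its /24 (the addresses the efficient and clever mappers probe).
    Deeper prefixes match more ordinary hosts (every 4th address for a /30), so keep
    max_prefix modest and tune it to how your address space is really subnetted."""
    octets = dst.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False  # host names cannot be checked without resolving them
    last = int(octets[3])
    for prefix in range(24, max_prefix + 1):
        block = 1 << (32 - prefix)  # 256, 128, 64, ...
        if last % block in (0, block - 1):
            return True
    return False


def detect_sweeps(lines, window=2.0, threshold=4):
    """Map each source to the largest number of distinct echo-request destinations it
    hit within any `window`-second span, keeping only sources at or above `threshold`."""
    requests = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == "echo request":
            ts, src, dst, _ = parsed
            requests[src].append((ts, dst))
    alerts = {}
    for src, events in requests.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            distinct = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            alerts[src] = best
    return alerts


def detect_broadcast_probes(lines, max_prefix=26):
    """(src, dst) pairs for echo requests aimed at network or broadcast addresses."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == "echo request" and is_directed_broadcast(parsed[2], max_prefix):
            hits.append((parsed[1], parsed[2]))
    return hits


if __name__ == "__main__":
    print("sweeps:", detect_sweeps(SAMPLE_LINES))
    print("broadcast probes:", detect_broadcast_probes(SAMPLE_LINES))
```

The sweep detector is the "single source to multiple destinations within a period" rule from the Tireless Mapper slide; the broadcast check catches the Efficient and Clever Mapper probes even when only one packet per block is sent, which the sweep threshold alone would miss.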
Cerebral Mapper
Use an ICMP address mask request to reconnoiter the host address range in a subnet:
scanner.net > router.com: icmp: address mask request (DF)
router.com > scanner.net: icmp: address mask is 0xffffff00 (DF)
Normal ICMP Traffic
Host Unreachable
Port Unreachable
Admin Prohibited
Need to Frag
Time Exceeded In Transit
Embedded Information in ICMP Error Messages
Host Unreachable
An attempt to send traffic to a target host that is down for some reason:
router > sending.host: icmp: host target.host unreachable
Port Unreachable
The target host tells the sending host that it is not listening on a port. In the following, the target is not listening on the ntp port (UDP network time protocol port):
Target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)
Admin Prohibited
The router has an access control list and responds to the sender with an ICMP admin prohibited message:
router > sending.host: icmp: host target.host unreachable admin prohibited
Need to Frag
The DF flag is set on an IP packet that needs to be fragmented:
router > sending.host: icmp: target.host unreachable need to frag (mtu 1500)
Time Exceeded In Transit
Packet dropped because its TTL reached zero:
router > sending.host: icmp: time exceeded in-transit
Embedded Information in ICMP Error Messages
In case of an error, ICMP includes 28 bytes of the offending IP datagram: its IP header plus the first 8 bytes of its payload.
This extra information is used by nmap to classify the sender's operating system.
Layout: Type | Code | Checksum | Message: IP header + 8 bytes of payload (28 bytes in total)
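As an added example (not from the slides), the following Python builds a constructed "udp port ntp unreachable" message in the RFC 792 layout (4-byte header, 4 unused bytes, then the quoted IP header plus the first 8 payload bytes) and parses it back, verifying the ICMP checksum and recovering the original source, destination, protocol and UDP ports from the embedded 28 bytes. It also compares the quoted header with the datagram that was actually sent, which is the kind of discrepancy nmap's OS classification keys on. The addresses, ports, identifiers and helper names are all constructed for illustration.

```python
import socket
import struct

# (type, code) pairs this parser recognises (RFC 792; admin prohibited from RFC 1812)
ERROR_NAMES = {
    (3, 0): "net unreachable", (3, 1): "host unreachable", (3, 3): "port unreachable",
    (3, 4): "fragmentation needed and DF set", (3, 13): "admin prohibited",
    (11, 0): "time exceeded in transit", (11, 1): "reassembly time exceeded",
}


def inet_checksum(data):
    """RFC 1071 ones-complement sum of 16-bit words; used by both the IP and ICMP headers."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ip_header(src, dst, proto, payload_len, ident=0x1234, ttl=64, df=True):
    """Constructed 20-byte IPv4 header (no options) for the offending datagram."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_error(icmp_type, code, offending_datagram):
    """ICMP error per RFC 792: type, code, checksum, 4 unused bytes, then the offending
    datagram's IP header plus its first 8 payload bytes (28 bytes when there are no options)."""
    ihl = (offending_datagram[0] & 0x0F) * 4
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending_datagram[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def checksum_ok(msg):
    """A valid message sums to zero when the checksum field itself is included."""
    return inet_checksum(msg) == 0


def parse_icmp_error(msg):
    """Decode an ICMP error message and the embedded header of the datagram that caused it."""
    msg = bytes(msg)
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short to carry an IP header plus 8 payload bytes")
    if not checksum_ok(msg):
        raise ValueError("bad ICMP checksum")
    icmp_type, code = msg[0], msg[1]
    if (icmp_type, code) not in ERROR_NAMES:
        raise ValueError("not a recognised ICMP error type/code: %d/%d" % (icmp_type, code))
    ihl = (msg[8] & 0x0F) * 4  # the quoted header may carry options, so honour its IHL
    if len(msg) < 8 + ihl + 8:
        raise ValueError("embedded datagram truncated")
    ip_hdr, payload8 = msg[8:8 + ihl], msg[8 + ihl:8 + ihl + 8]
    _, _, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip_hdr[:20])
    info = {
        "type": icmp_type, "code": code, "name": ERROR_NAMES[(icmp_type, code)],
        "orig_src": socket.inet_ntoa(src), "orig_dst": socket.inet_ntoa(dst),
        "orig_proto": proto, "orig_ttl": ttl, "orig_id": ident, "orig_len": total_len,
        "orig_df": bool(flags_frag & 0x4000),
    }
    if proto in (6, 17):  # TCP and UDP both begin with source and destination ports
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", payload8[:4])
    return info


def quoted_fields_altered(original_datagram, msg):
    """Names of quoted fields that differ from what was actually sent. Some stacks rewrite
    the quoted IP ID, total length or checksum, which is one signal nmap uses for OS
    classification (the quoted TTL typically differs by the hop count, so it is not compared)."""
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted, orig = bytes(msg)[8:8 + ihl + 8], bytes(original_datagram)[:ihl + 8]
    fields = [("total_length", 2, 4), ("ip_id", 4, 6), ("ip_checksum", 10, 12),
              ("l4_header", ihl, ihl + 8)]
    return [name for name, a, b in fields if quoted[a:b] != orig[a:b]]


# Constructed example: a UDP probe from 10.0.0.5:40000 to the NTP port (123) of 10.0.0.9,
# answered with the "udp port ntp unreachable" message shown on the Port Unreachable slide.
ORIG_UDP = struct.pack("!HHHH", 40000, 123, 12, 0) + b"\x00" * 4  # 8-byte header + 4 data bytes
ORIG_DATAGRAM = build_ip_header("10.0.0.5", "10.0.0.9", 17, len(ORIG_UDP)) + ORIG_UDP
PORT_UNREACHABLE = build_icmp_error(3, 3, ORIG_DATAGRAM)

if __name__ == "__main__":
    print(parse_icmp_error(PORT_UNREACHABLE))
    print("altered quoted fields:", quoted_fields_altered(ORIG_DATAGRAM, PORT_UNREACHABLE))
```

The same parser is what a stateful firewall or IDS needs in order to tie an inbound error message back to the flow that triggered it: if the quoted source, destination and ports match nothing the site sent, the message is unsolicited and can be treated with suspicion.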
Malicious ICMP Traffic
Port/host scan
DoS/DDoS
Covert channels
Smurf Attack
1. ICMP echo request to broadcast addresses with the victim's IP address as the source
2. The router allows in ICMP echo requests to broadcast addresses
3. All live hosts respond with an ICMP echo reply to the victim
Tribe Flood Network
A TFN attack enlists the help of many distributed hosts (daemons or zombies) to flood a victim.
Figure: TFN master > TFN daemon hosts > flood the victim with ICMP echo replies
WinFreeze
Causes a susceptible Windows host to attack itself (self-mutilation).
In the following the victim will apply all the changes to its routing table!
router > victim.com: redirect 149.161.239.104 to host victim.com
router > victim.com: redirect 48.161.239.104 to host victim.com
router > victim.com: redirect 149.1.239.104 to host victim.com
router > victim.com: redirect 149.161.23.104 to host victim.com
router > victim.com: redirect 149.161.239.10 to host victim.com
router > victim.com: redirect 149.1.239.104 to host victim.com
router > victim.com: redirect 19.161.239.104 to host victim.com
Loki
Uses ICMP as a tunneling protocol for a covert channel.
Client/server architecture.
A compromised host running the Loki server will respond to Loki clients with server information such as /etc/passwd.
Unsolicited ICMP Echo Replies
IP spoofing
TFN
Loki
ICMP Messages
From hosts:
Protocol unreachable
Port unreachable
IP reassembly time exceeded
Parameter problem
Echo reply
Timestamp reply
Address mask reply
From routers:
Fragmentation needed but don't fragment bit set
Admin prohibited
Time exceeded in transit
Host unreachable
ICMP Messages
Admin prohibited: can assist in examining what type of traffic the site blocks
Address mask reply: reveals the subnet mask of the network on which the responding host resides
Time exceeded in transit: used in traceroute to discover routers and network topology
Protocol unreachable: can be used to inversely map a host's listening protocols
Port unreachable: can be used to inversely map a live host's listening UDP ports
Fragmentation needed but don't fragment bit set: can be used to determine the MTU of links for use in attacks that use fragments
To Block or Not to Block Unrequited ICMP Echo Requests
Blocking inbound echo requests: Loki and TFN used echo replies!
Windows tracert not working: inbound ICMP time exceeded in transit is used by tracert. UNIX traceroute uses UDP. Fine!
Inefficiency: blocking all inbound ICMP traffic may cause a sending host to keep trying until it times out if the receiver is unreachable.
Broken Path MTU Discovery: a sending host may need to find out the path MTU. Blocking inbound ICMP traffic means packets larger than the MTU sent with DF set will be dropped silently!
Bottom line: make sure to allow host unreachable and need to frag ICMP inbound traffic to your network!
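An added example (not from the slides) of the policy the Unsolicited ICMP Echo Replies slide and this last slide together argue for, written in Python as a small stateful ingress filter: it lets in the error messages the bottom line requires (host unreachable, need to frag), drops inbound echo requests, and admits an echo reply only when it answers an echo request that was seen leaving, so the unsolicited replies that IP spoofing, TFN and Loki depend on are logged and dropped. The extra allow-list entry for time exceeded, the five-second reply timeout and the class name are assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
import time

# ICMP types and codes (RFC 792; admin prohibited code 13 from RFC 1812)
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
HOST_UNREACHABLE, PORT_UNREACHABLE, FRAG_NEEDED, ADMIN_PROHIBITED = 1, 3, 4, 13

# Assumed allow list: the slide's bottom line (host unreachable, need to frag) plus
# time exceeded so traceroute replies to hosts inside still get through.
DEFAULT_ALLOWED_ERRORS = {
    (DEST_UNREACHABLE, HOST_UNREACHABLE),
    (DEST_UNREACHABLE, FRAG_NEEDED),
    (TIME_EXCEEDED, 0),
}


class IcmpIngressPolicy:
    """Decides whether an ICMP message arriving from outside is allowed in.

    Echo replies are only admitted when they answer an echo request that was seen
    leaving (matched on peer, identifier and sequence number, within a timeout);
    anything else is an unsolicited reply of the kind TFN and Loki rely on, and is
    logged and dropped. Inbound echo requests are dropped outright, while the error
    messages needed for reachability and path MTU discovery stay open."""

    def __init__(self, allowed_errors=DEFAULT_ALLOWED_ERRORS, reply_timeout=5.0):
        self.allowed_errors = set(allowed_errors)
        self.reply_timeout = reply_timeout
        self.pending = {}  # (peer, ident, seq) -> time the request left
        self.log = []

    def outbound(self, dst, icmp_type, ident=None, seq=None, now=None):
        """Record outgoing echo requests so their replies can be matched later."""
        if icmp_type == ECHO_REQUEST:
            self.pending[(dst, ident, seq)] = time.time() if now is None else now

    def _expire(self, now):
        stale = [k for k, t in self.pending.items() if now - t > self.reply_timeout]
        for k in stale:
            del self.pending[k]

    def inbound(self, src, icmp_type, code=0, ident=None, seq=None, now=None):
        """Return 'allow' or 'drop' for an inbound ICMP message from src."""
        now = time.time() if now is None else now
        self._expire(now)
        if (icmp_type, code) in self.allowed_errors:
            return "allow"
        if icmp_type == ECHO_REPLY:
            key = (src, ident, seq)
            if self.pending.pop(key, None) is not None:
                return "allow"  # one reply per request; a second copy is unsolicited
            self.log.append("unsolicited echo reply from %s id=%s seq=%s" % (src, ident, seq))
            return "drop"
        if icmp_type == ECHO_REQUEST:
            self.log.append("inbound echo request from %s dropped" % src)
            return "drop"
        return "drop"  # default deny for everything else (port unreachable, admin prohibited, ...)


def demo():
    """Walk through the cases on the slides with constructed addresses (RFC 5737 ranges)."""
    policy = IcmpIngressPolicy()
    policy.outbound("192.0.2.10", ECHO_REQUEST, ident=0x1A2B, seq=1, now=0.0)
    decisions = [
        policy.inbound("192.0.2.10", ECHO_REPLY, ident=0x1A2B, seq=1, now=0.5),      # solicited
        policy.inbound("192.0.2.10", ECHO_REPLY, ident=0x1A2B, seq=1, now=0.6),      # duplicate
        policy.inbound("198.51.100.7", ECHO_REPLY, ident=5, seq=9, now=1.0),          # TFN/Loki style
        policy.inbound("203.0.113.1", DEST_UNREACHABLE, code=FRAG_NEEDED, now=1.0),  # PMTU discovery
        policy.inbound("203.0.113.1", ECHO_REQUEST, now=1.0),                         # blocked request
    ]
    policy.outbound("192.0.2.10", ECHO_REQUEST, ident=7, seq=2, now=10.0)
    decisions.append(policy.inbound("192.0.2.10", ECHO_REPLY, ident=7, seq=2, now=20.0))  # too late
    return decisions, policy.log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

A production firewall would additionally check that the datagram quoted inside each admitted error message belongs to an existing flow, and would rate-limit even the allowed types; this block only shows the state needed to tell a solicited echo reply from an unsolicited one and to keep the bottom-line error messages open.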