ICMP (Internet Control Message Protocol) w.lilakiatsakun

Upload: ellen-hines

Post on 03-Jan-2016


Page 1: ICMP (Internet Control Message Protocol)

w.lilakiatsakun

Page 2: Overview (1)

RFC 792. ICMP is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.

ICMP errors are directed to the source IP address of the originating packet. For example, when the TTL is 0, the packet is discarded and an ICMP "Time to live exceeded in transit" message is sent to the datagram's source address.

Page 3: Overview (2)

Many commonly used network utilities are based on ICMP messages.

The traceroute command can be implemented by transmitting IP datagrams with specially set IP TTL header fields, and looking for the ICMP "Time to live exceeded in transit" (above) and "Destination unreachable" messages generated in response.

The related ping utility is implemented using the ICMP "Echo request" and "Echo reply" messages.

Page 4: ICMP Format

Page 5: ICMP Header (1)

Type: ICMP type, see Control messages.

Code: ICMP subtype, see Control messages.

Checksum: Error-checking data, calculated from the ICMP header and data, with the value 0 substituted for this field. The Internet Checksum is used, specified in RFC 1071.

ICMP data: The ICMP data varies based on the ICMP type and code.

Page 6: ICMP Header (2)

ICMP error messages contain a data section that includes the entire IPv4 header, plus the first eight bytes of data from the IPv4 packet that caused the error message. The ICMP packet is then encapsulated in a new IPv4 packet.

The variable size of the ICMP packet data section has been exploited. In the well-known "Ping of death," large or fragmented ping packets are used for denial-of-service attacks.

Page 7: ICMP Type (1)

Page 8: ICMP Type (2)

Page 9: ICMP Type (3)

Page 10: ECHO / ECHO Reply (1)

Echo and Echo Reply messages are normally used to verify the existence of an end system or intermediate system.

The ICMP implementation in the receiver has to respond to an Echo request by sending an Echo Reply message.

Echo and Echo Reply messages differ only in the Type field: 0x08 specifies an Echo message and 0x00 specifies an Echo Reply message. The Code value has to be set to 0x00 for both types.

Page 11: ECHO / ECHO Reply (2)

RFC 792 does not define explicit values for the other fields (i.e., Identifier, Sequence Number, and Data); therefore, the application can set these fields arbitrarily.

The only thing the ICMP implementation has to ensure is that these three fields are copied from the Echo message to the Echo Reply message.

The Data field can have an arbitrary length. For example, an ICMP application could use session numbers for the Identifier field and increment the sequence number for each Echo message it sends.

Page 12: Destination Unreachable (1)

Code = 0x00 (Network Unreachable): The network of an IP packet's receiver is not reachable. This can happen, for example, if the distance to the receiver's network is set to infinite in the routing table of a router.

Code = 0x01 (Host Unreachable): The desired destination computer in the specified network cannot be reached.

Page 13: Destination Unreachable (2)

Code = 0x02 (Protocol Unreachable): This message can be generated if another protocol listens to the destination port specified in the TCP/UDP packet header. The message can be sent both by a router and by an end system.

Code = 0x03 (Port Unreachable): The port address of the receiver specified in the TCP/UDP packet header is not reachable. The end system is "reachable" in this case, too, so both a router and an end system can generate this message.

Page 14: Destination Unreachable (3)

Code = 0x04 (Fragmentation Needed): This ICMP packet can be sent if an IP packet has to be fragmented in a router, but the Don't-Fragment flag is set in the packet header, so that the packet may not be fragmented. In this case, the router has to discard the IP packet.

Code = 0x05 (Source Route Failed): If the IP packet option Source Routing is set and an error occurs, then this ICMP message is returned to the sender.

Page 15: Time Exceeded (1)

Time Exceeded is generated and returned to the sender if the lifetime of the IP packet has expired (i.e., its TTL value is 0) and the packet was discarded. Either of the following two cases can occur:

Code = 0x00: A router sends this message if it discarded a packet because its TTL had expired.

Code = 0x01: An end system sends a message with this code if it was unable to reassemble a fragmented IP message correctly within a certain time, because fragments were missing.

Page 16: Time Exceeded (2)

As in the Destination Unreachable message, the payload part of the Time Exceeded message includes the IP header of the packet that caused the ICMP message, plus the first 64 data bits (eight bytes) from that packet.

It is used by the traceroute program.

Page 17: Ping (1)

Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply.

It measures the round-trip time from transmission to reception, reporting errors and packet loss.

The results of the test usually include a statistical summary of the response packets received, including the minimum, maximum and mean round-trip times, and usually the standard deviation of the mean.

Page 18: Ping (2)

Page 19: Ping (3)

The payload of the packet is generally filled with ASCII characters.

The payload includes a timestamp of when the message was sent and a sequence number. This allows ping to compute the round-trip time in a stateless manner, without needing to record when packets were sent.
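The three mechanics described on the ICMP Header (1), ECHO / ECHO Reply and Ping slides (the RFC 1071 checksum over header plus data with the field zeroed, the receiver copying Identifier, Sequence Number and Data into the reply, and a stateless round-trip time computed from a timestamp the sender put in the payload) can be exercised without a network. The following is an added example, not code from the slides; the payload layout (an 8-byte big-endian microsecond timestamp followed by ASCII filler) and the function names are assumptions made here, since RFC 792 leaves the Data field to the application.

```python
"""ICMP Echo / Echo Reply built and parsed by hand (added example, not from the slides).

Assumption (not on the page): the ping client stores its sending time as an 8-byte
big-endian microsecond count at the start of the Data field, then ASCII filler.
Pure byte manipulation, so it runs offline without raw sockets.
"""
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"  # type, code, checksum, identifier, sequence number (RFC 792)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet Checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero octet
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Serialise an Echo (type 8) or Echo Reply (type 0); Code is always 0."""
    header = struct.pack(HEADER_FMT, msg_type, 0, 0, ident, seq)  # checksum field = 0
    csum = internet_checksum(header + data)
    return struct.pack(HEADER_FMT, msg_type, 0, csum, ident, seq) + data


def parse_echo(packet: bytes) -> dict:
    """Parse an ICMP Echo/Echo Reply and verify its checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    msg_type, code, csum, ident, seq = struct.unpack(HEADER_FMT, packet[:8])
    # Re-summing the whole message, checksum field included, must give 0.
    valid = internet_checksum(packet) == 0
    return {"type": msg_type, "code": code, "checksum": csum, "id": ident,
            "seq": seq, "data": packet[8:], "checksum_ok": valid}


def make_request(ident: int, seq: int, sent_us: int,
                 filler: bytes = b"abcdefghijklmnop") -> bytes:
    """Echo request whose payload starts with the sending time (microseconds)."""
    data = struct.pack("!Q", sent_us) + filler  # constructed payload layout
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, data)


def make_reply(request: bytes) -> bytes:
    """What a conforming receiver sends back: type 0, code 0, id/seq/data copied."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST or req["code"] != 0 or not req["checksum_ok"]:
        raise ValueError("not a valid Echo request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["data"])


def rtt_from_reply(reply: bytes, now_us: int) -> int:
    """Round-trip time derived only from the echoed payload: no per-probe state kept."""
    rep = parse_echo(reply)
    if rep["type"] != ICMP_ECHO_REPLY or not rep["checksum_ok"]:
        raise ValueError("not a valid Echo reply")
    (sent_us,) = struct.unpack("!Q", rep["data"][:8])
    return now_us - sent_us


if __name__ == "__main__":
    t0 = int(time.time() * 1_000_000)
    req = make_request(ident=0x1234, seq=1, sent_us=t0)
    rep = make_reply(req)
    print("request :", req.hex())
    print("reply   :", rep.hex())
    print("RTT (us):", rtt_from_reply(rep, int(time.time() * 1_000_000)))
```

The checksum verification rule (sum over the received message including its checksum field must fold to zero) is the check a receiver applies before trusting any of the other fields; a corrupted reply fails it and is dropped rather than being used for an RTT computation.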

Page 20: Traceroute (1)

Traceroute is a network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.

The history of the route is recorded as the round-trip times of the packets received from each successive host (remote node) in the route (path); the sum of the mean times in each hop indicates the total time spent to establish the connection.

Page 21: Traceroute (2)

Traceroute proceeds unless all (three) sent packets are lost more than twice; then the connection is lost and the route cannot be evaluated.

Ping, on the other hand, only computes the final round-trip times from the destination point.

Page 22: Traceroute (3)

Page 23: Traceroute Implementation (1)

Traceroute, by default, sends a sequence of User Datagram Protocol (UDP) packets addressed to a destination host; ICMP Echo Request or TCP SYN packets can also be used. The time-to-live (TTL) value, also known as the hop limit, is used in determining the intermediate routers being traversed towards the destination.

Routers decrement the TTL value of a packet by one when routing and discard packets whose TTL value has reached zero, returning the ICMP error message "Time Exceeded". Common default values for TTL are 128 (Windows OS) and 64 (Unix-based OS).

Page 24: Traceroute Implementation (2)

Traceroute works by sending packets with gradually increasing TTL values, starting with a TTL value of one.

The first router receives the packet, decrements the TTL value and drops the packet because it then has a TTL value of zero. The router sends an ICMP Time Exceeded message back to the source.

The next set of packets is given a TTL value of two, so the first router forwards the packets, but the second router drops them and replies with ICMP Time Exceeded.

Page 25: Traceroute Implementation (3)

The traceroute utility uses User Datagram Protocol (UDP) datagrams by default, with destination port numbers ranging from 33434 to 33534.

Page 26: Traceroute Implementation (4)

The traceroute utility usually has an option to instead use ICMP Echo Request (type 8) packets, like the Windows tracert utility does, or to use TCP SYN packets.
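The Traceroute Implementation slides describe a procedure (UDP probes to ports from 33434 upward, TTL starting at 1 and increasing, each router decrementing and answering Time Exceeded at zero, the destination answering Port Unreachable, and the error message quoting the offending IP header plus eight bytes so the sender can match replies to probes). The following added example, which is not code from the slides, simulates that whole exchange in memory: the three-router path and the addresses are constructed, nothing is transmitted, and the IP and ICMP checksums are left at zero because the point is the TTL mechanics and the quoted-header matching, not wire-exact packets.

```python
"""Simulated traceroute over an in-memory path (added example, not from the slides).

Constructed: a source, three routers and a destination in documentation address ranges;
probes are an IPv4 header (RFC 791 layout) plus an 8-byte UDP header. Checksums are
not computed in this simulation. Nothing leaves the machine.
"""
import ipaddress
import struct

# ver/ihl, tos, total length, id, flags/fragment offset, ttl, protocol, checksum, src, dst
IP_FMT = "!BBHHHBBH4s4s"
ICMP_TIME_EXCEEDED = 11
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3
BASE_PORT = 33434           # first destination port, as on the slides

SOURCE = "192.0.2.10"
PATH = ["198.51.100.1", "198.51.100.2", "203.0.113.1"]   # routers, in order (constructed)
DESTINATION = "203.0.113.50"


def ipv4(src, dst, ttl, proto, payload):
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload


def udp_probe(src, dst, ttl, dport):
    # UDP header: source port, destination port, length, checksum (0 here)
    return ipv4(src, dst, ttl, 17, struct.pack("!HHHH", 40000, dport, 8, 0))


def icmp_error(msg_type, code, from_addr, to_addr, offending):
    # Data section per the slides: IP header of the offending packet + its first 8 data bytes
    quoted = offending[:20] + offending[20:28]
    icmp = struct.pack("!BBHI", msg_type, code, 0, 0) + quoted   # checksum, unused = 0
    return ipv4(from_addr, to_addr, 64, 1, icmp)


def forward(packet):
    """Walk the packet along PATH as routers would; return the ICMP error that comes back."""
    hdr = struct.unpack(IP_FMT, packet[:20])
    ttl, src = hdr[5], str(ipaddress.ip_address(hdr[8]))
    for router in PATH:
        ttl -= 1                                  # each router decrements the TTL
        if ttl == 0:                              # and discards at zero, answering Time Exceeded
            return icmp_error(ICMP_TIME_EXCEEDED, 0, router, src, packet)
    # Destination reached: nothing listens on the high UDP port, so Port Unreachable
    return icmp_error(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, DESTINATION, src, packet)


def parse_reply(reply):
    """Return (responder address, ICMP type, ICMP code, quoted UDP destination port)."""
    outer = struct.unpack(IP_FMT, reply[:20])
    msg_type, code = reply[20], reply[21]
    quoted_udp = reply[48:56]                     # 20 outer IP + 8 ICMP + 20 quoted IP
    dport = struct.unpack("!HHHH", quoted_udp)[1]
    return str(ipaddress.ip_address(outer[8])), msg_type, code, dport


def traceroute(max_hops=30):
    """Probe with TTL 1, 2, 3, ... and record which node answered each probe."""
    hops = []
    for ttl in range(1, max_hops + 1):
        dport = BASE_PORT + ttl - 1               # a distinct port per probe
        reply = forward(udp_probe(SOURCE, DESTINATION, ttl, dport))
        who, msg_type, code, echoed_port = parse_reply(reply)
        if echoed_port != dport:                  # quoted header is how replies match probes
            raise ValueError("reply does not quote our probe")
        hops.append((ttl, who, msg_type, code))
        if msg_type == ICMP_DEST_UNREACH and code == CODE_PORT_UNREACH:
            break                                 # destination reached
    return hops


if __name__ == "__main__":
    for ttl, who, t, c in traceroute():
        print(f"{ttl:2d}  {who:15s}  icmp type={t} code={c}")
```

Running it prints one line per hop: the three routers answer with type 11 code 0 and the destination with type 3 code 3, which is exactly how a traceroute implementation knows the probe has arrived.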

Page 27: Use of ICMP in a Non-Conventional Way

ICMP can be altered to act as a conduit for evil purposes.

Some of the ways that ICMP can be used for purposes other than the intended ones are:

Reconnaissance

Denial of Service

Covert Channel

Page 28: Reconnaissance (1)

Reconnaissance is the first stage in the information gathering process: discovering live hosts and other essential information as part of most planned attacks.

Page 29: Reconnaissance (2)

By manipulating these ICMP messages, one is able to gather substantial information in the process of information gathering:

Host Detection

Network Topology

ACL Detection

Packet Filter Detection

OS Fingerprinting

Page 30: Host Detection and Network Topology

Using ICMP messages allows one to identify hosts that are reachable, in particular from the Internet.

Ping to check whether a host is available; broadcast ICMP ECHO.

Traceroute attempts to map network devices and hosts on a route to a certain destination host. Intelligent use of it will allow one to map the topology of a network.

Page 31: Access Control List (ACL) Detection (1)

The idea is to manipulate the Total Length field of the IP header (header error). A crafted packet carries a total length in the IP header field claiming to be bigger than it really is. When this packet reaches the host, the host will try to grab data from an area which is not there. The host will thus issue an ICMP Parameter Problem back to the querying IP address.

Page 32: Access Control List (ACL) Detection (2)

If there is a packet filtering device present and we probe a targeted network with all possible combinations of protocols and services, it will allow us to determine the access control list of the filtering device (which host is allowed to receive what type of traffic).

The crafted packet can use ICMP, TCP or UDP as the underlying protocol.

Page 33: Access Control List (ACL) Detection (3)

If we receive a reply from a destination IP address, we have a host that is alive and an ACL that allows this type of ICMP message to get to the host which generated the ICMP error message (and the Parameter Problem ICMP error message is allowed from the destination host to the Internet).

Page 34: Access Control List (ACL) Detection (4)

If we are not getting any reply, then there are three possibilities:

The filtering device disallows datagrams with the kind of bad field we are using.

The filtering device is filtering the type of ICMP message we are using.

The filtering device blocks ICMP Parameter Problem error messages initiated from the protected network destined to the Internet.

Page 35: Protocol/Port Scan

ICMP error messages (Protocol/Port Unreachable) are the common way to determine what protocols/ports the host is running.

Nmap 2.54 beta 1 has integrated the Protocol Scan.

It sends raw IP packets without any further protocol header (no payload) to each specified protocol on the target machine.

If an ICMP Protocol Unreachable error message is received, the protocol is not in use.

Page 36: OS Fingerprinting (1)

This is possible because different OSes implement ICMP differently.

Some do not comply strictly with the RFC, and the RFC also leaves some behaviour optional.

Fingerprinting of the OS can be achieved via the following:

Using ICMP Query Messages

Using ICMP Error Messages

Page 37: Fingerprinting HPUX 10.20, Solaris and Linux

Page 38: Fingerprinting Windows Family (95/98/ME/NT/2000)

Page 39: Denial of Service (DoS)

These are well-known DoS attacks using ICMP as a means:

Ping of Death

Smurf DoS

Tribe Flood Network

WinFreeze

Source Quench Attack

Page 40: Ping of Death (1)

A correctly formed ping packet is typically 56 bytes in size, or 84 bytes when the Internet Protocol header is considered.

However, any IPv4 packet (including pings) may be as large as 65,535 bytes, as defined in RFC 791.

Page 41: Ping of Death (2)

The underlying Data Link Layer almost always poses limits to the maximum frame size (see MTU). In Ethernet, this is typically 1500 bytes.

In such a case, a large IP packet is split across multiple IP packets (also known as IP fragments), so that each IP fragment will match the imposed limit.

The receiver of the IP fragments will reassemble them into the complete IP packet, and will continue processing it as usual.

Page 42: Ping of Death (3)

The maximum allowable size of the data area is 65535 - 20 - 8 = 65507 octets.

Note that it is possible to send an illegal echo packet with more than 65507 octets of data due to the way the fragmentation is performed.

The fragmentation relies on an offset value in each fragment to determine where the individual fragment goes upon reassembly.

Page 43: Ping of Death (4)

Thus on the last fragment, it is possible to combine a valid offset with a suitable fragment size such that (offset + size) > 65535.

Since typical machines don't process the packet until they have all fragments and have tried to reassemble it, there is the possibility of overflow of 16-bit internal variables, which can lead to system crashes, reboots, kernel dumps and the like.

It is a problem in the reassembly process of IP fragments, which may contain any type of protocol (TCP, UDP, IGMP, etc.).

Page 44: Smurf DoS (1)

The Smurf attack preys on ICMP's capability to send traffic to the broadcast address. Many hosts can listen and respond to a single ICMP echo request sent to a broadcast address. This capability is used to execute a DoS attack.

The two main components of the Smurf denial-of-service attack are the use of forged ICMP echo request packets and the direction of packets to IP broadcast addresses.

Page 45: Smurf DoS (2)

Page 46: Tribe Flood Network (1)

The attacker(s) control one or more clients, each of which can control many daemons.

The daemons are all instructed by the client to coordinate a packet-based attack against one or more victim systems.

Communication from the TFN client to the daemons is accomplished via ICMP Echo Reply packets.

Page 47: Tribe Flood Network (2)

Each "command" to the daemons is sent in the form of a 16-bit binary number in the ID field of an ICMP Echo Reply packet (the sequence number is a constant 0x0000, which would make it look like the response to the initial packet sent out by the "ping" command). Using Echo Reply rather than Echo Request prevents the kernel on the daemon system from replying with an ICMP Echo Reply packet. The daemon then responds (if need be) to the client(s), also using an ICMP Echo Reply packet.

The payload differs with TFN, as it is used for sending command arguments and replies.

Page 48: Tribe Flood Network (3)

Page 49: Winfreeze (1)

A small exploit program can cause a Windows 9x/NT box on the local LAN to freeze completely.

The program initiates a storm of ICMP Redirect Host messages that appear to come from a router (by using the router's IP).

The Windows machine receives the redirect host messages, causing it to change its own routing table.

This makes it get stuck, or operate very slowly, until a reboot is done.

Page 50: Winfreeze (2)

Page 51: Source Quench Attack (1)

An ICMP Source Quench message (ICMP type 4, code 0) is designed to be issued when a router is unable to handle the volume of packets coming in.

It is a request for the sender to lower the volume of incoming traffic. However, this method of flow control is long out of date, with RFC 1812 saying that routers should not issue these packets. Nevertheless, a Source Quench packet was detected.

This event may be indicative of an attacker attempting to perform a denial of service in the form of lowered bandwidth.

Page 52: Source Quench Attack (2)

Page 53: Covert Channel

Many firewalls and networks consider ping traffic to be benign and will allow it to pass through.

Use of ping traffic can open up covert channels through the networks in which it is allowed.

Page 54: Loki (1)

The concept of Loki is simple: arbitrary information tunnelling in the data portion of ICMP Echo Request and ICMP Echo Reply packets.

Loki exploits the covert channel that exists inside ICMP Echo traffic.

ICMP Echo packets have the option to include a data section. This data section is used when the record route option is specified, or, in the more common case (usually the default), to store timing information to determine round-trip times.

Although the payload is often timing information, there is no check by any device as to the content of the data.

Page 55: Loki (2)

So, as it turns out, this data can be arbitrary in content as well.

Most network devices do not filter the contents of ICMP Echo traffic.

They simply pass them, drop them, or return them.

The trojan packets themselves are masqueraded as common ICMP Echo traffic.

Page 56: Loki (3)

If a host is compromised and a Loki server is installed, it can respond to traffic sent to it by a Loki client.

Because the programs use ICMP Echo Reply packets for communication, it will be very difficult (if not impossible) to block them without breaking most Internet programs that rely on ICMP.

With a proper implementation, the channel can go completely undetected for the duration of its existence. Detection can be difficult.

Page 57: Loki (4)
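The Smurf, WinFreeze, Source Quench, Tribe Flood Network and Loki slides each describe ICMP traffic that looks ordinary to a filter but is distinguishable by its context: an echo request aimed at a broadcast address, a burst of Redirect messages from one "router", a Source Quench that RFC 1812 says routers should no longer send, an Echo Reply for which no Echo Request was ever seen, and an echo payload that is not the timestamp-plus-ASCII filler ping normally sends. The following added example (not code from the slides) runs those five checks as a small rule set over constructed packet records, the form in which a sensor would hand decoded ICMP to a detection engine; the protected subnet, the redirect threshold and the 90 % printable-bytes test are assumptions chosen for illustration.

```python
"""Detection heuristics for the ICMP misuse described in the slides (added example,
not from the slides; packet records, subnets and thresholds are constructed).

Each packet is a dict with src, dst, type, code, id, seq, payload. Rules:
  * echo request to a directed-broadcast address   -> Smurf-style amplification request
  * Source Quench (type 4)                         -> deprecated per RFC 1812, should not appear
  * many Redirects (type 5) from one source        -> redirect storm (WinFreeze pattern)
  * Echo Reply with no matching Echo Request       -> possible TFN/Loki control traffic
  * echo payload that is not timestamp + ASCII     -> possible data tunnelling (Loki)
"""
import ipaddress
from collections import Counter

ECHO_REPLY, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST = 0, 4, 5, 8
REDIRECT_THRESHOLD = 3                                   # constructed threshold
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # constructed protected subnet


def is_directed_broadcast(addr):
    a = ipaddress.ip_address(addr)
    return (any(a == n.broadcast_address for n in LOCAL_NETS)
            or a == ipaddress.ip_address("255.255.255.255"))


def looks_like_ping_payload(payload):
    """ping fills the data field with ASCII after a timestamp (slide 'Ping (3)')."""
    body = payload[8:] if len(payload) > 8 else payload  # skip the 8-byte timestamp slot
    if not body:
        return True
    printable = sum(32 <= b < 127 for b in body)
    return printable / len(body) >= 0.9


def analyse(packets):
    """Return (packet index, rule name, source address) for every rule that fires."""
    alerts = []
    outstanding = set()            # (src, dst, id, seq) of Echo Requests seen so far
    redirects = Counter()
    for i, p in enumerate(packets):
        t = p["type"]
        if t == ECHO_REQUEST:
            outstanding.add((p["src"], p["dst"], p["id"], p["seq"]))
            if is_directed_broadcast(p["dst"]):
                alerts.append((i, "echo-to-broadcast", p["src"]))
            if not looks_like_ping_payload(p["payload"]):
                alerts.append((i, "opaque-echo-payload", p["src"]))
        elif t == ECHO_REPLY:
            key = (p["dst"], p["src"], p["id"], p["seq"])   # reply swaps the addresses
            if key in outstanding:
                outstanding.discard(key)
                if not looks_like_ping_payload(p["payload"]):
                    alerts.append((i, "opaque-echo-payload", p["src"]))
            else:
                alerts.append((i, "unsolicited-echo-reply", p["src"]))
        elif t == SOURCE_QUENCH:
            alerts.append((i, "deprecated-source-quench", p["src"]))
        elif t == REDIRECT:
            redirects[p["src"]] += 1
            if redirects[p["src"]] == REDIRECT_THRESHOLD:   # alert once per source
                alerts.append((i, "redirect-storm", p["src"]))
    return alerts


def pkt(src, dst, type_, code=0, id_=0, seq=0, payload=b""):
    return {"src": src, "dst": dst, "type": type_, "code": code,
            "id": id_, "seq": seq, "payload": payload}


PING_PAYLOAD = b"\x00" * 8 + bytes(range(0x20, 0x20 + 48))   # timestamp slot + ASCII filler

# Constructed sample traffic, in arrival order
SAMPLE = [
    pkt("192.0.2.10", "198.51.100.5", ECHO_REQUEST, id_=0x1234, seq=1, payload=PING_PAYLOAD),
    pkt("198.51.100.5", "192.0.2.10", ECHO_REPLY, id_=0x1234, seq=1, payload=PING_PAYLOAD),
    pkt("203.0.113.9", "192.0.2.255", ECHO_REQUEST, id_=1, seq=1, payload=PING_PAYLOAD),
    pkt("198.51.100.1", "192.0.2.10", SOURCE_QUENCH),
    pkt("198.51.100.1", "192.0.2.10", REDIRECT, code=1),
    pkt("198.51.100.1", "192.0.2.10", REDIRECT, code=1),
    pkt("198.51.100.1", "192.0.2.10", REDIRECT, code=1),
    pkt("203.0.113.7", "192.0.2.10", ECHO_REPLY, id_=0x0301, seq=0, payload=b"\x01\x02"),
    pkt("192.0.2.10", "198.51.100.5", ECHO_REQUEST, id_=0x1234, seq=2,
        payload=b"\x00" * 8 + bytes(range(200, 248))),
]

if __name__ == "__main__":
    for idx, rule, who in analyse(SAMPLE):
        print(f"packet {idx}: {rule} from {who}")
```

The first two records are a benign request/reply pair and produce nothing; each of the remaining records trips exactly one rule. The request/reply pairing is the check that matters most for the TFN and Loki cases, since those tools deliberately use Echo Reply so that no host-side stack ever generates a matching request.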

Page 58: DoS – Tear Drop (1)

When a teardrop attack is carried out on a machine, it will crash or reboot.

Teardrop attacks exploit the handling of overlapping IP fragments in machines.

IP packets are broken up into smaller fragments, with each fragment having the original IP packet's header and a field that tells the TCP/IP stack which bytes it contains.

Page 59: DoS – Tear Drop (2)

The packet is fragmented and sent from the source to the destination. At the destination, the fragments need to be put back together again. What happens with teardrop, though, is that the IP fragments have overlapping fields. When the destination tries to reassemble them, it cannot do it, and if it does not know how to handle these overlapping fragments, it can quickly fail.

This type of attack is more common on the Internet, and precautions need to be taken to counteract such attacks.

Page 60: DoS – Tear Drop (3)
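The Ping of Death slides and the Tear Drop slides describe two failures of the same component, IP fragment reassembly: a last fragment whose offset plus size exceeds 65535, and fragments whose byte ranges overlap. The following added example (not code from the slides or from any real stack) is a small reassembler that applies the two checks a hardened stack performs before touching a fragment, modelled on the RFC 791 fields the slides name (the 8-octet fragment offset, the more-fragments flag and the data); the fragment sets are constructed, and handling of multiple concurrent datagrams and reassembly timeouts is left out.

```python
"""IP fragment reassembly with the two sanity checks the Ping of Death and Teardrop
slides motivate (added example, not from the slides or any real stack).

Model: a fragment is (offset in 8-octet units, more-fragments flag, data), the RFC 791
fields reassembly keys on. One datagram per Reassembler is enough to show the checks.
"""
MAX_DATAGRAM = 65535        # RFC 791 total-length limit, IP header included
IP_HEADER_LEN = 20


class FragmentError(ValueError):
    def __init__(self, kind, message):
        super().__init__(message)
        self.kind = kind


class Reassembler:
    def __init__(self):
        self.pieces = []        # (start_byte, end_byte, data) of accepted fragments
        self.total_len = None   # payload length, known once the last fragment (MF = 0) arrives

    def add(self, offset_units, more_fragments, data):
        start = offset_units * 8
        end = start + len(data)
        # Ping of Death: offset + size past 65535 overflows 16-bit length bookkeeping
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            raise FragmentError("oversize", f"fragment ends at payload byte {end}")
        # Teardrop: a fragment overlapping one already held
        for s, e, _ in self.pieces:
            if start < e and s < end:
                raise FragmentError("overlap", f"[{start},{end}) overlaps [{s},{e})")
        # Every fragment except the last must be a whole number of 8-octet units
        if more_fragments and len(data) % 8:
            raise FragmentError("bad-length", "non-final fragment not a multiple of 8")
        self.pieces.append((start, end, data))
        if not more_fragments:
            self.total_len = end
        return self.complete()

    def complete(self):
        """True when the last fragment is known and bytes 0..total_len are contiguous."""
        if self.total_len is None:
            return False
        covered = 0
        for s, e, _ in sorted(self.pieces):
            if s != covered:
                return False
            covered = e
        return covered == self.total_len

    def datagram(self):
        if not self.complete():
            raise FragmentError("incomplete", "datagram incomplete")
        return b"".join(d for _, _, d in sorted(self.pieces))


def reassemble(fragments):
    """Feed fragments in arrival order; return the payload or raise FragmentError."""
    r = Reassembler()
    for offset_units, mf, data in fragments:
        r.add(offset_units, mf, data)
    return r.datagram()


def classify(fragments):
    """'ok' if the set reassembles, else the kind of check it failed."""
    try:
        reassemble(fragments)
    except FragmentError as exc:
        return exc.kind
    return "ok"


# Constructed fragment sets
NORMAL = [(0, True, b"A" * 1480), (185, False, b"B" * 100)]       # 1480 / 8 = 185 units
OVERSIZE = [(0, True, b"A" * 8), (8189, False, b"C" * 100)]       # ends at 65612 > 65515
OVERLAP = [(0, True, b"A" * 24), (1, False, b"B" * 24)]           # second starts inside first

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("oversize", OVERSIZE), ("overlap", OVERLAP)):
        print(f"{name:9s} -> {classify(frags)}")
```

Fragments may arrive in any order: the reversed NORMAL set is held until the first fragment fills the gap and then reassembles identically, while the oversize and overlapping sets are rejected at the moment the offending fragment arrives, before any reassembly buffer is touched.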