Internet Control Message Protocol (ICMP)

TCP and UDP exist primarily to deliver upper-layer data across a network. Whether connection oriented or connectionless, the process of delivering the data is fundamentally the same: identify the source and destination application ports, format the data accordingly, and hand the data to IP. This process works well when the network is functioning without error and when systems are operating correctly and know how to deliver data through routers and subnets to any destination, anywhere. The problem is that the network does not always work: routes fail, and data may not be deliverable (or it may need to be directed elsewhere to be delivered successfully). The ICMP protocol was developed to handle these situations. In many ways, ICMP functions as the traffic cop of the network. Because IP (and UDP) lack any mechanism for detecting that failures have occurred on the network, they need an external protocol that can provide information about routing failures and report delivery errors, congestion delays, and other conditions on the network. Like a traffic cop notifying motorists about congestion or blocked intersections (routers) on the street, ICMP provides a means to control the flow of traffic so that the data can be delivered reliably.

An important distinction to understand about ICMP is that it is an error-reporting mechanism, not an error-correcting mechanism. Although ICMP can notify hosts of error conditions, ICMP natively has no means of doing anything about the error condition itself. Instead, ICMP relies on other protocols, such as routing protocols or reliable transport protocols such as TCP, to account for and address the particular error condition.

The most well-known use of ICMP is the ping application. Ping is a network troubleshooting application that uses ICMP echo request and echo reply messages (detailed in the next section) to determine whether a host is responding to network traffic. This allows the user to determine the reachability and status of the target host in a fairly simple manner. If a target host responds, it is reachable and available. If it does not, then depending on the reply message, either the target host, the target network, or a network somewhere between the source and destination is unreachable and unavailable. We talk more about ping in Chapter 13, "Troubleshooting Firewalls," and Appendix A, "Firewall and Security Tools."

Note: RFC 0792 and RFC 0950 define ICMP.
ICMP Message Structure

ICMP controls the data being transmitted over the network through the use of numerous message types. Each ICMP message type has specific formatting related to its function, but most consist of a header and a data field of varying length. All ICMP messages begin with the same 32 bits of data. First, an 8-bit TYPE field defines the ICMP type. Next, an 8-bit CODE field provides additional information specific to the message type. Then, a 16-bit CHECKSUM field ensures that the data that is delivered is the same amount of data that was transmitted. Some of the more common message types are as follows:

• Echo reply (Type 0): Together with echo request (Type 8), echo reply makes up one half of the pair of messages used by the ping utility for testing destination reachability and status. As the name implies, this message is the reply to an echo request message.

• Destination unreachable (Type 3): Destination unreachable messages are sent by intermediate routers to inform a host that the router cannot forward or deliver the data. There are 13 codes associated with destination unreachable messages, each representing a specific failure condition. Common codes include the following:
  - Network unreachable (Code 0): This typically indicates a failure of a router.
  - Host unreachable (Code 1): This typically indicates that the destination network was reachable but the host could not be contacted, and thus points to a failure of the destination host itself.
  - Protocol unreachable (Code 2): This typically indicates that the network protocol (for example, TCP or UDP) cannot be reached.
  - Port unreachable (Code 3): Similar to protocol unreachable, this typically indicates that the given port (for example, the TCP or UDP port of the application in question) cannot be reached.

• Source quench (Type 4): Source quench messages are used to rate limit traffic during periods of congestion. Routers typically reserve an amount of memory in which to store data temporarily before it is delivered. If for some reason the router cannot deliver the data efficiently, it could run out of memory to store new data. Rather than drop the packets (at which point, if a connection-oriented protocol such as TCP is in use, the data will need to be retransmitted), the router attempts to issue a source quench message. This message tells the source to slow down the rate at which it is sending data, in the hope that whatever condition is causing the router to buffer data is resolved, at which point the normal flow of data can resume and no data is lost or needs to be retransmitted.

• Redirect (Type 5): Redirect messages are used to notify hosts to update their routing table to reflect a change in the routing environment. These are typically issued by routers that recognize that a host is using a nonoptimal routing configuration. A common instance of this is when a host's default gateway is on the same network as another gateway that the host must use (such as a firewall). In that case, the router issues a redirect to inform the host to send the data to the other gateway directly, because that is more efficient than going through the default gateway to reach the other gateway.

• Echo request (Type 8): Echo request messages make up the other half of the messages used by the ping utility. As the name implies, an echo request message asks the target host to respond with an echo reply message.

• Time exceeded (Type 11): Time exceeded messages are used to indicate that a circular or excessively long route has been detected, and are a means of notifying the source host that the data could not be routed to the given destination.

Note: For a list of all ICMP message types, refer to http://www.iana.org/assignments/icmp-parameters.

Bad ICMP

ICMP is one of the most abused protocols out there, by the nature of what it exists to do. After all, if you want to attack a network or host, what better method than to use the protocol that is designed to control network traffic in general? Consequently, a common example of "bad" ICMP is allowing any ICMP traffic from untrusted sources onto your trusted networks.
For example, if you allow ICMP redirects, you leave your Internet hosts susceptible to having their traffic inadvertently routed to the wrong location. This could result in a DoS in the best case (because the traffic never reaches the hosts that are requesting data) or in a data compromise (if the data can be redirected to a host that the attacker controls). To address this, it is generally a good idea to block ICMP traffic, in particular between trusted and untrusted networks. The downside, of course, is that by blocking ICMP you also lose the benefits of ICMP, such as the ability to use ping to test the reachability of remote hosts. To mitigate this, most firewalls allow you to define which types of ICMP messages to permit or deny, so that you can allow some ICMP traffic (such as time exceeded, destination unreachable, and echo replies) while blocking other ICMP traffic (such as redirects).

ICMP messages themselves are also susceptible to manipulation (as occurs frequently with the insertion of bogus or extremely large amounts of data in an ICMP message, in the hope that the target host cannot properly process the message, which may leave it in a vulnerable state). Perhaps the best known of this kind of manipulation is the "ping of death," which transmitted a message that exceeded the 65,535-byte limit of the IP protocol and caused many target hosts to crash, resulting in a DoS.
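The following added example (written for this edit, not code from the original text) ties together the ICMP message structure described above and the per-type firewall filtering discussed in this section: it computes and verifies the 16-bit ICMP checksum over the TYPE/CODE/CHECKSUM header and body, decodes the type and destination-unreachable codes listed above, and applies an assumed inbound policy for an untrusted-to-trusted boundary that permits echo replies, destination unreachable and time exceeded while denying redirects, source quench and inbound echo requests. The policy set and the sample messages are constructed for illustration.

```python
import struct

# Type/code names for the message types listed in this section.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
              5: "redirect", 8: "echo-request", 11: "time-exceeded"}
UNREACH_CODES = {0: "network", 1: "host", 2: "protocol", 3: "port"}

# Assumed policy for ICMP arriving from an untrusted network: permit replies and
# error reports, deny everything else (redirects, source quench, echo requests).
PERMIT_FROM_UNTRUSTED = {0, 3, 11}

def icmp_checksum(data: bytes) -> int:
    """One's complement of the one's-complement sum of all 16-bit words (RFC 792)."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message for the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build an ICMP message: 8-bit type, 8-bit code, 16-bit checksum, 4-byte rest-of-header, data."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)  # checksum is computed with the field zeroed
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload

def parse_icmp(msg: bytes) -> dict:
    """Decode the common 32-bit ICMP header and verify the checksum over the whole message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    # Summing every word including the checksum field yields all ones when intact,
    # so the recomputed checksum is 0 for an undamaged message.
    checksum_ok = icmp_checksum(msg) == 0
    name = ICMP_TYPES.get(icmp_type, "other")
    if icmp_type == 3:
        name += "/" + UNREACH_CODES.get(code, "code-%d" % code)
    return {"type": icmp_type, "code": code, "name": name, "checksum_ok": checksum_ok}

def filter_from_untrusted(msg: bytes) -> str:
    """Firewall decision for an ICMP message entering a trusted network from an untrusted one."""
    try:
        parsed = parse_icmp(msg)
    except ValueError:
        return "deny: malformed"
    if not parsed["checksum_ok"]:
        return "deny: bad checksum"
    if parsed["type"] in PERMIT_FROM_UNTRUSTED:
        return "permit: " + parsed["name"]
    return "deny: " + parsed["name"]
```

Running `filter_from_untrusted(build_icmp(5, 1))` returns `"deny: redirect"`, while a constructed time exceeded message from the same builder is permitted.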