Everyone is familiar with the Internet Protocol (IP), which is responsible for routing and addressing traffic. However, many are not as familiar with the Internet Control Message Protocol (ICMP), a powerful protocol that plays a major role in delivering data. In this chapter, we'll learn about ICMP, the companion protocol to IP, which works in the network layer of the OSI model. We'll begin with an overview so that you have a general understanding of the main functions of ICMP.
We will then evaluate both ICMP (used with IPv4) and ICMPv6 (used with IPv6) so that you can compare some of the main differences. In addition, you'll get a better understanding of the two types of messages: error reporting and queries. We'll then look at common type and code values, along with a discussion on which types of ICMP messages are no longer used. We'll finish with a discussion on how malicious actors can use ICMP to launch an attack. Then, we'll outline some basic firewall guidelines in terms of what types of ICMP messages to allow on your network.
This chapter will address all of this by covering the following:
Early in the 1980s, scientists developed protocols that drove internet traffic. In addition, they identified potential issues that might prevent traffic from reaching its destination, especially when using IP. This is mainly because IP doesn't guarantee delivery and has no way of communicating network problems with end devices. ICMP overcomes the deficiencies of IP by sending query messages and generating error reports on possible issues that may require attention.
As shown in the following table, the network layer is responsible for addressing and routing:
The network layer has three main protocols, which are essential in delivering data. In addition to ICMP, the other protocols are as follows:
As we learned in Chapter 11, Analyzing IPv4 and IPv6, the network layer is responsible for addressing and routing traffic. Because IP is a best-effort, unreliable protocol, ICMP is essential for data delivery and must be implemented by every IP module.
As there are two IP versions, there are also two versions of ICMP. These have roles that are specific to their respective IP version:
Because of its role in assisting IP in delivering data, the use of ICMP is made clear in the Request for Comments (RFC) for both versions of ICMP as follows:
To communicate either queries or errors, an ICMP message must provide information within the header. In the next section, we'll see how an ICMP packet follows the IP header, along with the three fields that are present in both versions.
When communicating information, both ICMP and ICMPv6 packets will follow an IP packet, as shown in the following diagram:
All ICMP messages have a common structure that begins with the type, code, and checksum, as shown along the top of the following diagram:
The three fields consistent in an ICMP header are described as follows:
Following the type, code, and checksum field values, you'll find the data payload. The contents will depend on the ICMP type and code, which can be either an ICMP error report or query message.
The entire payload is encapsulated in a frame, as shown in the following diagram:
Here we see the various headers, which include the frame header, IP header, ICMP message, data, and Frame Check Sequence (FCS).
Note
ICMP does not have a transport layer header, as it does not exchange or transport data. Its primary role is to test for reachability and report transmission errors.
To examine several examples of ICMP in detail, we will use the bigFlows.pcap packet capture found at http://tcpreplay.appneta.com/wiki/captures.html#bigflows-pcap. Download the file and open it in Wireshark. Once open, apply the icmp filter. Select any of the ICMP packets and you will see the Type, Code, and Checksum fields. As shown here, we see the specifics of Frame 202:
In the frame details, we see the following:
As shown in Figure 12.5, the details for this type of ICMP message include fields for identifiers and sequence numbers that help to match echo requests with their replies. This information is used by the host to reconstruct the process that sent the original datagram.
After the Type, Code, and Checksum fields, there is a data portion within the ICMP message. The following section explains what you might find in the data payload.
In an ICMP datagram, the payload is dependent on the type of message. In a standard ICMP request/reply, the data payload is meaningless and will have either ASCII characters or NULL values, depending on the Operating System (OS).
In this section, we'll explore the different payloads you might encounter in an ICMP packet. In addition to data, an ICMP payload can include a watermark, or even evidence of concealed data, such as what you might see in a Loki attack.
Let's start with reviewing what you might see in an ICMP echo request.
To see an example of an echo request, open bigFlows.pcap, and then go to Frame 38, which shows a Type 8, Code 0 message. Expand the ICMP header, as shown in the following screenshot:
For example, in the echo request shown in Frame 38, the data portion is the following string of characters:
00000000138a1a34abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
In addition, you should see a similar payload in a standard ICMP reply, which you can see in Frame 74.
While in an echo request/reply you will see a string of characters, an error message has a different format for the payload. Let's take a look.
Whenever ICMP encounters an error, ICMP must return the IP header, plus at least the first 8 bytes (or 64 bits) of the original datagram, to the sender.
Note
The whole length of an ICMP error message cannot exceed 576 bytes.
To see an example, open bigFlows.pcap and use the icmp.type == 3 filter, which will display all ICMP packets with a Type 3: Destination unreachable error message.
Select Frame 4794 and expand the ICMP header where you will see the ICMP Type: 3 (Destination unreachable) Code: 3 (Port unreachable) fields, as shown here in the first section:
Because this is an error, ICMP has returned the IP header and the original datagram. As you can see, there are several parts to the ICMP packet, as follows:
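The following Python script is an added example, not code from the book or a packet taken from bigFlows.pcap. It decodes the three fields common to every ICMP message (type, code, and checksum, as described earlier), verifies the RFC 1071 checksum, pulls the identifier and sequence number out of an echo request, and, for an error message such as the Type 3 Code 3 seen in Frame 4794, recovers the quoted IP header and the first 8 bytes of the original datagram. The two sample messages (an echo request with an identifier of 0x1234 and a port-unreachable error quoting a UDP probe from 10.0.0.5 to 10.0.0.9) are constructed here so that the script runs offline:

```python
import ipaddress
import struct

# ICMP (IPv4) types whose payload carries the offending IP header plus at
# least the first 8 bytes of the original datagram (RFC 792).
ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
               11: "Time Exceeded", 12: "Parameter Problem"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the IPv4 header fields needed to identify the original datagram."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    return {"ihl": ihl, "ttl": data[8], "protocol": data[9],
            "src": str(ipaddress.IPv4Address(data[12:16])),
            "dst": str(ipaddress.IPv4Address(data[16:20]))}


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message into type, code, checksum and type-specific fields."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum")
    icmp_type, code, checksum = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "code": code, "checksum": checksum,
            # Summing the whole message, checksum field included, yields 0 when intact.
            "checksum_ok": internet_checksum(msg) == 0}
    if icmp_type in (0, 8):  # Echo Reply / Echo Request
        ident, seq = struct.unpack("!HH", msg[4:8])
        info.update(identifier=ident, sequence=seq, data=msg[8:])
    elif icmp_type in ERROR_TYPES:
        inner = msg[8:]  # bytes 4-7 are unused or type-specific (e.g. the Redirect gateway)
        original_ip = parse_ipv4_header(inner)
        first8 = inner[original_ip["ihl"]:original_ip["ihl"] + 8]
        if len(first8) < 8:
            raise ValueError("error message lacks the first 8 bytes of the original datagram")
        info.update(error=ERROR_TYPES[icmp_type], original_ip=original_ip,
                    original_first8=first8)
        if original_ip["protocol"] in (6, 17):  # TCP/UDP: the 8 bytes start with the ports
            info["src_port"], info["dst_port"] = struct.unpack("!HH", first8[:4])
    return info


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum (used to build the samples)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, internet_checksum(body)) + rest + payload


def build_ipv4_header(src: str, dst: str, protocol: int, total_length: int,
                      ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with its checksum filled in (sample data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0, ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


# Constructed samples (not taken from bigFlows.pcap).
SAMPLE_ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdabcdabcdabcd")
# A UDP probe from 10.0.0.5:40000 to 10.0.0.9:33434 hit a closed port, so the
# receiver answers with Type 3 Code 3 and quotes the IP header plus the UDP header.
_udp_header = struct.pack("!HHHH", 40000, 33434, 36, 0)  # src port, dst port, length, checksum
SAMPLE_PORT_UNREACHABLE = build_icmp(
    3, 3, b"\x00\x00\x00\x00",
    build_ipv4_header("10.0.0.5", "10.0.0.9", 17, 20 + 36) + _udp_header)

if __name__ == "__main__":
    print(parse_icmp(SAMPLE_ECHO_REQUEST))
    print(parse_icmp(SAMPLE_PORT_UNREACHABLE))
```

The checksum check relies on a property of the one's-complement sum: adding up every 16-bit word of an intact message, including the checksum field itself, gives all ones, so the complement is zero. Flip any byte of the data and the check fails, which is what the assertion on a corrupted copy verifies.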
In most cases, the only ICMP payload you might encounter is an echo request/reply along with error messages. However, there are other instances in which you might see a payload. Let's explore when this might happen.
ICMP was designed to issue queries and communicate errors on a network. However, over time, ICMP has been used for other purposes, as the data portion in an ICMP request can be modified. One way is by using a non-malicious watermark to identify a company while monitoring the network. Another way is the malicious intent to exfiltrate data by using an ICMP tunnel.
Let's start by seeing how a watermark is used.
Paessler, a network monitoring company (https://www.paessler.com/ping-monitoring), uses ping monitoring to assess the health of the devices on the network. When gathering packets while in Wireshark, you'll see that Paessler's packets have a watermark, as shown in the following screenshot:
In the Packet Bytes panel, you can see in the lower right-hand side an area that is highlighted. The data is as follows: P•I•N•G• •b•y• •P•R•T•G• •N•.
In this case, the watermark is not malicious. However, an ICMP packet can be modified to send data covertly, as we'll see next.
Malicious actors have found numerous ways to conceal their activity. One way to send commands through a network is by using a Loki tool to execute a covert channel attack, which works in the following manner:
Instead of the watermark as described in the previous section, this type of activity poses a security risk. As a result, the network administrator should tune devices to enable the inspection of ICMP data. If found, the device should send an alert if the payload contains an unrecognized data pattern, as this may be an indication of a covert ICMP tunnel.
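The following Python script is an added example, not code from the book or from any monitoring vendor; it shows the kind of payload inspection the paragraph above recommends. It classifies the data bytes of an echo request or reply against a baseline of known fill patterns and flags anything unrecognized, with a stronger alert when the payload looks like random or encrypted data. The baseline patterns are assumptions: the Windows ping.exe cycle of a to w, the Linux iputils layout of a timestamp followed by bytes counting up from 0x10, and the PRTG watermark, which the screenshot shows with a null byte after each character and is therefore treated here as UTF-16-LE text. All sample payloads are constructed:

```python
import hashlib
import math
from collections import Counter

# Baseline payloads (assumed defaults; add your own tools' patterns to this list).
WINDOWS_FILL = bytes(ord("a") + i % 23 for i in range(32))  # "abcdefghijklmnopqrstuvwabcdefghi"
PRTG_WATERMARK_PREFIX = "PING by PRTG".encode("utf-16-le")   # "P.I.N.G. .b.y. .P.R.T.G." in Wireshark
HIGH_ENTROPY_RATIO = 0.85  # fraction of the maximum possible entropy for the payload length


def looks_like_windows_ping(data: bytes) -> bool:
    # ping.exe cycles through 'a'..'w'; the -l option only makes the cycle longer.
    return data == bytes(ord("a") + i % 23 for i in range(len(data)))


def looks_like_linux_ping(data: bytes) -> bool:
    # iputils ping: an 8- or 16-byte timestamp, then bytes counting up from 0x10.
    for ts_len in (8, 16):
        rest = data[ts_len:]
        if rest and rest == bytes((0x10 + i) & 0xFF for i in range(len(rest))):
            return True
    return False


def entropy_ratio(data: bytes) -> float:
    """Shannon entropy of the bytes divided by the maximum possible for this length."""
    if len(data) < 2:
        return 0.0
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return entropy / math.log2(min(n, 256))


def classify_icmp_data(data: bytes) -> tuple:
    """Return (verdict, reason) for the data bytes of an echo request or reply."""
    if not data:
        return "benign", "empty payload"
    if looks_like_windows_ping(data):
        return "benign", "Windows ping fill pattern"
    if looks_like_linux_ping(data):
        return "benign", "Linux ping timestamp and fill pattern"
    if data.startswith(PRTG_WATERMARK_PREFIX):
        return "benign", "PRTG monitoring watermark"
    ratio = entropy_ratio(data)
    if ratio >= HIGH_ENTROPY_RATIO:
        return "alert", f"high-entropy payload ({ratio:.2f} of max): possible covert tunnel"
    return "review", f"unrecognized payload pattern ({ratio:.2f} of max entropy)"


# Constructed samples.
WINDOWS_SAMPLE = WINDOWS_FILL
LINUX_SAMPLE = bytes(16) + bytes(range(0x10, 0x38))
PRTG_SAMPLE = "PING by PRTG N".encode("utf-16-le")
# 512 bytes of SHA-256 output stand in for encrypted tunnel data.
RANDOM_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
LABEL_SAMPLE = b"site-42 probe " * 3  # unknown but clearly structured text

if __name__ == "__main__":
    for name, sample in [("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE),
                         ("prtg", PRTG_SAMPLE), ("random", RANDOM_SAMPLE),
                         ("label", LABEL_SAMPLE)]:
        print(name, classify_icmp_data(sample))
```

The entropy ratio is normalized to the payload length because a short payload cannot reach 8 bits per byte even when random. A payload like the abcd pattern in Frame 38 would land in the review bucket until it is added to the baseline, which is the intended behaviour: the device alerts on what it does not recognize, and the analyst decides whether to whitelist it.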
We can now see that ICMP is an essential network layer protocol that is used alongside both IPv4 and IPv6 to provide error reporting and informational messages. Next, let's compare the two versions, ICMP and ICMPv6.
Although IPv4 and IPv6 are both responsible for routing and addressing data, the two protocols have a number of differences. As a result, there are two versions of ICMP.
In the next section, we'll explore ICMP alongside ICMPv6 so that you understand some of the basic roles and functions in reporting network issues.
Let's start with ICMP, which is used with IPv4.
ICMP is used alongside IPv4 to communicate network issues that prevent data from being delivered. ICMP error and query messages can alert end systems when there are issues with connectivity and can also obtain diagnostic information from intermediary systems, such as the round-trip time.
As powerful as ICMP is, it cannot make IP a reliable protocol; it only assists in data delivery by providing error messages and information. Some causes of delay in data transmission lie outside what ICMP can detect and report. In that case, it's up to the Transmission Control Protocol (TCP), or another higher-layer protocol, to notify the host of transmission errors during delivery.
Next, let's take a look at ICMPv6, which has many of the same functions but also provides additional roles to support IPv6.
While IPv4 and IPv6 are similar in terms of their overall functions, IPv6 has many additional benefits, which include the following:
As a result, ICMPv6 was developed for IPv6 and is used to communicate updates or error messages. An ICMPv6 message contains the Type, Code, and Checksum details, followed by the contents, which will depend on the type and the code. However, ICMPv6 has options related to IPv6 traffic.
One example is an ICMPv6 router solicitation message, which alerts other routers on the network of their presence. To see an example of ICMPv6 messages communicating to other devices on the network, go to CloudShark: https://www.cloudshark.org/captures/0f90f2c2de86?filter=frame%20and%20eth%20and%20ipv6%20and%20icmpv6.
Download and open test55.pcap in Wireshark. In the display filter, enter icmpv6 and press Enter to run the filter. In the following screenshot, Frame 63 has an ICMPv6 router solicitation message:
Note
The IPv6 destination address ff02::2 is a multicast address; a multicast address delivers a packet to all nodes on a network using a single address.
Both ICMP and ICMPv6 can provide insight into network activity. The next section explores the two main functions of ICMP: reporting errors and queries.
ICMP messages are grouped into two categories: error reporting and queries. Some messages are specific to each version; however, a few are common to both versions, as shown here:
For both categories, each ICMP packet has type, code, and checksum fields. The payload for queries is different from error messages, as each has a different purpose, as we'll see in the following sections.
Let's start with a review of how ICMP reports errors.
ICMP error messages report on network issues that prevent data from being delivered. Commonly sent error messages are grouped into categories that have a specific purpose, and include the following:
Next, let's take a look at examples of some of the errors that you might see in your network.
We have already seen an example of a Destination Unreachable message in the Investigating the data payload section. Another error is Time Exceeded. To see an example of this error, open bigFlows.pcap, and then go to Frame 7217, which shows a Type 11, Code 0 message. Expand the ICMP header, as shown in the following screenshot:
In this case, once the packet hits the router, the TTL will have reached zero, and that will trigger the ICMP error.
Another example is a Parameter Problem error message. We can find this by going to CloudShark: https://www.cloudshark.org/captures/bed61f75bde3. Download and open alive6-1.pcap in Wireshark. Go to Frame 3 and expand the ICMPv6 header, as shown:
In this case, the error message is Type: Parameter Problem (4) Code: 2 (unrecognized IPv6 option encountered).
As discussed, ICMPv6 has many of the same functions as ICMP but also provides additional reporting to support IPv6. One of the ICMPv6-specific messages is Packet Too Big. Let's take a look.
In addition to the three error messages reported in IPv4, ICMPv6 includes another error, Packet Too Big, as shown in this diagram listing some of the ICMPv6 error messages:
As we learned in Chapter 11, Analyzing IPv4 and IPv6, the payload length is a field value in IPv6. The packet size is monitored as the data travels through the network. If the packet is too large, ICMPv6 will report the Packet Too Big error. This error is sent when a device cannot send the data, as the packet is larger than the Maximum Transmission Unit (MTU) of the outgoing link.
To see an example of an ICMPv6 Packet Too Big message, go to CloudShark: https://www.cloudshark.org/captures/7dd0b50eb768. Download and open packet too big.pcap in Wireshark. Once open, go to Frame 3 and expand the ICMPv6 header, as shown here:
Because of the complexity of the network, sometimes it's hard to avoid this error. Let's see what options we have when the payload is too big for the MTU.
When sending data, most OSs employ Path MTU Discovery (PMTUD), a process used to determine what size packet is allowed to travel on the network segment. If the packet is too big, the router will send an ICMPv6 Packet Too Big message back to the host. In that case, one of two things must be done:
Fragmenting the packet solves the problem of the packet being too big, as the pieces can then be sent out onto the network. As we know, the IPv6 header has no fragmentation fields and IPv6 is designed to avoid fragmentation; however, a packet can still be fragmented by using an extension header. You can see an example of the Fragment Header for IPv6 extension header in the last line of Figure 12.14.
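The following Python script is an added example, not code from the book or from any operating system's IP stack. It walks through both halves of the Packet Too Big story: a PathMtu class that lowers its estimate when a Packet Too Big message (Type 2, Code 0, carrying the MTU in the 32-bit field after the checksum) arrives, and a fragment_payload function that splits data into pieces carrying the Fragment extension header (Next Header value 44, 13-bit offset in 8-byte units, M flag, 32-bit identification). The clamp to 1280 bytes is the IPv6 minimum link MTU from RFC 8200 and is the caveat a practitioner should keep in mind: a bogus or spoofed Packet Too Big cannot push a host below it. The checksum is not verified here because it covers an IPv6 pseudo-header, which needs the enclosing packet's addresses. The sample MTU values and the 2048-byte payload are constructed:

```python
import struct

IPV6_MIN_MTU = 1280        # RFC 8200: every IPv6 link must carry at least this
IPV6_HEADER_LEN = 40
FRAGMENT_HEADER_LEN = 8
NEXT_HEADER_FRAGMENT = 44  # value in the preceding header's Next Header field


def parse_packet_too_big(msg: bytes) -> int:
    """Return the MTU advertised by an ICMPv6 Packet Too Big message (Type 2, Code 0)."""
    if len(msg) < 8:
        raise ValueError("ICMPv6 message shorter than 8 bytes")
    icmp_type, code, _checksum, mtu = struct.unpack("!BBHI", msg[:8])
    if icmp_type != 2 or code != 0:
        raise ValueError(f"not Packet Too Big: type {icmp_type} code {code}")
    return mtu


def build_packet_too_big(mtu: int) -> bytes:
    """Assemble a PTB message for the samples (checksum left 0, see the lead-in)."""
    return struct.pack("!BBHI", 2, 0, 0, mtu)


class PathMtu:
    """Per-destination path MTU estimate maintained the way PMTUD does."""

    def __init__(self, link_mtu: int = 1500):
        self.mtu = link_mtu

    def on_packet_too_big(self, msg: bytes) -> int:
        advertised = parse_packet_too_big(msg)
        # A PTB may only lower the estimate, and never below the IPv6 minimum,
        # so a forged PTB cannot shrink packets to nothing.
        candidate = max(advertised, IPV6_MIN_MTU)
        if candidate < self.mtu:
            self.mtu = candidate
        return self.mtu


def fragment_payload(payload: bytes, path_mtu: int, identification: int,
                     next_header: int = 17) -> list:
    """Split an upper-layer payload into Fragment-header-prefixed pieces (RFC 8200 4.5).

    Each item is Fragment header + data; the caller prepends the 40-byte IPv6
    header with Next Header = 44. Every fragment but the last carries a multiple
    of 8 bytes, because the offset field counts 8-byte units.
    """
    per_fragment = path_mtu - IPV6_HEADER_LEN - FRAGMENT_HEADER_LEN
    per_fragment -= per_fragment % 8
    if per_fragment <= 0:
        raise ValueError("path MTU too small to carry a fragment")
    fragments, offset = [], 0
    while True:
        chunk = payload[offset:offset + per_fragment]
        more = offset + per_fragment < len(payload)
        offset_and_flags = ((offset // 8) << 3) | (1 if more else 0)  # offset, 2 reserved bits, M
        header = struct.pack("!BBHI", next_header, 0, offset_and_flags, identification)
        fragments.append(header + chunk)
        if not more:
            return fragments
        offset += per_fragment


def parse_fragment_header(fragment: bytes) -> dict:
    """Decode the 8-byte Fragment extension header in front of a piece of data."""
    next_header, _reserved, offset_and_flags, ident = struct.unpack("!BBHI", fragment[:8])
    return {"next_header": next_header, "offset": (offset_and_flags >> 3) * 8,
            "more": bool(offset_and_flags & 1), "identification": ident,
            "data": fragment[8:]}


def reassemble(fragments: list) -> bytes:
    """Put the pieces back together in offset order (used to check the round trip)."""
    pieces = {parse_fragment_header(f)["offset"]: parse_fragment_header(f)["data"]
              for f in fragments}
    return b"".join(pieces[key] for key in sorted(pieces))


if __name__ == "__main__":
    pm = PathMtu(1500)
    print("path MTU after PTB(1400):", pm.on_packet_too_big(build_packet_too_big(1400)))
    print("path MTU after PTB(900):", pm.on_packet_too_big(build_packet_too_big(900)))
    for frag in fragment_payload(bytes(range(256)) * 8, pm.mtu, 0xABCD):
        print(parse_fragment_header(frag)["offset"], len(frag) + IPV6_HEADER_LEN)
```

With a path MTU of 1280, each fragment carries 1232 bytes of data (1280 minus the 40-byte IPv6 header and the 8-byte Fragment header, already a multiple of 8), so the 2048-byte sample becomes two fragments of 1232 and 816 bytes, and the reassembled result matches the original. This is also why many firewalls treat fragments warily, as the note below explains: the receiver must buffer every piece until the last one arrives.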
Note
Many devices on the network will block a fragmented packet, and for good reason. Fragmentation puts additional strain on a device and can pose a security risk.
ICMP error messages provide additional information so that the host can see exactly what happened. Errors are received and acted upon by TCP, IP, or user applications. However, in some cases, ICMP messages are ignored.
In addition to sending error messages, ICMP can also request and provide information, as discussed in the following section.
An ICMP query has two messages (a request and a reply) that work together and have a specific purpose: to provide status updates and information.
Two examples of requests and replies are as follows:
On a network that is primarily using IPv4, most ICMP messages provide enough information. However, to assist IPv6 in delivering data, ICMPv6 needs to provide information specific to IPv6, as we'll see next.
Although ICMP and ICMPv6 are similar in many ways, ICMPv6 has more responsibilities. The reason for this is that IPv6 no longer uses ARP broadcasts or the Internet Group Management Protocol (IGMP). As a result, ICMPv6 provides additional services to communicate issues on the network, as shown in the following diagram:
Some of the messages unique to ICMPv6 are as follows:
To see an example of the many ICMPv6 messages communicating to other devices on the network, open test55.pcap in Wireshark. In the display filter, enter icmpv6 and press Enter to run the filter.
Create a flow graph by completing the following steps:
The results are as shown in the following screenshot:
Within the flow graph, you can see Multicast Listener Report and Router Solicitation ICMPv6 packets.
Some of the ICMPv6 reports have additional details. For example, in a separate capture file we can see the details provided in a single report as shown here:
Another example of how ICMPv6 communicates on the network is the use of neighbor solicitation. Here is a host that has lost the connection to the gateway. To establish a connection, the host in Frame 99 sends out multicast Neighbor Solicitation messages on the network, as shown in the following screenshot:
The reason you see multiple ICMPv6 packets is that the host is unable to reach the gateway. The Neighbor Solicitation messages will continue until the connection is restored.
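The following Python script is an added example, not code from the book or from test55.pcap. It parses the two Neighbor Discovery messages seen in the screenshots, Neighbor Solicitation (Type 135) and Neighbor Advertisement (Type 136), including the target address and the link-layer address options that follow it, and then keeps a count of solicitations per target that no advertisement has answered. That count is the signal behind the repeated Frame 99 messages: a target solicited again and again without a reply is a gateway the host cannot reach. The checksum is left at zero in the constructed samples because it covers an IPv6 pseudo-header; the gateway address fe80::1 and the MAC addresses in the 00:00:5e:00:53:xx documentation range are constructed:

```python
import ipaddress
import struct

ND_NEIGHBOR_SOLICITATION = 135
ND_NEIGHBOR_ADVERTISEMENT = 136
OPTION_NAMES = {1: "source_link_layer", 2: "target_link_layer"}


def parse_nd_options(data: bytes) -> dict:
    """Decode the TLV options after an NS/NA target (length field in 8-byte units)."""
    options, pos = {}, 0
    while pos + 2 <= len(data):
        opt_type, opt_len = data[pos], data[pos + 1]
        if opt_len == 0:
            raise ValueError("ND option with zero length")  # RFC 4861: discard the packet
        body = data[pos + 2:pos + opt_len * 8]
        if opt_type in OPTION_NAMES:
            options[OPTION_NAMES[opt_type]] = ":".join(f"{b:02x}" for b in body)
        pos += opt_len * 8
    return options


def parse_neighbor_message(msg: bytes) -> dict:
    """Parse an ICMPv6 Neighbor Solicitation (135) or Neighbor Advertisement (136)."""
    if len(msg) < 24:
        raise ValueError("NS/NA shorter than 24 bytes")
    icmp_type, code, _checksum, flags = struct.unpack("!BBHI", msg[:8])
    if icmp_type not in (ND_NEIGHBOR_SOLICITATION, ND_NEIGHBOR_ADVERTISEMENT) or code != 0:
        raise ValueError(f"not an NS/NA: type {icmp_type} code {code}")
    info = {"type": icmp_type, "target": str(ipaddress.IPv6Address(msg[8:24])),
            "options": parse_nd_options(msg[24:])}
    if icmp_type == ND_NEIGHBOR_ADVERTISEMENT:
        # R (router), S (solicited) and O (override) flags lead the 32-bit word.
        info.update(router=bool(flags & 0x80000000), solicited=bool(flags & 0x40000000),
                    override=bool(flags & 0x20000000))
    return info


class UnansweredSolicitations:
    """Count NS messages per target that no NA has answered yet."""

    def __init__(self):
        self.pending = {}

    def observe(self, msg: bytes) -> int:
        """Feed one NS/NA; return how many solicitations for its target remain unanswered."""
        info = parse_neighbor_message(msg)
        if info["type"] == ND_NEIGHBOR_SOLICITATION:
            self.pending[info["target"]] = self.pending.get(info["target"], 0) + 1
        else:
            self.pending.pop(info["target"], None)
        return self.pending.get(info["target"], 0)

    def stalled(self, threshold: int = 3) -> list:
        """Targets solicited at least `threshold` times with no advertisement seen."""
        return sorted(t for t, n in self.pending.items() if n >= threshold)


def build_neighbor_message(icmp_type: int, target: str, flags: int = 0, option=None) -> bytes:
    """Assemble an NS/NA for the samples below (checksum left 0, see the lead-in)."""
    msg = struct.pack("!BBHI", icmp_type, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    if option:
        opt_type, mac = option  # one 8-byte option: type, length=1, 6-byte MAC
        msg += bytes([opt_type, 1]) + bytes.fromhex(mac.replace(":", ""))
    return msg


# Constructed samples: a host asks for the gateway's MAC; the gateway eventually answers.
GATEWAY = "fe80::1"
SAMPLE_NS = build_neighbor_message(ND_NEIGHBOR_SOLICITATION, GATEWAY,
                                   option=(1, "00:00:5e:00:53:01"))
SAMPLE_NA = build_neighbor_message(ND_NEIGHBOR_ADVERTISEMENT, GATEWAY, flags=0xE0000000,
                                   option=(2, "00:00:5e:00:53:fe"))
```

Feeding the tracker three copies of SAMPLE_NS puts fe80::1 on the stalled list; one SAMPLE_NA clears it, which is the moment the connection in the screenshot would be restored.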
As you can see, ICMPv6 is a powerful protocol. In addition to error and information messages, ICMPv6 provides additional information and works with IPv6 to maintain connectivity.
As discussed, ICMP headers hold a value for type and code. Let's take a look at these two fields in order to help us understand what ICMP is trying to tell us.
The original objective of ICMP was to provide updates on network status and other informational messages. In this section, we'll review the type and code values for ICMP and ICMPv6. Let's start with ICMP.
ICMP has been used for IPv4 for many years. There are many different types of ICMP messages, some of which should look familiar, such as these:
Some, but not all, ICMP types have a corresponding set of code values that further define the ICMP message. For example, Type 3 and Type 9 both have a set of code values.
Type 3 (destination unreachable) has many code values and includes the following:
Type 9 (router advertisement) only has two code values:
The type and code are the first two fields in an ICMP message and are used to convey information. For example, in Frame 543, ICMP has returned an ICMP Type: 3 and Code: 13, as shown in the following screenshot:
When ICMP returns Type: 3 Destination Unreachable Code: 13 (Communication Administratively Prohibited), this means a firewall is blocking the request.
As we have learned, ICMP headers hold a value for type and code to convey information on what is happening on the network. However, some of the ICMP types are no longer used and are deprecated. Let's explore this.
While ICMP lists multiple type values, many are no longer in use because over time they have been found to be ineffective. The outdated and ineffective types are considered deprecated. The following are some of the deprecated ICMP types:
Using deprecated ICMP type values is discouraged. To read more on best practices when dealing with ICMP type and code values, visit RFC 7279, found at https://datatracker.ietf.org/doc/html/rfc7279/.
Along with ICMP for IPv4, ICMPv6 is used to communicate updates or error messages and has its own set of type and code values. In the next section, we'll review some of the values for ICMPv6.
Because ICMPv6 provides additional data on IPv6 router and host configuration, you'll find specific type values that help provide this information.
A short list of ICMPv6 type values includes the following:
In some cases, the type will have a corresponding code value to further define the message, similar to IPv4. If the type does not have a corresponding code value, the field value will be set to 0, as shown in Figure 12.17.
The following are examples of the various type and corresponding code values for ICMPv6.
Type 1 (destination unreachable) has several code values. Some of them are as follows:
Type 3 (time exceeded) has two codes, as follows:
As we have learned, ICMP can provide a great deal of information about a network; therefore, it's important to understand that this protocol can also be used in malicious ways. As a result, firewall rules should be tuned to prevent malicious activity, as outlined in the next section.
ICMP supports IP to help ensure data delivery; however, it can also be used in malicious ways. For example, ICMP can be used to conduct reconnaissance as a precursor to an attack, or even to help evade firewall rules. In this section, we'll provide an example of how ICMP can be used to obtain information on the network or to redirect traffic. Then, we'll evaluate some of the firewall rules used to limit the effectiveness of an attack.
Let's start with a brief discussion on a few attacks using ICMP.
ICMP can determine a great deal of information about a network. As a result, it can be used as an effective scanning tool. In addition, if security devices aren't tuned to disallow certain types of ICMP packets, you may be the victim of an attack, such as a Distributed Denial of Service (DDoS) or redirect attack.
First, let's start with an overview of a ping sweep, a technique used to see which network hosts might be awake and responding.
Malicious actors use various techniques to scan a network for vulnerable hosts prior to an attack. One way is by using ICMP ping packets to determine which hosts are alive and responding. A ping sweep (or ping scan) uses a series of ICMP echo request packets on a local area network to see what hosts are alive and responding. As shown in the following diagram, the attacker sends a series of ping packets on the network. Once sent, the attacker then waits for a response from a host, in the form of an echo reply, indicating it is alive:
Once a responding host is identified, the attacker will send more advanced probes to obtain additional information about the host.
Along with using a series of echo requests/replies, there are several ICMP queries that malicious actors can use to scout information before launching an attack. To see an example of using ICMP packets to probe a network, go to CloudShark: https://www.cloudshark.org/captures/51eabf15169e.
Download and open sniffer_cybercop_scan_1-4223.cap in Wireshark. In the display filter, enter ((ip.src == 192.168.10.33) && (icmp)) && !(ip.src == 192.168.10.138) and press Enter to run the filter, which will then display 12 packets. Create a flow graph by completing the following steps:
The results are as shown in the following screenshot:
In this flow graph, we see how the malicious actor at 192.168.10.33 sends various ICMP messages to the 192.168.10.138 host. In addition to ICMP request packets, the malicious actor also uses timestamp and address mask requests. This type of probe sends various ICMP packets with the hope of getting a reply to help the scanning software rule out different OSs along with other information on the host.
Next, we'll take a look at another type of attack that uses an ICMP redirect message to redirect traffic.
While ICMP is designed to help data move on the network, malicious actors have found ways to use certain types of messages to launch an attack.
ICMP and ICMPv6 both have redirect messages:
When used to launch an attack, the malicious actor crafts specially designed redirect messages that can be used to modify the routing tables. The message contains information indicating there is a more optimal route to send traffic. Once the attack is set, the malicious actor poses as a router and sends the specially crafted ICMP message out on the network.
To see an example of using an ICMP redirect packet, go to https://github.com/bro/bro/blob/master/testing/btest/Traces/icmp/icmp6-redirect.pcap. In the middle of the page, select View Raw, and then open icmp6-redirect.pcap in Wireshark. There is only one packet. Expand both the IP and ICMP headers, as shown in this screenshot:
Once the host receives the redirect message, the traffic will be redirected to the malicious actor. The malicious actor can then intercept traffic to obtain sensitive information, redirect traffic to another server, or prepare for a more advanced attack.
The last attack we'll cover is an IP/ICMP fragmentation DDoS.
One of the ways to disrupt a business is by launching a DDoS. One type of attack that can be launched on an internal network is a volumetric DDoS, which seeks to flood a device or network with so much traffic that it consumes all the resources and locks out legitimate traffic.
One example is a fragmented IP/ICMP volumetric DDoS attack. To look at an example of what you might see during this type of attack, go to https://www.cloudshark.org/captures/962444a14a56. Download and open fragmented-icmp-traffic.pcapng in Wireshark. Once open, you will see the following:
Within this capture, you will see the following:
This means the host at 192.168.12.2 must continually reassemble the fragmented packets, which will require additional resources.
If you expand the IP header in Frame 1, you will see the following:
As illustrated by (1), the protocol that follows the IP header is Protocol: ICMP (1). We also see by (2) that the packet is [Reassembled IPv4 in frame: 2].
The fragmented-icmp-traffic.pcapng capture only has 20 packets; however, if the attack were to continue, this could result in the device being unable to respond to legitimate hosts.
As evidenced, ICMP can be used to obtain information on hosts and act in a malicious manner. As a result, it's best to be aware of the various types and only allow ICMP packets that are absolutely necessary, as we'll see in the next section.
Because ICMP can affect the operation of important system functions and obtain configuration information, hackers use ICMP messages while conducting reconnaissance on a network or during an active attack. As a result, best practices can include the following:
While ICMP can be used maliciously, we must remember that diagnostic utilities, such as Ping and Tracert, require ICMP. As a result, a network administrator must decide what types of ICMP packets should be allowed on a network. When setting up your firewall, keep in mind the only essential ICMP traffic is Destination Unreachable (Type 3 for ICMP and Type 1 for ICMPv6), along with the corresponding codes.
All other ICMP types are optional, depending on whether you would like to allow them on your network. Depending on your organization, other types that are allowed can include the following:
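The following Python script is an added example, not code from the book or from any firewall product; it is a reference model of the policy described above that you can compare your firewall's rule set against. It applies a default-deny allow list in which Destination Unreachable (Type 3 for ICMP, Type 1 for ICMPv6) is always permitted, every other type is opt-in, and echo requests are further limited per source with a token bucket, which is the kind of rate limit that blunts the volumetric floods covered earlier. The opt-in set used here (echo, Time Exceeded for traceroute, and the ICMPv6 Packet Too Big and Neighbor Discovery messages that IPv6 needs to function) is an assumption; note that Redirect (Type 5 and Type 137) and the deprecated query types are not on it and so are dropped. The rate, burst, and sample sources are constructed:

```python
# Essential per the page: Destination Unreachable, for both IP versions.
ESSENTIAL = {4: {3}, 6: {1}}
# Opt-in defaults (assumption): ping and traceroute for IPv4; PTB, Time Exceeded,
# Parameter Problem, echo, and the Neighbor Discovery messages for IPv6.
OPTIONAL_DEFAULT = {
    4: {0, 8, 11},
    6: {2, 3, 4, 128, 129, 133, 134, 135, 136},
}
ECHO_REQUEST_TYPES = {(4, 8), (6, 128)}


class IcmpPolicy:
    """Default-deny ICMP filter with a per-source token bucket for echo requests."""

    def __init__(self, optional=None, echo_per_second: float = 5.0, burst: int = 10):
        opt = OPTIONAL_DEFAULT if optional is None else optional
        self.allowed = {v: set(ESSENTIAL[v]) | set(opt.get(v, ())) for v in (4, 6)}
        self.rate, self.burst = echo_per_second, burst
        self.buckets = {}  # src -> (tokens, last_update_time)

    def _take_token(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)  # refill
        if tokens < 1:
            self.buckets[src] = (tokens, now)
            return False
        self.buckets[src] = (tokens - 1, now)
        return True

    def decide(self, version: int, icmp_type: int, src: str, now: float) -> tuple:
        """Return ('accept' | 'drop', reason) for one ICMP packet."""
        if icmp_type not in self.allowed.get(version, ()):
            return "drop", f"ICMPv{version} type {icmp_type} is not on the allow list"
        if (version, icmp_type) in ECHO_REQUEST_TYPES and not self._take_token(src, now):
            return "drop", f"echo request from {src} exceeds {self.rate:g}/s limit"
        return "accept", f"ICMPv{version} type {icmp_type} allowed"


if __name__ == "__main__":
    policy = IcmpPolicy()
    for pkt in [(4, 3, "10.0.0.1"), (4, 5, "10.0.0.1"), (4, 17, "10.0.0.1"),
                (6, 1, "fe80::1"), (6, 137, "fe80::1")]:
        print(pkt, policy.decide(*pkt, now=0.0))
    print("burst of 12 pings:", [policy.decide(4, 8, "10.0.0.7", 0.0)[0] for _ in range(12)])
```

On a real firewall the same intent is expressed with a per-type accept rule and the platform's rate-limit match; the model makes the two decisions explicit so you can check that your rule order matches: type first, then the limit, then the implicit drop.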
ICMP helps to ensure that data gets delivered; however, because it can also be used in malicious ways, you need to make sure that firewalls are properly tuned.
By now, you can see the many aspects of ICMP, which is a significant protocol in the TCP/IP suite. We looked at the purpose of ICMP, a method to communicate issues that prevent data delivery. We compared ICMP and ICMPv6, which have similar functions, but we now understand that ICMPv6 has a bigger role. So that you can use this protocol while troubleshooting, we discovered ICMP messages that communicate with hosts to report on transmission errors. In addition, we saw how query messages can be used to attempt to obtain information from a host.
To better understand the ICMP type and code values, we examined how they work when communicating information. In addition, we learned that there are some ICMP types that you will rarely see as they are now deprecated and/or not supported. By now, you should recognize that ICMP is a powerful protocol that helps to move traffic on a network, but can also be used in malicious ways. As a result, you should configure firewall rules that allow or deny specific ICMP types in order to reduce the threat of malicious ICMP traffic on the LAN.
In the next chapter, we'll take a closer look at examining Domain Name System (DNS) traffic with Wireshark. Using practical examples, you'll be able to understand how DNS works when resolving a hostname to an IP address. You'll discover what the field values are in a DNS header, along with stepping through a DNS request/response transaction. In addition, because DNS problems are common on many networks, we'll review tools that can help you calculate DNS response time using Wireshark, along with methods to secure DNS.
Now, it's time to check your knowledge. Select the best response, and then check your answers with those in the Assessments appendix:
Please refer to the following links for more information: