Download ICMP (Internet Control Message Protocol)

Document related concepts
no text concepts found
Transcript
ICMP
(Internet Control Message Protocol)
w.lilakiatsakun
Overview (1)
 RFC 792
 It is used by network devices, like routers, to send error
messages indicating, for example, that a requested
service is not available or that a host or router could not
be reached.
 ICMP errors are directed to the source IP address of the
originating packet
 For example, when TTL is 0, the packet is discarded and an
ICMP Time To Live exceeded in transit message is sent to the
datagram's source address.
Overview (2)
 Many commonly used network utilities are based on
ICMP messages.
 The traceroute command can be implemented by
transmitting IP datagrams with specially set IP TTL
header fields, and looking for ICMP Time to live
exceeded in transit (above) and "Destination
unreachable" messages generated in response.
 The related ping utility is implemented using the ICMP
"Echo request" and "Echo reply" messages.
ICMP Format
ICMP Header (1)
 Type ICMP type, see Control messages.
 Code ICMP subtype, see Control messages.
 Checksum
 Error checking data, calculated from the ICMP header and
data, with value 0 substituted for this field.
 The Internet Checksum is used, specified in RFC 1071.
 ICMP data
 ICMP data is vary based on the ICMP type and code.
ICMP Header (2)
 ICMP error messages contain a data section that
includes the entire IPv4 header, plus the first eight bytes
of data from the IPv4 packet that caused the error
message. The ICMP packet is then encapsulated in a
new IPv4 packet.
 The variable size of the ICMP packet data section has
been exploited. In the well-known "Ping of death," large
or fragmented ping packets are used for denial-ofservice attacks
ICMP Type (1)
ICMP Type (2)
ICMP Type (3)
ECHO /ECHO Reply (1)
 Echo and Echo Reply messages are normally used to
verify the existence of an end system or intermediate
system.
 The ICMP implementation in the receiver has to respond
to this Echo request by sending an Echo Replymessage.
 Echo and Echo Reply messages differ only in
the Type field:
 0x08 specifies an Echomessage and 0x00 specifies an Echo
Reply message. The Code value has to be set to 0x00 for
both types.
ECHO /ECHO Reply (2)
 RFC 792 does not define explicit values for the other
fields (i.e., Identifier, Sequence Number, and Data);
therefore, the application can set these fields
arbitrarily.
 The only thing the ICMP implementation has to
ensure is that these three fields are copied from
an Echo message to theEcho Reply message.
 The Data field can have an arbitrary length.
 For example, an ICMP application could use session
numbers for the Identifier field and increment the
sequence number for each Echo message it sends.
Destination Unreachable (1)
 Code = 0x00 (Network Unreachable): T
 The network of an IP packet's receiver is not
reachable.
 This can happen, for example, if the distance to the
receiver's network is set to infinite in the routing
table of a router.
 Code = 0x01 (Host Unreachable):
 The desired destination computer in the specified
network cannot be reached.
Destination Unreachable (2)
 Code = 0x02 (Protocol Unreachable):
 This message can be generated if another protocol listens to
the destination port specified in the TCP/UDP packet header.
 The message can be sent both by a router and by an end
system.
 Code = 0x03 (Port Unreachable):
 The port address of the receiver specified in the TCP/UDP
packet header is not reachable.
 The end system is "reachable" in this case, too, so both a
router and an end system can generate this message.
Destination Unreachable (3)
 Code = 0x04 (Fragmentation Needed):
 This ICMP packet can be sent if an IP packet has to be
fragmented in a router, but the Don't-Fragment flag is
set in the packet header, so that the packet may not be
fragmented.
 In this case, the router has to discard the IP packet.
 Code = 0x05 (Source Route Failed):
 If the IP packet option Source Routing is set and an error
occurs, then this ICMP message is returned to the
sender.
Time Exceed (1)
 Time Exceeded is generated and returned to the sender
if the lifetime of the IP packet has expired (i.e., its TTL
value is 0) and the packet was discarded. There could
occur either of the following two cases:
 Code = 0x00: A router sends this message if it discarded a
packet because its TTL had expired.
 Code = 0x01: An end system sends a message with this
code if it was unable to reassemble a fragmented IP
message correctly within a certain time, because
fragments were missing.
Time Exceed (1)
 As in the Destination Unreachable message, the
payload part in the Time Exceeded message includes
the IP header of the packet that caused the ICMP
message, plus the first 64 data bits from that packet.
 It is used by Traceroute Program
Ping (1)
 Ping operates by sending Internet Control Message
Protocol (ICMP) echo request packets to the target
host and waiting for an ICMP echo reply.
 It measures the round-trip time from transmission to
reception, reporting errors and packet loss.
 The results of the test usually include a statistical
summary of the response packets received, including
the minimum, maximum, the mean round-trip times,
and usually standard deviation of the mean.
Ping (2)
Ping (3)
 The payload of the packet is generally filled
with ASCII characters
 The payload includes a timestamp of when the
message was sent and a sequence number.
 This allows ping to compute the round trip time in
a stateless manner without needing to record
when packets were sent
Traceroute (1)
 The network diagnostic tool for displaying the route
(path) and measuring transit delays of packets across
an Internet Protocol (IP) network.
 The history of the route is recorded as the round-trip
times of the packets received from each successive
host (remote node) in the route (path); the sum of
the mean times in each hop indicates the total time
spent to establish the connection.
Traceroute (2)
 Traceroute proceeds unless all (three) sent packets
are lost more than twice, then the connection is lost
and the route cannot be evaluated.
 Ping, on the other hand, only computes the final
round-trip times from the destination point.
Traceroute (3)
Traceroute Implementation (1)
 Traceroute, by default, sends a sequence of User Datagram
Protocol (UDP) packets addressed to a destination host
 ICMP Echo Request or TCP SYN packets can also be used.
 The time-to-live (TTL) value, also known as hop limit, is used in
determining the intermediate routers being traversed
towards the destination.
 Routers decrement TTL values of packets by one when
routing and discard packets whose TTL value has reached
zero, returning the ICMP error message ICMP Time
Exceeded.
 Common default values for TTL are 128 (Windows OS) and 64
(Unix-based OS).
Traceroute Implementation (2)
 Traceroute works by sending packets with gradually
increasing TTL value, starting with TTL value of one.
 The first router receives the packet, decrements the TTL
value and drops the packet because it then has TTL value
zero.
 The router sends an ICMP Time Exceeded message back to
the source. The next set of packets are given a TTL value of
two, so the first router forwards the packets, but the
second router drops them and replies with ICMP Time
Exceeded.
Traceroute Implementation (3)
the traceroute utility uses User Datagram Protocol (UDP)
datagrams by default, with destination port numbers
ranging from 33434 to 33534.
Traceroute Implementation (4)
 The traceroute utility usually has an option to instead
use ICMP Echo Request (type 8) packets, like
the Windows tracert utility does, or to use TCP SYN
packets.
Use of ICMP
In a Non-Convention Way
 ICMP can be altered to act as conduit for evil
purposes.
 Some of the ways that ICMP can be used for purposes
other than the intended ones are:
 Reconnaissance
 Denial of Service
 Covert Channel
Reconnaissance (1)
 Reconnaissance is the first stage in the information
gathering process to discover live hosts and some
other essence information as part of most planned
attack.
Reconnaissance (2)
 By manipulating these ICMP messages, we are able to
gather substantial information in the process of
information gathering:
 Host Detection
 Network Topology
 ACL Detection
 Packet Filter Detection
 OS Fingerprinting
Host Detection and Network
Topology
 By using ICMP message, it allows one to identify hosts
that are reachable, in particular from the Internet.
 Ping to check whether host is available
 Broadcast ICMP ECHO
 Traceroute attempts to map network devices and
hosts on a route to a certain destination host.
 Intelligence use of it will allow one to map the
topology of a network.
Access Control List (ACL) Detection
(1)
 The idea is to manipulate the total length of the IP
Header Field (Header error).
 A crafted packet with total length in the IP Header Filed
claiming to be bigger than really what it is.
 When this packet reaches the host, it will try to grab the
data from the area, which is not there.
 The host will thus issue an ICMP Parameter Problem
back to the querying IP address.
Access Control List (ACL) Detection
(2)
 If there is a packet filtering device present and we probe a
targeted network with all possible combination of
protocols and services, it will allow us to determine the
access control list of the filtering device (which host is
allowed to received what type of traffic).
The crafted packet can use ICMP, TCP or UDP as the
underlying protocols.
Access Control List (ACL) Detection
(3)
 If we receive a reply from a Destination IP address we
have a host that is alive and an ACL, which allows this
type of message of ICMP to get to the host who
generated the ICMP error message (and the
Parameter Problem ICMP error message is allowed
from the destination host to the Internet)
Access Control List (ACL) Detection
(4)
 If we are not getting any reply than one of three
possibilities:
 The Filtering Device disallows datagrams with the kind
of bad field we are using.
 The Filtering Device is filtering the type of the ICMP
message we are using.
 The Filtering Device blocks ICMP Parameter Problem
error messages initiated from the protected network
destined to the Internet.
Protocol/Port Scan
 ICMP Error Messages (Protocol/Port Unreachable) are
the common ways to determine what type of
protocols/ports the host is running.
 Nmap 2.54 beta 1 has integrated the Protocol Scan.
 It sends raw IP packets without any further protocol
header (no payload) to each specified protocol on the
target machine.
 If an ICMP Protocol Unreachable error message is
received, the protocol is not in used.
OS Fingerprinting (1)
 This is possible because different OS implement
differently.
 Some do not compliant strictly to RFC, while RFC may
also optional.
 Fingerprinting of OS can be achieved via the
following:
 Using ICMP Query Messages
 Using ICMP Error Messages
Fingerprinting HPUX 10.20, Solaris
and Linux
Fingerprinting Windows Family
(95/98/ME/NT/20000)
Denial of Service (DoS)
 These are well-known DoS using ICMP as a
means.





Ping of Death
Smurf DoS
Tribe Flood Network
WinFreeze
Source Quench Attack
Ping of Death (1)
 A correctly-formed ping packet is typically 56 bytes in
size, or 84 bytes when the Internet Protocol header is
considered.
 However, any IPv4 packet (including pings) may be as
large as 65,535 bytes as defined in RFC791.
Ping of Death (2)
 The underlying Data Link Layer almost always poses
limits to the maximum frame size (See MTU).
In Ethernet, this is typically 1500 bytes.
 In such a case, a large IP packet is split across multiple
IP packets (also known as IP fragments), so that each
IP fragment will match the imposed limit.
 The receiver of the IP fragments will reassemble them
into the complete IP packet, and will continue
processing it as usual.
Ping of Death (3)
 the maximum allowable size of the data area is 65535 20 - 8 = 65507 octets.
 Note that it is possible to send an illegal echo packet
with more than 65507 octets of data due to the way
the fragmentation is performed.
 The fragmentation relies on an offset value in each
fragment to determine where the individual fragment
goes upon reassembly.
Ping of Death (4)
 Thus on the last fragment, it is possible to combine a valid
offset with a suitable fragment size such that (offset +
size) > 65535.
 Since typical machines don't process the packet until they
have all fragments and have tried to reassemble it, there is
the possibility for overflow of 16 bit internal variables,
which can lead to system crashes, reboots, kernel dumps
and the like.
 It is a problem in the reassembly process of IP fragments,
which may contain any type of protocol (TCP, UDP, IGMP,
etc.).
Smurf DoS (1)
 The Smurf attack preys on ICMP’s capability to send
traffic to the broadcast address.
 Many hosts can listen and response to a single ICMP
echo request sent to a broadcast address.
 This capability is used to execute a DoS attack.
 The two main components to the smurf denial-ofservice attack are the use of forged ICMP echo
request packets and the direction of packets to IP
broadcast addresses.
Smurf DoS (2)
Tribe Flood Network (1)
 The attacker(s) control one or more clients, each of
which can control many daemons.
 The daemons are all instructed to coordinate a
packet-based attack against one or more victim
systems by the client.
 Communication from the TFN client to daemons is
accomplished via ICMP Echo Reply packets.
Tribe Flood Network (2)
 Each "command" to the daemons is sent in the form of a
16-bit binary number in the ID field of an ICMP Echo Reply
packet (The sequence number is a constant 0x0000,
which would make it look like the response to the initial
packet sent out by the "ping" command).
 This is to prevent the kernel on the daemon system from
replying with an ICMP Echo Reply packet. The daemon then
responds (if need be) to the client(s), also using an ICMP
Echo Reply packet.
 The payload differs with TFN, as it is used for sending
command arguments and replies.
Tribe Flood Network (3)
Winfreeze (1)
 A small exploit code that can cause a Windows 9x/NT
box on the local LAN to freeze completely.
 The program initiates ICMP/Redirect-host messages
storm that appears to come from a router (by using
the router's IP).
 The Windows machine will receive redirect host
messages causing it to change its own routing table.
 This will make it get stuck, or operate very slowly until
a reboot is done
Winfreeze (2)
Source Quench Attack (1)
 An ICMP source quench message (ICMP type 4, code 0)
is designed to be issued when a router is unable to
handle the volume of packets coming in.
 It is a request for the sender to lower the volume of
incoming traffic. However, this method of flow control
is long out-of-date, with RFC 1812 saying the routers
should not issue these packets. Nevertheless, a source
quench packet was detected.
 This event may be indicative of an attacker attempting
to perform a denial of service in the form of lowered
bandwidth.
Source Quench Attack (2)
Covert Channel
 Many firewalls and networks consider ping traffic to
be benign and will allow it to pass through.
 Use of ping traffic can open up covert channels
through the networks in which it is allowed.
Loki (1)
 The concept of the Loki is simple: arbitrary information
tunneling in the data portion of ICMP Echo Request and
ICMP Echo Reply packets.
Loki exploits the covert channel that exists inside of ICMP
Echo traffic.
 ICMP Echo packets have the option to include a data
section.
 This data section is used when the record route option is
specified, or, the more common case, (usually the default) to
store timing information to determine round-trip times.
 Although the payload is often timing information, there is no
check by any device as to the content of the data.
Loki (2)
 So, as it turns out, this amount of data can also be
arbitrary in content as well.
 Most network devices do not filter the contents of
ICMP Echo traffic.
 They simply pass them, drop them, or return them.
 The trojan packets themselves are masqueraded as
common ICMP Echo traffic.
Loki (3)
 If a host is compromised and a Loki server is installed, it
can response to traffic send to it by a Loki client.
 Because the programs use ICMP Echo Reply packets for
communication, it will be very difficult (if not impossible)
to block it without breaking most Internet programs that
rely on ICMP.
 With a proper implementation, the channel can go
completely undetected for the duration of its existence.
Detection can be difficult.
Loki (4)
 With a proper implementation, the channel can go
completely undetected for the duration of its
existence. Detection can be difficult.
DoS – Tear Drop (1)
 When a teardrop attack is carried out on a machine, it
will crash or reboot.
 Teardrop attacks exploit the overlapping IP fragments
present in machines.
 IP packets are broken up into smaller fragments, with
each fragment having the original IP packet’s header,
and field that tells the TCP/IP stack what bytes it
contains.
DoS – Tear Drop (2)
 The packet is fragmented and is sent from the source to
destination.
 In the destination point, the fragments need to be put back
together again.
 What happens with teardrop though is that the IP fragments
will have overlapping fields.
 When the destination tries to reassemble them, it cannot do it,
and if it does not know to combine these packet fragments out,
it can quickly fail.
 This type of attack is more common on the Internet, and
precautions need to be taken to counteract such attacks.
DoS – Tear Drop (3)