Tech Tip: Prevent hacker probing: Block bad ICMP messages

By Mike Mullins

While most network administrators do a fairly good job of filtering TCP and UDP traffic, many forget to filter Internet Control Message Protocol (ICMP) traffic. ICMP traffic is necessary for troubleshooting TCP/IP and for managing its flow and proper function. However, ICMP is also dangerous. Hackers can use it to map and attack networks, so it needs to be restricted.

Like TCP and UDP, ICMP is a protocol within TCP/IP that runs over IP. Unlike TCP and UDP, ICMP is a network layer protocol—not a transport layer protocol. For more information on ICMP, see its request for comments (RFC) on the Internet Engineering Task Force's (IETF) Web site.

Bad ICMP

Some ICMP message types are necessary for network administration. Unfortunately, hackers have found a way to turn a good network tool into an attack. The most common types of ICMP attacks are:

  • ICMP packet magnification (or ICMP Smurf): An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. All the systems on those networks send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a denial of service to legitimate traffic.
  • Ping of death: An attacker sends an ICMP echo request packet that's larger than the maximum IP packet size. Since the received ICMP echo request packet is larger than the normal IP packet size, it's fragmented. The target can't reassemble the packets, so the OS crashes or reboots.
  • ICMP flood attack: A broadcast storm of pings overwhelms the target system so it can't respond to legitimate traffic.
  • ICMP nuke attack: Nukes send a packet of information that the target OS can't handle, which causes the system to crash.

Good ICMP

Several common tools use ICMP and are necessary for normal administration, use, and troubleshooting on your network. These tools include ping, traceroute, and path MTU discovery.

Ping
When you ping a destination network address, you're sending an ICMP packet with message type 8 (Echo) code 0 (Echo—Request) to that address. The ICMP reply packet has a message type 0 (Echo) code 0 (Echo—Reply).

Traceroute
When you run a traceroute to a target network address, you send a UDP packet with a time to live (TTL) of 1 to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet, because the packet's TTL has now expired. The router sends an ICMP message type 11 (Exceeded) code 0 (TTL—Exceeded) packet back to your system, using its own address as the source. Your system displays the round trip time for that first hop and sends out the next UDP packet with a TTL of 2.

This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port—Unreachable) from the destination system. Traceroute is completed when your machine receives a Port-Unreachable message.

If you receive a message with three asterisks [* * *] during the traceroute, then a router in the path doesn't return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded.

Path MTU discovery
When you begin a TCP/IP session between two machines, TCP/IP tries to negotiate the size of packets that can be sent during the session. This is called path MTU discovery. The machine that initiates the connection will send the largest packet it can with the DF (Don't Fragment) bit set.

If any router in the path has a smaller MTU (Maximum Transmission Unit), it will drop the packet with the DF bit set. That router will send an ICMP message type 3 (Unreachable) code 4 (Fragmentation—DF—Set) back to the initiating system. On the initiating system, TCP/IP will decrease the packet size and resend the packet.

The bottom line

Without getting into vendor specifics, to keep your network healthy, disable IP-directed broadcasts on all of your routers. Letting traceroute, ping, or any of the other ICMP messages into and through your network from the Internet is an invitation for network mapping, and it could lead to an attack.

You can protect your network from attack by implementing three simple network rules:

  • Allow ping—ICMP Echo-Request outbound and Echo-Reply messages inbound.
  • Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound.
  • Allow path MTU—ICMP Fragmentation-DF-Set messages inbound.
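As an added, vendor-neutral illustration of these three rules (example code, not from the article): a Python policy evaluator that parses a raw ICMP header, verifies the RFC 792 checksum, and allows only the direction/type/code combinations listed above while dropping everything else, including inbound Echo-Requests. The `ALLOW` table, `decide()` and the constructed sample packets are this example's own assumptions.

```python
import struct

# ICMP message types and codes named in the article
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
CODE_TTL_EXCEEDED, CODE_PORT_UNREACHABLE, CODE_FRAG_NEEDED = 0, 3, 4

# The three rules as (direction, type, code) allow entries (assumed table).
ALLOW = {
    ("out", ECHO_REQUEST, 0),                         # ping: Echo-Request outbound
    ("in", ECHO_REPLY, 0),                            # ping: Echo-Reply inbound
    ("in", TIME_EXCEEDED, CODE_TTL_EXCEEDED),         # traceroute: each hop
    ("in", DEST_UNREACHABLE, CODE_PORT_UNREACHABLE),  # traceroute: final hop
    ("in", DEST_UNREACHABLE, CODE_FRAG_NEEDED),       # path MTU discovery
}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok) for a raw ICMP message."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum = struct.unpack("!BBH", packet[:4])
    # Recompute with the checksum field zeroed, as the sender did.
    ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum
    return icmp_type, code, ok

def decide(direction: str, packet: bytes) -> str:
    """Apply the allow table; malformed or unlisted messages are dropped."""
    icmp_type, code, ok = parse_icmp(packet)
    if ok and (direction, icmp_type, code) in ALLOW:
        return "allow"
    return "drop"

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct a well-formed sample ICMP message (constructed test input)."""
    header = struct.pack("!BB", icmp_type, code) + b"\x00\x00" + b"\x00" * 4
    csum = icmp_checksum(header + payload)
    return header[:2] + struct.pack("!H", csum) + header[4:] + payload
```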

Don't let poor configuration lead to hacker probing and attacks that are easily blocked. These three simple steps provide a lot of network security.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.