By Mike Mullins
While most network administrators do a fairly good job of filtering TCP and UDP traffic, many forget to filter Internet Control Message Protocol (ICMP) traffic. ICMP traffic is necessary for troubleshooting TCP/IP and for managing its flow and proper function. However, ICMP is also dangerous. Hackers can use it to map and attack networks, so it needs to be restricted.
Like TCP and UDP, ICMP is part of the TCP/IP suite and is carried directly inside IP datagrams (IP protocol number 1). Unlike TCP and UDP, ICMP is a network layer protocol, not a transport layer protocol: it carries control and error reports about IP delivery rather than application data. For more information on ICMP, see RFC 792 on the Internet Engineering Task Force's (IETF) Web site.
Some ICMP message types are necessary for network administration. Unfortunately, hackers have found a way to turn a good network tool into an attack. The most common types of ICMP attacks are:
Several common tools use ICMP and are necessary for normal administration, use, and troubleshooting on your network. These tools include ping, traceroute, and path MTU discovery.
When you ping a destination address, you send it an ICMP message of type 8, code 0 (Echo Request). The answer comes back as type 0, code 0 (Echo Reply). Both carry an identifier and a sequence number, which is how ping matches each reply to the request that caused it and how it notices lost probes.
When you run a traceroute to a target address, you send a UDP packet with a time to live (TTL) of 1. The first router the packet reaches decrements the TTL to 0 and discards the packet, because its TTL has expired. That router sends your system an ICMP message of type 11, code 0 (Time Exceeded: TTL exceeded in transit). The source address of that message is the router's own address, which is how traceroute learns the identity of each hop. Your system displays that address and the round trip time for the first hop, then sends the next UDP packet with a TTL of 2.
This process continues until you receive an ICMP message of type 3, code 3 (Destination Unreachable: Port Unreachable) from the destination system. That message arrives because the probes are aimed at a high UDP port (33434 and up, by convention) that nothing is listening on. Traceroute is complete when your machine receives that Port Unreachable message. Note that Windows tracert sends ICMP Echo Requests instead of UDP probes and finishes on the Echo Reply, so the two tools need different messages let through a firewall.
If a hop shows three asterisks (* * *), the router at that hop did not return an ICMP message before the timeout, either because it is configured not to send Time Exceeded messages or because a filter in the path dropped them. Traceroute keeps sending UDP packets with increasing TTL until the destination answers or the maximum number of hops (30 by default) is exceeded.
When a TCP/IP session starts between two machines, the sending stack tries to discover the largest packet that can reach the other end without being fragmented along the way. This is called path MTU discovery (RFC 1191). The sender starts with the largest packet its own link allows and sets the DF (Don't Fragment) bit in the IP header.
If any router in the path has to forward that packet onto a link with a smaller MTU (Maximum Transmission Unit), it cannot fragment it because DF is set, so it drops the packet and sends an ICMP message of type 3, code 4 (Destination Unreachable: Fragmentation Needed and DF Set) back to the sender. Since RFC 1191 that message also carries the MTU of the link the packet could not fit through. The sender lowers its packet size accordingly and resends. This is the one ICMP message you cannot afford to block: if it never arrives, the sender keeps retransmitting full-size packets that silently disappear, and connections that move more than a few bytes hang while small exchanges still work.
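As an added worked example (not code from the original article), the Python below builds and decodes the three exchanges just described: ping's Echo Request and Echo Reply, the Time Exceeded and Port Unreachable answers a traceroute probe draws from routers and from the destination, and the Fragmentation Needed message that drives path MTU discovery. The addresses, identifier and packet sizes are made up for the demonstration, and the 576-byte fallback used when a router sends no next-hop MTU is this example's simplification of RFC 1191's plateau table.

```python
import socket
import struct

# ICMP message types and codes named in the article (IPv4 ICMP, RFC 792).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TTL_EXCEEDED, PORT_UNREACH, FRAG_NEEDED = 0, 3, 4


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of the 16-bit words, complemented.
    Run over a message whose checksum field is already filled in, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold the end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _seal(msg: bytes) -> bytes:
    """Write the checksum into bytes 2-3 of a message built with that field zeroed."""
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def build_echo(ident: int, seq: int, payload: bytes = b"", reply: bool = False) -> bytes:
    """Type 8 code 0 (Echo Request) as ping sends it, or type 0 code 0 (Echo Reply).
    ident/seq let the sender match replies to its own requests."""
    t = ECHO_REPLY if reply else ECHO_REQUEST
    return _seal(struct.pack("!BBHHH", t, 0, 0, ident, seq) + payload)


def build_error(t: int, code: int, offending: bytes, next_hop_mtu: int = 0) -> bytes:
    """Type 3 or type 11 error message. The second word is unused except for
    type 3 code 4, whose low 16 bits carry the next-hop MTU (RFC 1191); the
    body quotes the offending datagram's IP header plus its first 8 bytes."""
    return _seal(struct.pack("!BBHHH", t, code, 0, 0, next_hop_mtu) + offending[:28])


def ipv4_datagram(src: str, dst: str, proto: int, ttl: int, payload: bytes, df: bool = False) -> bytes:
    """Minimal IPv4 header (no options, header checksum left 0) in front of payload,
    constructed here only so the error messages can quote something realistic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000 if df else 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message; reject bad checksums and truncated quotes."""
    if len(msg) < 8 or icmp_checksum(msg) != 0:
        raise ValueError("truncated ICMP message or bad checksum")
    t, code, _, w1, w2 = struct.unpack("!BBHHH", msg[:8])
    info = {"type": t, "code": code}
    if t in (ECHO_REQUEST, ECHO_REPLY):
        info.update(ident=w1, seq=w2, payload=msg[8:])
    elif t in (DEST_UNREACH, TIME_EXCEEDED):
        q = msg[8:]                            # the quoted offending datagram
        if len(q) < 28:
            raise ValueError("error message must quote the IP header plus 8 bytes")
        ihl = (q[0] & 0x0F) * 4
        info.update(orig_src=socket.inet_ntoa(q[12:16]), orig_dst=socket.inet_ntoa(q[16:20]),
                    orig_ttl=q[8], orig_proto=q[9])
        if q[9] == 17 and len(q) >= ihl + 4:   # UDP: the quoted 8 bytes hold the ports
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", q[ihl:ihl + 4])
        if (t, code) == (DEST_UNREACH, FRAG_NEEDED):
            info["next_hop_mtu"] = w2
    return info


def traceroute_answer(router_ip, reply):
    """What traceroute shows for one probe and whether it is finished. router_ip is
    the IP source of the ICMP reply (that is how each hop is learned); None = no reply."""
    if reply is None:
        return "*", False                      # hop drops TTL-expired packets silently
    info = parse_icmp(reply)
    kind = (info["type"], info["code"])
    if kind == (TIME_EXCEEDED, TTL_EXCEEDED):
        return router_ip, False                # an intermediate router: raise TTL and go on
    if kind == (DEST_UNREACH, PORT_UNREACH):
        return router_ip, True                 # the destination itself: done
    return "%s !<%d>" % (router_ip, info["code"]), True   # other unreachables also end it


def pmtud_next_size(current: int, reply: bytes) -> int:
    """Packet size to retry with after a DF-set packet of `current` bytes drew a
    type 3 code 4. Routers that predate RFC 1191 send MTU 0; this example then
    falls back to 576, the datagram size every IPv4 host must accept (RFC 791)."""
    info = parse_icmp(reply)
    if (info["type"], info["code"]) != (DEST_UNREACH, FRAG_NEEDED):
        raise ValueError("not a fragmentation-needed message")
    mtu = info["next_hop_mtu"]
    return mtu if 0 < mtu < current else 576


if __name__ == "__main__":
    # Constructed traceroute probe: UDP from our host, TTL 1, to the classic port 33434.
    probe = ipv4_datagram("10.0.0.5", "198.51.100.9", 17, 1, bytes([0x9C, 0x40, 0x82, 0x9A, 0, 8, 0, 0]))
    print(traceroute_answer("192.0.2.1", build_error(TIME_EXCEEDED, TTL_EXCEEDED, probe)))
    print(traceroute_answer("198.51.100.9", build_error(DEST_UNREACH, PORT_UNREACH, probe)))
    big = ipv4_datagram("10.0.0.5", "198.51.100.9", 6, 64, bytes(1480), df=True)
    print(pmtud_next_size(1500, build_error(DEST_UNREACH, FRAG_NEEDED, big, next_hop_mtu=1280)))
```

Nothing here touches a socket: every message is built and parsed in memory, which is also the shape of the check a firewall or IDS performs when it decides whether an inbound error message really refers to a packet one of your hosts sent.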
The bottom line
Without getting into vendor specifics, to keep your network healthy, disable IP directed broadcasts on all of your routers, so that a spoofed ping to one of your broadcast addresses cannot turn every host on that segment into an amplifier (RFC 2644 made not forwarding directed broadcasts the default, but check older equipment). Letting ping or traceroute probes into and through your network from the Internet is an invitation to network mapping, and a map is usually the first step of an attack. Filter ICMP selectively rather than wholesale, though: keep admitting the Echo Replies and Time Exceeded messages that answer your own outbound pings and traceroutes, and always pass Fragmentation Needed (type 3, code 4) in both directions, or path MTU discovery breaks.
You can protect your network from attack by implementing three simple network rules:
Don't let poor configuration lead to hacker probing and attacks that are easily blocked. These three simple steps provide a lot of network security.
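As an added example (not from the original article, and not any vendor's configuration syntax), the Python below models the ICMP policy a border device needs in order to follow these rules without breaking the tools described earlier: inbound Echo Requests and unsolicited Echo Replies are dropped, error messages (types 3 and 11) are admitted only when they quote a packet that one of our own hosts sent, Fragmentation Needed passes in both directions so path MTU discovery keeps working, and everything else is dropped by default. The inside prefix, addresses and messages are made up for the demonstration; a real firewall does the same matching with its connection-tracking state (iptables' RELATED/ESTABLISHED handling of ICMP, for instance).

```python
import ipaddress
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4


class IcmpBorderFilter:
    """Decides which ICMP messages may cross the Internet-facing interface.
    Checksums are assumed to have been validated by the receiving stack."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)   # assumed: one prefix behind the border
        self.pending_echo = set()                            # (our_src, ident, seq) of pings we sent

    def outbound(self, src: str, dst: str, msg: bytes):
        """Messages leaving our network. Returns (allowed, reason)."""
        t, code, _, w1, w2 = struct.unpack("!BBHHH", msg[:8])
        if t == ECHO_REQUEST:
            self.pending_echo.add((src, w1, w2))     # remember it so only its reply gets back in
            return True, "echo request out; reply state recorded"
        if (t, code) == (DEST_UNREACH, FRAG_NEEDED):
            return True, "frag-needed out; peers must learn the MTU into our network"
        if t in (DEST_UNREACH, TIME_EXCEEDED):
            return False, "error out dropped; it would answer an Internet traceroute or port scan"
        return False, "type %d out dropped by default" % t

    def inbound(self, src: str, dst: str, msg: bytes):
        """Messages arriving from the Internet. Returns (allowed, reason)."""
        t, code, _, w1, w2 = struct.unpack("!BBHHH", msg[:8])
        if t == ECHO_REQUEST:
            return False, "echo request in dropped; ping sweeps map the network"
        if t == ECHO_REPLY:
            key = (dst, w1, w2)
            if key in self.pending_echo:
                self.pending_echo.discard(key)       # one reply per request
                return True, "echo reply matches a ping we sent"
            return False, "unsolicited echo reply dropped"
        if t in (DEST_UNREACH, TIME_EXCEEDED):
            quoted = msg[8:]
            if len(quoted) < 28:
                return False, "error in dropped; no quoted datagram to check"
            quoted_src = str(ipaddress.IPv4Address(quoted[12:16]))
            # An error about a packet we sent is addressed to that packet's source,
            # so the quoted source must be inside our prefix and equal the message's destination.
            if quoted_src == dst and ipaddress.ip_address(dst) in self.inside:
                if (t, code) == (DEST_UNREACH, FRAG_NEEDED):
                    return True, "frag-needed in; blocking it would black-hole large packets"
                return True, "type %d code %d in about a packet we sent" % (t, code)
            return False, "error in dropped; not about a packet from our network"
        return False, "type %d in dropped by default (redirect, timestamp, address mask, ...)" % t


def make_icmp(t: int, code: int, w1: int = 0, w2: int = 0, quoted_src=None) -> bytes:
    """Constructed test message: 8-byte header (checksum left 0) plus, for error
    types, a 28-byte quoted datagram whose source address is quoted_src."""
    msg = struct.pack("!BBHHH", t, code, 0, w1, w2)
    if quoted_src is not None:
        quoted = bytearray(28)
        quoted[0] = 0x45
        quoted[12:16] = ipaddress.IPv4Address(quoted_src).packed
        msg += bytes(quoted)
    return msg


if __name__ == "__main__":
    border = IcmpBorderFilter("10.0.0.0/24")
    print(border.inbound("203.0.113.7", "10.0.0.5", make_icmp(ECHO_REQUEST, 0, 1, 1)))
    print(border.outbound("10.0.0.5", "203.0.113.7", make_icmp(ECHO_REQUEST, 0, 0x1234, 1)))
    print(border.inbound("203.0.113.7", "10.0.0.5", make_icmp(ECHO_REPLY, 0, 0x1234, 1)))
    print(border.inbound("192.0.2.1", "10.0.0.5", make_icmp(DEST_UNREACH, FRAG_NEEDED, 0, 1280, "10.0.0.5")))
```

The quoted-source check is what separates a legitimate Time Exceeded or Port Unreachable from one an attacker injects: an error that does not quote a packet from your own address space has no business coming in. Keep in mind that this admits Time Exceeded only for traceroutes you run outward; an Internet traceroute into your network still gets nothing back, because the outbound rule drops the errors your routers would have sent.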
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.