Block bad ICMP messages (ICMP Smurf, Ping of Death,
ICMP Flood Attacks, ICMP Nuke Attacks)
Takeaway: The ICMP protocol facilitates
the use of important administrator utilities such as ping
and traceroute, but it can also be manipulated by hackers
to get a snapshot of your network. Learn what ICMP traffic
to filter and what to allow.
This article originally appeared in the Security Solutions
Although most network administrators do a fairly good job
of filtering TCP and UDP traffic, many forget to filter
ICMP traffic. ICMP traffic is necessary for troubleshooting
TCP/IP and for managing its flow and proper function. However,
ICMP is also dangerous. Hackers can use it to map and attack
networks, so it needs to be restricted.
Like TCP and UDP, ICMP is a protocol within TCP/IP that
runs over IP. Unlike TCP and UDP, ICMP is a Network Layer
protocol and not a Transport Layer protocol; it carries control
and error messages rather than application data. For more
information on ICMP, see its request for comments, RFC 792,
on the IETF's Web site.
Some ICMP message types are necessary for network administration.
Unfortunately, hackers have found ways to turn a good network
tool into an attack. The most common types of ICMP attacks are:
- ICMP packet magnification (or ICMP Smurf):
An attacker sends ICMP echo requests with a forged source
address (the victim's) to the broadcast addresses of networks
that still forward directed broadcasts. Every host on those
networks sends an ICMP echo reply to the victim, consuming
the target system's available bandwidth and creating
a denial of service (DoS) for legitimate traffic.
- Ping of death: An attacker sends an ICMP
echo request whose fragments reassemble to more than 65,535
bytes, the maximum IP packet size. Because no link can carry
a packet that large in one piece, it arrives as fragments;
on a vulnerable OS, reassembling them overflows the reassembly
buffer, so the system crashes.
- ICMP flood attack: A broadcast storm of pings
overwhelms the target system so it can't respond to
legitimate traffic.
- ICMP nuke attack: Nukes send a malformed packet
that the target OS can't handle, which causes
the system to crash.
Several common tools that use ICMP are necessary for normal
administration, management, and troubleshooting on your
network. These tools include ping, traceroute, and path
Maximum Transmission Unit (MTU) discovery.
When you ping a destination address, you send an ICMP
packet of message type 8 (Echo Request), code 0, to that
address. The reply is an ICMP packet of message type 0
(Echo Reply), code 0.
When you run a traceroute to a target address, you send
a UDP packet with a time to live (TTL) of 1 to the target.
The first router this packet hits decrements the TTL to 0
and discards the packet, because its TTL has expired. That
router sends back an ICMP message type 11 (Time Exceeded),
code 0 (TTL exceeded in transit), to your system; the source
address of that message is the router's own address, which
is how traceroute learns the address of each hop. Your system
displays the round-trip time for that first hop and sends
out the next UDP packet with a TTL of 2.
This process continues until you receive an ICMP message
type 3 (Destination Unreachable), code 3 (Port Unreachable),
from the destination system, which answers that way because
the probes are addressed to a high UDP port that is not in
use. Traceroute is complete when your machine receives the
Port Unreachable message.
If a hop's line shows three asterisks [* * *] during the
traceroute, none of the three probes sent with that TTL got
an ICMP message back: either the router at that hop doesn't
send Time Exceeded messages or something in the path filtered
them. Traceroute will continue to send UDP packets until
the destination is reached or the maximum number of hops
(30 by default) is reached.
Path MTU discovery
When you begin a TCP/IP session between two machines, the
sending host tries to discover the largest packet size the
path can carry without fragmentation. This is called path MTU
discovery. The machine that initiates the connection sends
the largest packet it can with the Don't Fragment (DF) bit set.
If any router in the path has a smaller MTU on the next link,
it will drop the packet because the DF bit is set. That router
sends an ICMP message type 3 (Destination Unreachable), code 4
(Fragmentation Needed and DF Set), back to the initiating
system; the message carries the MTU of the next hop. On the
initiating system, TCP/IP decreases the packet size to that
value and resends the packet. If a firewall drops these
messages, large packets disappear silently and the connection
stalls (a path MTU black hole), which is why they must be
allowed through.
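The two exchanges described above, traceroute and path MTU discovery, as an added example that is not part of the original article: a small Python model of a path of routers over which UDP probes and DF packets are sent, showing the ICMP messages that come back and what happens when a firewall in front of the sender filters them. The addresses, link MTUs, the silent hop and the "inbound_filter" parameter are all constructed for the demonstration.

```python
# Added example (not from the original article): a model of the two ICMP
# exchanges described above, UDP-probe traceroute and path MTU discovery,
# run over a constructed path.  Addresses, MTUs and the silent hop are made up.
from dataclasses import dataclass

MAX_HOPS = 30
DESTINATION = "198.51.100.10"        # constructed target host


@dataclass
class Router:
    address: str
    link_mtu: int                    # MTU of this router's link toward DESTINATION
    answers_icmp: bool = True        # False: never sends Time Exceeded ("* * *")


# Constructed path: sender -> 192.0.2.1 -> 192.0.2.2 (silent) -> 192.0.2.3 -> DESTINATION.
# The last link has a 1280-byte MTU, so 1500-byte packets cannot cross it.
PATH = [
    Router("192.0.2.1", 1500),
    Router("192.0.2.2", 1500, answers_icmp=False),
    Router("192.0.2.3", 1280),
]


def forward(ttl, size, df=False, udp_closed_port=False, inbound_filter=frozenset()):
    """Push one IP packet along PATH and report what the sender gets back.

    ("icmp", type, code, source, next_hop_mtu)  an ICMP error came back
    ("delivered",)                               the packet reached DESTINATION
    ("timeout",)                                 nothing came back
    inbound_filter holds (type, code) pairs that a firewall in front of the
    sender drops; it is here to show what over-filtering ICMP does.
    """
    def reply(icmp_type, code, source, next_hop_mtu=None):
        if (icmp_type, code) in inbound_filter:
            return ("timeout",)
        return ("icmp", icmp_type, code, source, next_hop_mtu)

    for router in PATH:
        ttl -= 1
        if ttl == 0:                         # TTL expired in transit
            if not router.answers_icmp:
                return ("timeout",)
            return reply(11, 0, router.address)                  # Time Exceeded
        if df and size > router.link_mtu:    # too big for the next link, DF set
            return reply(3, 4, router.address, router.link_mtu)  # Frag Needed
    if udp_closed_port:                      # UDP probe to a closed port
        return reply(3, 3, DESTINATION)                          # Port Unreachable
    return ("delivered",)


def traceroute(inbound_filter=frozenset()):
    """Send UDP probes with TTL 1, 2, 3, ... and record who answers each hop.
    Real traceroute sends three probes per TTL; one is modelled here."""
    hops = []
    for ttl in range(1, MAX_HOPS + 1):
        r = forward(ttl, size=40, udp_closed_port=True, inbound_filter=inbound_filter)
        if r[0] == "timeout":
            hops.append("* * *")             # nothing came back for this hop
            continue
        _, icmp_type, code, source, _ = r
        hops.append(source)                  # the ICMP source address is the hop
        if (icmp_type, code) == (3, 3):      # Port Unreachable: destination reached
            break
    return hops


def path_mtu_discovery(initial_mtu=1500, inbound_filter=frozenset(), max_tries=8):
    """Send the largest DF packet we can and shrink on every Fragmentation
    Needed message.  Returns the path MTU, or None when PMTUD is black-holed."""
    size = initial_mtu
    for _ in range(max_tries):
        r = forward(ttl=64, size=size, df=True, inbound_filter=inbound_filter)
        if r[0] == "delivered":
            return size
        if r[0] == "timeout":
            return None                      # large packets vanish, TCP stalls
        _, icmp_type, code, _, next_hop_mtu = r
        if (icmp_type, code) != (3, 4):
            raise RuntimeError(f"unexpected ICMP type {icmp_type} code {code}")
        size = next_hop_mtu                  # RFC 1191: use the reported next-hop MTU
    return None


if __name__ == "__main__":
    print("traceroute:", traceroute())
    print("traceroute, Time Exceeded filtered:", traceroute({(11, 0)}))
    print("path MTU:", path_mtu_discovery())
    print("path MTU, Frag Needed filtered:", path_mtu_discovery(inbound_filter={(3, 4)}))
```

Running it shows the hop list with "* * *" for the silent router, and that filtering type 11 turns every hop into "* * *" while the Port Unreachable from the destination still ends the trace; filtering type 3 code 4 turns a working 1280-byte path into a black hole, which is the failure mode the path MTU rule exists to prevent.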
The bottom line
Without getting into vendor specifics, disable IP-directed
broadcasts on all of your routers so your network can't be
used as a Smurf amplifier. Letting traceroute, ping, or any
of the other ICMP messages into and through your network from
the Internet without restriction is an invitation for network
mapping, and it could lead to an attack.
You can protect your network from attack by implementing
three simple network rules:
- Allow ping: ICMP Echo Request (type 8) outbound and Echo
Reply (type 0) inbound
- Allow traceroute: Time Exceeded (type 11, code 0) and Port
Unreachable (type 3, code 3) inbound
- Allow path MTU discovery: Fragmentation Needed and DF Set
(type 3, code 4) inbound
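The three rules above, and the directed-broadcast advice, as an added example that is not part of the original article: a Python stateless filter that parses the 8-byte ICMP header (verifying the RFC 1071 checksum) and returns allow or drop for a packet by direction, with an extra check that nothing from outside is delivered to the protected network's directed-broadcast address. The protected network 192.0.2.0/24, the direction labels and every packet are constructed for the demonstration; the type and code constants are the standard ICMP values.

```python
# Added example (not from the original article): parse the 8-byte ICMP header
# of constructed packets and apply the three rules above as a stateless filter,
# plus a directed-broadcast check against the Smurf attack.  The protected
# network 192.0.2.0/24 and all packets are made up for the demonstration.
import ipaddress
import struct

ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PORT_UNREACHABLE, FRAG_NEEDED = 3, 4          # codes under type 3
TTL_EXCEEDED = 0                              # code under type 11

INSIDE = ipaddress.ip_network("192.0.2.0/24")     # constructed protected network

# (type, code) pairs the three rules permit; "in" means arriving from the Internet
ALLOW_OUT = {(ECHO_REQUEST, 0)}                               # rule 1: ping out
ALLOW_IN = {
    (ECHO_REPLY, 0),                                          # rule 1: ping replies
    (TIME_EXCEEDED, TTL_EXCEEDED),                            # rule 2: traceroute
    (DEST_UNREACHABLE, PORT_UNREACHABLE),                     # rule 2: traceroute
    (DEST_UNREACHABLE, FRAG_NEEDED),                          # rule 3: path MTU
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", payload=b""):
    """Build an ICMP message; 'rest' is the 4 header bytes after the checksum
    (identifier/sequence for echo, unused/next-hop MTU for Fragmentation Needed)."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(packet: bytes):
    """Return (type, code), raising ValueError on a short or corrupt header."""
    if len(packet) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    if icmp_checksum(packet) != 0:            # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return icmp_type, code


def filter_icmp(packet: bytes, direction: str, dst: str) -> str:
    """Decide "allow" or "drop" for one ICMP packet crossing the border."""
    try:
        key = parse_icmp(packet)
    except ValueError:
        return "drop"                         # malformed: never forward it
    # Smurf amplification: any ICMP from outside aimed at our directed-broadcast
    # address, the firewall-side equivalent of disabling directed broadcasts
    if direction == "in" and ipaddress.ip_address(dst) == INSIDE.broadcast_address:
        return "drop"
    allowed = ALLOW_IN if direction == "in" else ALLOW_OUT
    return "allow" if key in allowed else "drop"


if __name__ == "__main__":
    frag_needed = build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, rest=b"\x00\x00\x05\x00")  # MTU 1280
    samples = [
        (build_icmp(ECHO_REQUEST, 0), "out", "198.51.100.10"),   # our ping going out
        (build_icmp(ECHO_REQUEST, 0), "in", "192.0.2.10"),       # outsider pinging us
        (build_icmp(ECHO_REPLY, 0), "in", "192.0.2.10"),         # reply to our ping
        (build_icmp(ECHO_REPLY, 0), "in", "192.0.2.255"),        # aimed at broadcast
        (frag_needed, "in", "192.0.2.10"),                       # path MTU feedback
        (build_icmp(5, 1), "in", "192.0.2.10"),                  # ICMP Redirect
    ]
    for pkt, direction, dst in samples:
        print(direction, dst, parse_icmp(pkt), "->", filter_icmp(pkt, direction, dst))
```

This mirrors the stateless, type-and-code router ACLs the article's rules describe. A stateful firewall (Linux netfilter with connection tracking, for example) would instead admit an Echo Reply only when it matches an Echo Request that went out, which closes the remaining gap of unsolicited replies reaching internal hosts; the type 3 and type 11 errors can likewise be tied to the TCP or UDP flow they quote.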
Don't let poor configuration lead to hacker probing and
attacks that are easily blocked. Applying these three rules
and blocking other types of ICMP traffic can provide a lot
of network security with minimal effort.