Internet Control Message Protocol (ICMP) is used for reporting errors and performing network diagnostics. In the error reporting process, ICMP sends messages from the receiver back to the sender when data does not arrive as it should. In the diagnostic process, ICMP carries the messages that ping and traceroute use to report how data is being transmitted. It is a classic example of a client-server exchange. It can be used to show:
The protocol is also frequently used by Internet managers to verify the correct operation of End Systems (ES) and to check that routers are correctly routing packets to the specified destination address. ICMP and ping are two different things, although they are related. ICMP is a protocol that controls how messages are sent between devices. The echo requests and replies that ICMP sends are commonly referred to as pings. So while a ping is produced using ICMP, it is not ICMP.

ICMP types and corresponding codes:
Many of these ICMP types have a “code” field. The types are listed below, along with the code fields that correspond to them.
How Does ICMP Work?
ICMP is a unique protocol. No connection is formed; the message is simply sent. Furthermore, unlike TCP and UDP, which specify the ports to which data is delivered, an ICMP message carries no information that directs it to a specific port on the receiving device.

Why do we need ICMP?
Utilities of ICMP:
PING: A ping is comparable to a traceroute, but it is simpler to use. It shows how long data takes to travel between two places: it sends ICMP Echo Requests and monitors the ICMP Echo Replies.
TraceRoute: Sends a sequence of ICMP Echo Requests with increasing TTL values starting from 1 and monitors the ICMP Time Exceeded messages returned by intermediate hops, or the ICMP Echo Reply from the destination. When traceroute is used, the report lists the devices that a packet passed through on its way to its destination, along with how long the data took to travel from one device to the next. This information can be used to determine which devices along the route are causing delays.

ICMP attacks: ICMP is also used to investigate network performance. While analysts use ICMP for legitimate purposes most of the time, attackers also target machines via ICMP-based attacks. An ICMP flood, a Smurf attack, and a ping of death are all used to overwhelm a network device and disrupt its normal operation. Types:
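As an added illustration of the echo request/reply exchange behind ping (this is example code written for this article, not code from the original page), the following Python builds an ICMP Echo Request, computes the RFC 1071 checksum that every ICMP message carries, and validates a reply the way a ping client does: by matching the identifier, sequence number and payload against the request it sent. The identifier 0x1234 and the payload are constructed sample values; the code works on packet bytes only and does not open a raw socket.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header plus payload.
    Computed with the checksum field zeroed when sending; verifying a received
    packet (checksum field included) must yield 0."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data to 16-bit words
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble type/code/checksum/identifier/sequence (8 bytes) + payload."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the fixed ICMP header and report whether the checksum verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": msg_type, "code": code, "checksum": csum,
        "id": ident, "seq": seq, "payload": packet[8:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def is_matching_reply(request: bytes, reply: bytes) -> bool:
    """A ping client accepts a reply only if it is a well-formed Echo Reply whose
    identifier, sequence number and payload echo the request it sent."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["checksum_ok"]
            and req["type"] == ICMP_ECHO_REQUEST
            and rep["type"] == ICMP_ECHO_REPLY
            and (req["id"], req["seq"], req["payload"])
                == (rep["id"], rep["seq"], rep["payload"]))


if __name__ == "__main__":
    # constructed sample exchange: identifier 0x1234, sequence 1, 8-byte payload
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    reply = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"abcdefgh")
    print(request.hex(), parse_icmp(request))
    print("reply matches:", is_matching_reply(request, reply))
```

Note that traceroute differs from ping only in the IP layer: it sends the same Echo Request but with the IP TTL field set to 1, 2, 3, ... so that each hop in turn returns a Time Exceeded message. The ICMP message itself, and the checksum over it, is built exactly as above.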
Explanation: ICMP Tunneling:
How to Detect ICMP Tunneling:
How to Prevent ICMP Tunneling: Since ICMP is important for maintaining stable network connections, blocking all ICMP traffic can be problematic. Malicious endpoints and domains identified by threat intelligence can be blocked at the perimeter. Firewalls can also be configured to prevent outbound pings to external endpoints and to allow only fixed-size ICMP packets through.

ICMP Router Discovery:
Attack based on it:
Mitigation: Digital signatures and blocking all type 9 and type 10 ICMP packets are two techniques used to prevent abuse of ICMP router discovery.

Smurf attack
In a Smurf attack, an attacker uses a spoofed or forged source IP address to send an ICMP echo request (type 8) to a network’s broadcast address. Each device that responds sends its echo reply (type 0) to the forged address, inundating the target with ICMP packets.
Smurf attack security measures: Filters should be applied on L3 devices to prevent them from responding to broadcast addresses, and filters should be implemented on routers and firewalls to prevent address spoofing. Each LAN segment should be assigned an IP address range, and traffic should be dropped if the originating machine’s IP address is not within the range assigned to that segment.

Fraggle Attack
The Fraggle attack is similar to the Smurf attack, except that it uses the UDP protocol instead of ICMP. The defense against Fraggle attacks is nearly identical to the defense against Smurf attacks.

ICMP flood attack
An ICMP flood bombards the target resource with ICMP Echo Request (ping) packets, sending them as quickly as possible without waiting for responses. Because the victim’s servers will typically attempt to respond with ICMP Echo Reply packets, this form of attack consumes both incoming and outgoing bandwidth, resulting in a significant overall system slowdown.

Ping of death attack:
Information Gathering
Sending an ICMP echo request (type 8) to target hosts, which should prompt them to respond with ICMP echo reply messages, is a standard approach to discovering hosts on a network. Several ICMP-based techniques can be used to determine live hosts, network topology, OS fingerprinting, ACL detection, and so on.

TraceRoute
Port Scan
OS fingerprinting
The Windows and Linux families can be told apart by a fingerprinting technique that examines the ICMP packet response to determine which operating system a server is running. If the ICMP reply carries a TTL value of 128, it is a Windows machine, and if it carries a TTL value of 64, it is a Linux-based machine. (These are the default initial TTLs; each router hop decrements the field by one, so the value observed at the analyst’s host is typically slightly below the default.)

Teardrop
IDS Detection Rules:
Below are some IDS rules (in Snort format) for attacks related to ICMP types and codes.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

Conclusion:
ICMP blocking is a difficult task. Spend as much time as possible learning everything there is to know about it. After that, you will be able to build your own view and form an opinion on what is best for your network.
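To show how the detection points raised above (the Smurf broadcast-ping pattern, the ICMP flood, the ping of death, the type 9/10 router discovery messages the mitigation section says to block, the TTL-based OS guess, and the dsize:>800 threshold of the Snort rule) translate into detection logic, here is an added Python example written for this article, not code from the original page or from Snort. It parses raw IPv4+ICMP packets and runs each of those checks over a constructed sample capture. The flood threshold of 50 echo requests per source, the 10.0.0.0/24 addresses and the sample frames are all assumptions made for the example; neither IP nor ICMP checksums are verified, since the builder leaves them zero.

```python
import struct
from collections import Counter

# ICMP types named on the page; thresholds are assumptions for the sample data
ECHO_REPLY, ECHO_REQUEST = 0, 8
ROUTER_ADVERTISEMENT, ROUTER_SOLICITATION = 9, 10
LARGE_ICMP_DSIZE = 800      # same cut-off as the Snort rule sid 499 (dsize:>800)
FLOOD_THRESHOLD = 50        # assumed: echo requests from one source per sample window
IP_MAX_LEN = 65535          # largest legal reassembled IPv4 datagram


def make_frame(src, dst, icmp_type, payload_len, ttl=64, frag_off=0, more_frags=False):
    """Constructed IPv4+ICMP packet for the sample capture. IP and ICMP checksums
    are left zero; the detector below does not verify them. (A real non-first
    fragment would carry no ICMP header; the fragment fields alone matter here.)"""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"A" * payload_len
    flags_frag = (0x2000 if more_frags else 0) | ((frag_off // 8) & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, flags_frag, ttl, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp


def parse(frame: bytes):
    """Decode the IPv4 header and the first 4 bytes of the ICMP header."""
    if len(frame) < 20:
        return None
    (vihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or proto != 1 or len(frame) < ihl + 8:   # IPv4, protocol 1 = ICMP
        return None
    icmp_type, icmp_code, _icsum = struct.unpack("!BBH", frame[ihl:ihl + 4])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "type": icmp_type, "code": icmp_code,
        "frag_off": (flags_frag & 0x1FFF) * 8, "more_frags": bool(flags_frag & 0x2000),
        "ip_payload_len": total_len - ihl,
        "dsize": len(frame) - ihl - 8,   # bytes after the 8-byte echo header (assumed = Snort dsize)
    }


def guess_os_from_ttl(ttl: int) -> str:
    """Page's rule of thumb: initial TTL 128 on Windows, 64 on Linux. Each hop
    decrements it, so the observed value is at most the sender's default."""
    if ttl <= 64:
        return "Linux (initial TTL 64)"
    if ttl <= 128:
        return "Windows (initial TTL 128)"
    return "unknown"


def analyze(frames, broadcast_addrs):
    """Return (rule, src, detail) alerts for the attack patterns discussed on the page."""
    alerts, echo_requests = [], Counter()
    for frame in frames:
        p = parse(frame)
        if p is None:
            continue
        if p["dsize"] > LARGE_ICMP_DSIZE:                       # sid 499 equivalent
            alerts.append(("LARGE_ICMP_PACKET", p["src"], p["dst"]))
        if p["type"] in (ROUTER_ADVERTISEMENT, ROUTER_SOLICITATION):
            alerts.append(("ROUTER_DISCOVERY", p["src"], p["dst"]))
        if p["type"] == ECHO_REQUEST and p["dst"] in broadcast_addrs:   # Smurf amplifier
            alerts.append(("SMURF_BROADCAST_PING", p["src"], p["dst"]))
        if p["frag_off"] + p["ip_payload_len"] > IP_MAX_LEN:     # reassembly would overflow
            alerts.append(("PING_OF_DEATH_FRAGMENT", p["src"], p["dst"]))
        if p["type"] == ECHO_REQUEST:
            echo_requests[p["src"]] += 1
    for src, n in echo_requests.items():
        if n > FLOOD_THRESHOLD:
            alerts.append(("ICMP_FLOOD", src, f"{n} echo requests"))
    return alerts


# constructed sample capture (RFC 5737 documentation addresses for the outside hosts)
BROADCAST = {"10.0.0.255"}
SAMPLE_FRAMES = (
    [make_frame("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 56)]               # ordinary ping
    + [make_frame("10.0.0.1", "10.0.0.5", ECHO_REPLY, 56, ttl=128)]       # reply, Windows-like TTL
    + [make_frame("203.0.113.7", "10.0.0.5", ECHO_REQUEST, 1000)]         # oversized payload
    + [make_frame("203.0.113.7", "10.0.0.5", ROUTER_ADVERTISEMENT, 8)]    # type 9 from outside
    + [make_frame("198.51.100.2", "10.0.0.255", ECHO_REQUEST, 56)]        # ping to broadcast
    + [make_frame("203.0.113.9", "10.0.0.5", ECHO_REQUEST, 100, frag_off=65528)]  # ping of death
    + [make_frame("203.0.113.11", "10.0.0.5", ECHO_REQUEST, 32) for _ in range(60)]  # flood
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES, BROADCAST):
        print(*alert)
    print("reply sender looks like:", guess_os_from_ttl(parse(SAMPLE_FRAMES[1])["ttl"]))
```

The dsize check reproduces only the payload-size test of sid 499; a real IDS additionally applies the $EXTERNAL_NET -> $HOME_NET direction, which in production is what keeps large internal diagnostics from tripping the rule. Likewise the flood counter is a per-capture total; in a live sensor it would be a sliding window.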