TCP and UDP exist primarily to deliver upper-layer data across a network. Whether connection-oriented or connectionless, the process of delivering the data is fundamentally the same: identify the source and destination application ports, format the data accordingly, and hand the data to IP. This process works well when the network is functioning without error and when systems are operating correctly and know how to deliver data through routers and subnets to any destination, anywhere. The problem is that the network does not always work: routes fail, and data may not be deliverable (or it may need to be directed elsewhere to be delivered successfully). To facilitate this process, the ICMP protocol was developed. In many ways, ICMP functions as the traffic cop and policeman of the network. Because IP (and UDP) lack any mechanism for recognizing that failures may occur on the network, they need an external protocol that can provide information about routing failures and report delivery errors, congestion delays, and other conditions on the network. Like the traffic cop notifying motorists about congestion delays or blocked intersections (routers) on the street, ICMP provides a means to control the flow of traffic in an effort to ensure that the data can be reliably delivered. An important distinction to understand about ICMP is that it is an error-reporting mechanism, not an error-correcting mechanism. That means that although ICMP can notify hosts of error conditions, ICMP natively has no means of actually doing anything about the error condition. Instead, ICMP relies on other protocols, such as routing protocols or reliable protocols such as TCP, to account for and address the particular error condition. The most well-known use of ICMP is the ping application.
Ping is a network troubleshooting application that makes use of ICMP echo request and echo reply (detailed in the next section) messages to determine whether a host is responding to network traffic. This allows the user to determine the reachability and status of the target host in a pretty simple manner. If a target host responds, it is reachable and available. If it does not, depending on the echo reply message, either the target host, the target network, or a network somewhere between the source and destination is unreachable and unavailable. We talk more about ping in Chapter 13, "Troubleshooting Firewalls," and Appendix A, "Firewall and Security Tools."

Note: RFC 0792 and RFC 0950 define ICMP.

ICMP Message Structure

ICMP controls the data being transmitted over the network through the use of numerous message types. Each ICMP message type contains specific formatting related to its function, but most implement a header and data field of varying lengths. All ICMP messages begin with the same 32 bits of data. First, 8 bits of data known as the TYPE field define the ICMP type. Next, 8 bits of data known as the CODE field provide additional information specific to the message type. Then, 16 bits of data known as the CHECKSUM ensure that the data that is delivered is the same amount of data that was transmitted. Some of the more common message types are as follows:
Note: For a list of all ICMP message types, refer to http://www.iana.org/assignments/icmp-parameters.

Bad ICMP

ICMP is one of the most abused protocols out there, by the nature of what it exists to do. After all, if you want to attack a network or host, what better method is there than to use the protocol that is designed to control network traffic in general? Consequently, a common example of "bad" ICMP is allowing any ICMP traffic from untrusted sources onto your trusted networks. For example, if you allow ICMP redirects, you leave your Internet hosts susceptible to having their traffic routed to the wrong location. This could result in a DoS in the best case (because the traffic never makes it to the hosts that are requesting data) or in a data compromise (in the event that the data can be redirected to a host that the attacker controls). To address this, it is generally a good idea to block ICMP traffic, in particular between trusted and untrusted networks. The downside, of course, is that by blocking ICMP you also lose the benefits of ICMP, such as the ability to use ping to test the reachability of remote hosts. To mitigate this, most firewalls allow you to define which types of ICMP messages to permit or deny, thus letting you permit some ICMP traffic (such as time exceeded, destination unreachable, and echo replies) while blocking other ICMP traffic (such as redirects). ICMP messages themselves are also susceptible to manipulation (as occurs frequently with the insertion of bogus or extremely large amounts of data in an ICMP message in the hope that the target host cannot properly process the message, which may leave it in a vulnerable state). Perhaps the most well known of this kind of manipulation is the "ping of death," which transmitted a message that exceeded the 65,535-byte limit of the IP protocol, causing many target hosts to crash and resulting in a DoS.
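As an added example (not code from the book), the following Python sketch assembles and parses the common 32-bit ICMP header described in the message-structure section, verifies the RFC 1071 checksum, and applies the permit/deny policy from the Bad ICMP section. The type numbers are those in the IANA registry the text points to; the permit set, function names, and sample packets are assumptions constructed for illustration.

```python
import struct

# ICMP type numbers named in the text (values from the IANA registry)
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; caller zeroes the checksum field first."""
    if len(data) % 2:
        data += b"\x00"  # odd-length messages are padded with a zero byte for summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(msg_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble TYPE (8 bits), CODE (8 bits), CHECKSUM (16 bits), then type-specific data."""
    header = struct.pack("!BBH", msg_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", msg_type, code, csum) + rest + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the common header and report whether the checksum verifies over the whole message."""
    if len(packet) < 4:
        raise ValueError("ICMP message shorter than the 32-bit common header")
    msg_type, code, csum = struct.unpack("!BBH", packet[:4])
    # Summing the packet as received (checksum field included) yields 0 only if it is intact
    return {"type": msg_type, "code": code, "checksum": csum,
            "valid": icmp_checksum(packet) == 0}

# Policy from the text (assumed rule set): permit these inbound from untrusted networks,
# deny everything else, which covers redirects (type 5) and inbound echo requests
PERMIT_FROM_UNTRUSTED = {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED}

def filter_icmp(packet: bytes) -> str:
    """Return a 'permit: ...' or 'deny: ...' verdict for one ICMP message from an untrusted side."""
    try:
        hdr = parse_icmp(packet)
    except ValueError as e:
        return "deny: %s" % e
    if not hdr["valid"]:
        return "deny: bad checksum"
    if hdr["type"] in PERMIT_FROM_UNTRUSTED:
        return "permit: type %d" % hdr["type"]
    return "deny: type %d" % hdr["type"]
```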