Network Intrusion Detection, Third Edition.pdf

error conditions and issuing and responding to simple requests. Perhaps because of its seemingly benign origins, some of the current mutations of ICMP for less-than-upstanding purposes seem all the more outrageous. In its pure state, ICMP is supposed to be a relatively simple and chaste protocol, but it has been altered to act as a conduit for evil purposes. Therefore, it is important to understand how this protocol is used both for its intended purposes and for malicious purposes.

This chapter examines several aspects of ICMP. First, you are introduced to some background about ICMP followed by how ICMP is used to find live hosts on a target network. Next, you learn about both the expected and unexpected uses of ICMP that you might see in your own network. You then put this ICMP theory into action by analyzing some unusual detected ICMP activity. Finally, the discussion focuses on protecting your network by blocking inbound ICMP activity and the accompanying repercussions of doing so.

ICMP Theory

Before delving into examples of ICMP traffic, let's flesh out ICMP a little by giving it some foundation and perspective. If you are already familiar with the theory of ICMP, or if the sound of ICMP theory isn't high on your quiver quotient, you can skip to the section, "Mapping Techniques," and ping away.

Why Do You Need ICMP?

As you will recall from Chapter 2, "Introduction to TCPdump and TCP," TCP is a connection-oriented protocol with lots of overhead involved in ensuring reliable delivery. User Datagram Protocol (UDP) is a connectionless protocol that doesn't promise reliable delivery. Both UDP and TCP require a server port with which a client can communicate.

A simple request such as determining whether a host is alive, commonly known as ping, doesn't need ports to communicate and doesn't require reliable delivery. This request and several more use ICMP to deliver and respond to such traffic.

In addition, what if some kind of error condition is discovered by a router or a host, and that router or host needs to inform a sending source host of the problem? Because TCP is a more robust protocol, it handles some error conditions such as a nonlistening port by sending back a TCP response with the TCP flags of RESET/ACK set. If a TCP client or server receives too much information, it also has a mechanism to close down the receiving buffer by setting a window size of 0. This indicates that the receiving host cannot accept any more data until the current buffered data is processed.

However, UDP and IP aren't robust enough to communicate error conditions. If a UDP port is not listening or too much data is sent to a listening port, UDP has no way to convey these conditions. That is where ICMP comes in: It provides a simple means of communicating between hosts or a router and a host to alert them to some kind of problem situation.

Where Does ICMP Fit In?

The TCP/IP Internet layering model discussed in Chapter 1, "IP Concepts," is one representation of the different layers that form data and pass the data between hosts. Figure 4.1 illustrates this.

Figure 4.1. TCP/IP Internet model.

Starting at the top, you can see the high-level application layer activity that might represent a TCP/IP application such as telnet. Next is the transport layer, with such protocols as TCP and UDP that provide the end-to-end communication between hosts. Beneath that is the Internet layer, which is responsible for getting the datagram from source to destination. Finally, there is the network layer, which transmits the datagrams over the network.

You can see from this that ICMP is in the same network layer as IP. ICMP is encapsulated in the IP datagram after the IP header, but it is still considered to be in the same layer as IP.

Understanding ICMP

ICMP differs from TCP and UDP in several ways. For starters, ICMP has no port numbers like those found in the transport layer protocols UDP or TCP. The closest thing that ICMP has to a differentiation in services is an ICMP message type and code, the first 2 bytes in the ICMP header. These bytes tell the function of the particular ICMP message.

ICMP Types

Listing and exploring all the variations of ICMPs is beyond the scope of this book. However, www.iana.org/assignments/icmp-parameters is a great reference for those who want to know more about this topic.

Next, there is really no such thing as a client and server. In fact, when ICMP error messages are delivered, the receiving host might respond internally but might not communicate anything back to the informer. ICMP also gives no guarantees about the delivery of a message.

One of the unusual traits about ICMP is that services or ports do not have to be activated or listening. Just about every operating system can respond to an ICMP echo request (ping). The hard part is turning off the default behavior of responding to an ICMP echo request.

Another unique trait about ICMP is that it supports broadcast traffic. TCP requires an exclusive client/server unicast relationship, but ICMP isn't nearly as exclusive. As the "Smurf Attack" section of this chapter shows, ICMP's willingness to respond to broadcast traffic sometimes can cause problems.

A host uses ICMP for simple replies and requests, and it uses ICMP to inform another host of some kind of error condition. For instance, a receiving host might have a problem keeping up with the traffic that the sending host is delivering to it. One of the ways that a host can inform a sending host to throttle down the delivery rate is to send it an ICMP source quench message. ICMP is used as a mechanism by routers to inform a sending host of some kind of problem. A router might deliver an ICMP "admin prohibited" message to a sending host. This means that the sending host attempted to send some kind of traffic that was forbidden by an access control list statement of a router interface.
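To make the header layout described above concrete (the type and code in the first two bytes, followed by the checksum) and to show what an analyst can pull out of the error messages just mentioned (source quench, "admin prohibited"), here is an added example in Python. It is not code from the book; it parses the ICMP message out of a raw IPv4 datagram, verifies the RFC 1071 checksum, names the type and code using the IANA icmp-parameters assignments, and, for error messages, recovers the embedded original IP header and the original ports, which RFC 792 requires the sender to include. The sample packets are constructed for this example; the helper names `parse_icmp`, `build_ipv4` and `build_icmp` are this example's own.

```python
import struct

# ICMP type numbers (subset of IANA icmp-parameters)
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded"}
# Codes for type 3, destination unreachable (subset)
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 13: "communication administratively prohibited"}
# Error-message types that carry the original IP header + 8 bytes of its payload (RFC 792)
ERROR_TYPES = (3, 4, 5, 11)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(ip_packet: bytes) -> dict:
    """Locate the ICMP header after the IP header (IHL honoured), check it, and describe it."""
    if ip_packet[9] != 1:  # IP protocol field: 1 = ICMP
        raise ValueError("not ICMP (IP protocol != 1)")
    ihl = (ip_packet[0] & 0x0F) * 4
    icmp = ip_packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, recv_sum = struct.unpack("!BBH", icmp[:4])
    # Recompute the checksum with the checksum field zeroed, as the sender did
    calc = icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    result = {"type": icmp_type, "code": code,
              "name": ICMP_TYPES.get(icmp_type, "unknown"),
              "checksum_ok": calc == recv_sum}
    if icmp_type == 3:
        result["reason"] = UNREACH_CODES.get(code, "unknown")
    if icmp_type in ERROR_TYPES:
        inner = icmp[8:]  # the offending datagram's IP header + first 8 payload bytes
        inner_ihl = (inner[0] & 0x0F) * 4
        result["orig_src"] = ".".join(str(b) for b in inner[12:16])
        result["orig_dst"] = ".".join(str(b) for b in inner[16:20])
        result["orig_proto"] = inner[9]
        if inner[9] in (6, 17):  # TCP or UDP: ports are the first 4 bytes after the IP header
            result["orig_sport"], result["orig_dport"] = struct.unpack(
                "!HH", inner[inner_ihl:inner_ihl + 4])
    return result


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header, no options (IP checksum left zero; the parser ignores it)."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst)) + payload


def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """ICMP message with a correct checksum in bytes 2-3."""
    body = struct.pack("!BB", icmp_type, code) + b"\x00\x00" + rest
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


# Constructed sample 1: echo request (ping), id=1, seq=1, 8 bytes of data
ECHO_REQUEST = build_ipv4("10.0.0.5", "10.0.0.9", 1,
                          build_icmp(8, 0, struct.pack("!HH", 1, 1) + b"abcdefgh"))

# Constructed sample 2: a router (10.0.0.1) telling 10.0.0.5 that its TCP segment to
# 192.0.2.7 port 23 was blocked by an access list (type 3, code 13)
_ORIG_TCP = build_ipv4("10.0.0.5", "192.0.2.7", 6, struct.pack("!HHI", 40000, 23, 0))
ADMIN_PROHIBITED = build_ipv4("10.0.0.1", "10.0.0.5", 1,
                              build_icmp(3, 13, b"\x00\x00\x00\x00" + _ORIG_TCP[:28]))

# Constructed sample 3: a source quench (type 4) whose checksum has one bit flipped in transit
_ORIG_UDP = build_ipv4("10.0.0.5", "10.0.0.9", 17, struct.pack("!HHHH", 5000, 53, 8, 0))
_sq = build_icmp(4, 0, b"\x00\x00\x00\x00" + _ORIG_UDP[:28])
SOURCE_QUENCH_BAD = build_ipv4("10.0.0.9", "10.0.0.5", 1,
                               _sq[:2] + bytes([_sq[2] ^ 0x80]) + _sq[3:])

if __name__ == "__main__":
    for label, pkt in (("echo request", ECHO_REQUEST), ("admin prohibited", ADMIN_PROHIBITED),
                       ("bad source quench", SOURCE_QUENCH_BAD)):
        print(label, "->", parse_icmp(pkt))
```

The third sample is the case an analyst should watch for: a message whose type says "source quench" but whose checksum does not verify is not something a conforming stack would have sent, and is worth flagging rather than acting on. For the destination unreachable sample, the embedded header is what lets you tie the router's complaint back to the specific connection attempt (10.0.0.5 to 192.0.2.7 port 23) that triggered it.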

In a situation such as this, you would expect the router to be the sender of the message because it is the one forbidding the activity. However, a router also might intervene to inform a sending host about a condition when a destination host cannot respond. If the destination
