ICMP Attacks – Types & Codes For Log Analysis , Detection & Defense

0


Internet Control Message Protocol (ICMP) is used for reporting errors and performing network diagnostics. In the error reporting process, ICMP sends messages from the receiver to the sender when data does not come through as it should. Within the diagnostic process, ICMP is used to send messages that are used by ping and traceroute to provide information regarding how data is transmitted. It is a classic example of a client-server application.


It can be used to show:

  • when a specific End System (ES) isn’t responding,
  • when an IP network isn’t reachable,
  • when a node is overloaded,
  • when an IP header information error occurs, and so on.

The protocol is also frequently used by Internet managers to verify correct operations of End Systems (ES) and to check that routers are correctly routing packets to the specified destination address.

ICMP and ping are two different things although they are related. ICMP is a protocol that controls how messages are sent between devices. The echo requests and replies the ICMP protocol sends are commonly referred to as pings. So while a ping is produced using ICMP, it is not ICMP.

ICMP types and corresponding codes:

Many of these ICMP types have a “code” field. The types are listed below, along with the code fields that correspond to them.

TypeNameCode
0Echo Reply (used by “ping”)0-No code
1UnassignedNA
2UnassignedNA
3Destination Unreachable0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don’t Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication with Destination Network is Administratively Prohibited
10 Communication with Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect
4Source Quench 0-No code
5Redirect0 Redirect Datagram for the Network (or subnet)
1 Redirect Datagram for the Host
2 Redirect Datagram for the Type of Service and Network
3 Redirect Datagram for the Type of Service and Host
6Alternate Host Address0 Alternate Address for Host
7 Unassigned NA
8Echo (used by “ping”)0 No Code
9Router Advertisement0 Normal router advertisement
16 Does not route common traffic
10Router Selection 0 No Code
11Time Exceeded0 Time to Live exceeded in Transit
1 Fragment Reassembly Time Exceeded
12Parameter Problem0 Pointer indicates the error
1 Missing a Required Option
2 Bad Length
13Timestamp 0 No Code
14Timestamp Reply 0 No Code
15Information Request 0 No Code
16Information Reply 0 No Code
17Address Mask Request 0 No Code
18Address Mask Reply 0 No Code
19Reserved (for Security)NA
20-29Reserved (for Robustness Experiment)NA
30Traceroute NA
31Datagram ConversionNA
31ErrorNA
32Mobile Host Redirect NA
33IPv6 Where-Are-You NA
34IPv6 I-Am-Here NA
35Mobile Registration RequestNA
36Mobile Registration ReplyNA
37Domain Name RequestNA
38Domain Name ReplyNA
39SKIPNA
40Photuris0 = Bad SPI
1 = Authentication Failed
2 = Decompression Failed
3 = Decryption Failed
4 = Need Authentication
5 = Need Authorization

How Does ICMP Work?

ICMP is a unique protocol. No connection is formed. The message is sent in a straightforward manner. Furthermore, unlike TCP and UDP, which specify the ports to which data is carried, the ICMP message has no information that directs it to a specific port on the device that will receive it.

Also Read: Soc Interview Questions and Answers – CYBER SECURITY ANALYST

Why do we need ICMP?

  • ICMP is used to report errors.  ICMP always reports error message to the original source.
  • If any of the data did not arrive as expected, ICMP can be used to create errors that can be sent from the receiving device to the sending device whenever two devices are linked via the internet.
  • Extremely huge data packets, for example, may be too massive for a router to handle. The router will then discard the data packet and send an ICMP message to the sender notifying it of the problem.
  • The destination of the ICMP message is not an application program or user, but the IP software on the machine.
  • ICMP is used as a diagnostic tool to evaluate the performance of a network.

Utilities of ICMP:

PING: A ping is comparable to a traceroute, however it is easier to use. It shows how long data takes to travel between two places.  Sends ICMP Echo requests and monitors ICMP Echo replies.

TraceRoute: Sends a sequence of ICMP Echo requests with increasing TTL values starting from 1 and monitors the ICMP Time Exceeded Messages or ICMP Echo reply from destination. 

The devices that a packet of data passed through on its way to its destination are displayed in the report when the traceroute is utilized. The traceroute also shows how long it takes for the data to go from one device to the next. The traceroute information can be used to determine which devices along the route are causing delays.

ICMP attacks:

The ICMP protocol is also used to investigate network performance. Even though analysts are using the ICMP most of the time, hackers will put their dirty hands to target machines via ICMP attacks. An ICMP flood, a Smurf attack, and a ping of death attack are used to overwhelm a network device and prohibit regular performance.

Types:

  • ICMP Tunneling
  • ICMP Router Discovery
  • Smurf attack
  • Fraggle Attack
  • ICMP flood attack
  • Ping of death attack
  • Information Gathering
  • Trace Route
  • Port Scan
  • OS fingerprinting
  • Teardrop

Explanation:

ICMP Tunneling:

  • ICMP tunneling is a command-and-control (C2) attack mechanism that sends hostile traffic via perimeter defenses while remaining undetected. Malicious data is buried within normal-looking ICMP echo requests and echo replies as it passes through the tunnel.
  • Because ICMP is a trusted protocol that aids administrators, it’s common for ICMP messages to pass through firewalls and network segments that generally block inbound and outbound harmful traffic.
  • From little pieces of code to a big encapsulated HTTP, TCP, or SSH packet, malicious data can be inserted into an ICMP datagram. A datagram is similar to a packet, except it does not require a connection to be created or confirmation that the message was received (unlike connection-based protocols like TCP). ICMP datagrams include a data section that can carry a payload of any size
  • Several ICMP echo request and response messages are transmitted between the compromised device and the attacker-controlled C2 server over time, with each ICMP echo message containing distinct payloads of commands or exfiltrated data.
  • However, there are certain drawbacks to this method. To create custom ICMP datagrams, certain operating systems require root or local administrator rights, which can be difficult for an attacker to obtain.

How to Detect ICMP Tunneling:

  • It can be difficult to detect ICMP tunnel traffic. With echo messages with odd payloads, the software might legitimately test good network connections. Unencrypted payloads of ICMP communications can be analyzed more extensively using tools like Wireshark to see if they contain malicious content. To avoid detection, an attacker can still encrypt ICMP payloads.
  • Keep an eye on your network traffic for unusually high ICMP traffic volumes and non-standard or odd ICMP datagram sizes. Because genuine ICMP echo requests and responses contain unique IDs and payloads of a fixed or standard size, such as 64 bytes.
  • Tunneling traffic could be indicated by a network device sending ICMP messages with unusually big payloads or sending more ICMP messages than usual.
  • A defender can look into the transactions connected with the victim device to see if they communicated with a potentially dangerous external endpoint. You can also choose whether ICMP message network traffic should be allowed to leave the network.

How to Prevent ICMP Tunneling:

Since ICMP is important for maintaining stable network connections, limiting all ICMP traffic can be problematic. Threat intelligence-identified malicious endpoints and domains can be blocked at the perimeter. Firewalls can also be configured to prevent outbound pings to external endpoints and only allow fixed-sized ICMP packets through.

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

ICMP Router Discovery:

  • The IP address of surrounding routers is discovered via the ICMP router discovery protocol. “Router Advertisements” or “Router Solicitations” are the ICMP router discovery messages. A routing protocol is not the router discovery message.
  • Router advertisement is an ICMP message (type 9, code 0) with an advertisement lifetime. The fundamental disadvantage of the ICMP router discovery protocol is that it lacks any kind of authentication, making it hard for end hosts to determine whether the data they get is accurate.

Attack based on it:

  • Spoofing ICMP router discovery messages allows attackers to remotely add bogus route entries to a victim’s routing table. As a result, the frames would be forwarded to the erroneous address, and the victim’s system would be unable to connect to other networks. Such attacks can result in a Denial of Service attack, which can be quite damaging.
  • An attacker can use a man-in-the-middle attack, in which the attacker acts as a go-between for all communication between the source and the endpoint.

Mitigation:

Digital signatures and blocking all type 9 and type 10 ICMP packets are two techniques used to prevent ICMP route finding.

Smurf attack

An attacker uses a spoofed or forged IP address to send an ICMP packet in a Smurf attack. When network equipment responds, each response is forwarded to the falsified IP address, inundating the target with ICMP packets. When a type 8 is sent, a type 0 is returned, and when an echo request is sent, an ICMP echo reply is sent.

Smurf attack security measures:

Filters should be applied on L3 devices to prevent them from responding to broadcast addresses.  And to prevent address spoofing, implement filters on routers and firewalls. A LAN segment should be assigned an IP address, and communication should be dropped if the originating machine’s IP address is not in the range of IP addresses assigned to the segment.

Fraggle Attack

The Fraggle attack is similar to the Smurf attack, except instead of using the ICMP protocol, it uses the UDP protocol. The defense against these attacks is nearly comparable to the defense against Fraggle attacks.

ICMP flood attack

An ICMP flood bombards the target resource with ICMP Echo Request (ping) packets, sending them as quickly as possible and without waiting for responses. Because the victim’s servers will frequently attempt to respond with ICMP Echo Reply packets, this form of attack can use both outgoing and incoming bandwidth, resulting in a large overall system slowness.

Ping of death attack:

  • The attacker sends repeated faulty or malicious pings to a computer in a ping of death (POD) assault.
  • An IP packet can have a maximum length of 65,535 bytes (including the header). The Data Link Layer, on the other hand, normally sets a limit on the maximum frame size, such as 1500 bytes over an Ethernet network. A huge IP packet is divided into many IP packets (known as fragments) in this situation, and the destination host reassembles the fragments into the full packet. 
  • In a Ping of Death case, the recipient receives an IP packet that is bigger than 65,535 bytes when reassembled as a result of malicious fragment content alteration. This can cause genuine packets to be denied service due to overflowing memory buffers allocated for the packet.

Information Gathering

Sending an ICMP echo request (type 8) to target hosts should prompt them to react with ICMP echo reply messages is a standard approach to discover hosts on the network. To determine a live host, network topology, OS fingerprinting, ACL detection, and so on, multiple ways within the ICMP can be used.

TraceRoute

  • Traceroute is a network diagnostic tool used to track in real-time the pathway taken by a packet on an IP network from source to destination, reporting the IP addresses of all the routers it pinged in between.
  • ICMP traceroutes are used by Windows, while UDP traceroutes are used by Linux-based systems. When a traceroute is initiated from a Windows PC, three ICMP echo messages with a TTL of one are delivered to the target IP addresses.
  • The ping response will be either an ICMP Time Exceeded message (indicating that the responding host is not the destination) or an ICMP Destination Unreachable message (indicating that the responding host does not know how to reach the destination IP address in the traceroute packets).
  • When the ICMP reaches one hop, the TTL value is decremented by one, and an ICMP type 11 message is delivered back to the origin point when the TTL value hits zero.
  • The TTL value is increased by one in the following phase, and the procedure is continued until the proper destination address supplied in the traceroute command is found. As a result, this activity will log the source of each ICMP Time Exceeded Message to provide a trace of the packet’s journey to its destination.

Port Scan

  • There are a variety of scanners on the market that use ICMP to determine whether a port is open or not. ICMP packets are typically sent to each designated protocol on the target machine without any content. If you receive an ICMP Protocol Unreachable error message, it signifies the protocol isn’t being used.
  • ICMP Error Messages (Protocol/Port Unreachable) can be used to determine which IP addresses or LAN segments have open ports.

Also Read: Threat Hunting using Proxy Logs – Soc Incident Response Procedure

OS fingerprinting

Each Windows and Linux family uses a separate fingerprinting approach. Fingerprinting is a technique for determining the type of operating system a server is running by examining the ICMP packet response. Now, if the ICMP reply contains a TTL value of 128 or 64, it is a Windows machine, and if the ICMP reply contains a TTL value of 128 or 64, it is a Linux-based machine.

Teardrop

  • On the Internet, this form of attack is more widespread, and precautions must be made to protect against it.
  • When a machine is exposed to a teardrop attack, it will crash or reboot. Eventually, an attacker will use ICMP packets to launch a DOS attack. Teardrop attacks take advantage of overlapping IP fragments in machines. IP packets are fragmented, with each fragment containing the original IP packet’s header and a field that notifies the TCP/IP stack how many bytes it contains.
  • The packet is broken before being transferred from source to destination. The fragments must be placed back together at the destination point. Teardrop, on the other hand, results in overlapping fields in the IP fragments. When the destination attempts to reassemble them, it is unable to do so, and if it does not know how to join these packet pieces, it will fail rapidly.

IDS Detection Rules:

Below are some of IDS rules to ICMP types and codes related attacks

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP ISS Pinger”; itype:8; content:”ISSPNGRQ”; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP L3retriever Ping”; icode:0; itype:8; content:”ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI”; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP Nemesis v1.1 Echo”; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:”|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|”; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING NMAP”; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP icmpenum v1.1.1″; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP redirect host”; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP redirect net”; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP superscan echo”; dsize:8; itype:8; content:”|00 00 00 00 00 00 00 00|”; classtype:attempted-recon; sid:474; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP traceroute ipopts”; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP webtrends scanner”; icode:0; itype:8; content:”|00 00 00 00|EEEEEEEEEEEE”; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP Source Quench”; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP Broadscan Smurf Scanner”; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING speedera”; itype:8; content:”89|3A 3B|<=>?”; depth:100; classtype:misc-activity; sid:480; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP TJPingPro1.1Build 2 Windows”; itype:8; content:”TJPingPro by Jim”; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING WhatsupGold Windows”; itype:8; content:”WhatsUp – A Netw”; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING CyberKit 2.2 Windows”; itype:8; content:”|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|”; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP PING Sniffer Pro/NetXRay network scan”; itype:8; content:”Cinco Network, Inc.”; depth:32; classtype:misc-activity; sid:484; rev:4;)
alert icmp any any -> any any (msg:”ICMP Destination Unreachable Communication Administratively Prohibited”; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:”ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited”; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:”ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited”; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP digital island bandwidth query”; content:”mailto|3A|[email protected]”; depth:22; classtype:misc-activity; sid:1813; rev:5;)

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:”ICMP Large ICMP Packet”; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

Conclusion:

ICMP blocking is a difficult task. Spend as much time as possible learning everything there is to know about it. After that, you’ll be able to build your view and form an opinion on what’s better for your network.


Previous articleCRLF Injection – Attack Explained , Detection & Preventions
Next articleHow to Enable Packet Filtering With Open Source Iptables Firewall/Linux Firewall?
Ambitious Blue Teamer; Enthused Security Analyst

LEAVE A REPLY

Please enter your comment!
Please enter your name here