07 Apr, 2023

Internet Control Message Protocol (ICMP)

Penetration Testing as a service (PTaaS)

Tests security measures and simulates attacks to identify weaknesses.

ICMP is a protocol that is part of the Internet Protocol (IP) suite. It is used for sending error messages and operational information about network conditions between network devices, such as routers and hosts.

The full description of ICMP is “Internet Control Message Protocol”. It is a network layer protocol that is used by network devices to communicate with each other. It is designed to provide feedback about network issues, such as unreachable hosts or network congestion.

ICMP messages are typically generated automatically by network devices, such as routers or firewalls. Some common ICMP messages include “ping” requests and responses, which are used to test the reachability of a host on a network.

Standard commands from unauthorized users

Ping Flood Attack: This attack involves sending a large number of ICMP echo requests to a target system, causing it to become unresponsive to legitimate traffic.

Ping of Death Attack: This attack involves sending an oversized ICMP packet to a target system, causing it to crash or become unstable.

Smurf Attack: This attack involves sending a large number of ICMP echo requests to a network’s broadcast address, causing all hosts on the network to respond with ICMP echo replies to the target system, overwhelming it with traffic.

Tools for using protocol ICMP

Manual Tools:

  • Ping: One of the most basic and commonly used tools for testing ICMP. It sends an ICMP echo request packet to a target host and waits for a response.

  • Traceroute: A tool used to trace the path that an ICMP packet takes from a source host to a destination host. It sends a series of ICMP packets with increasing Time-to-Live (TTL) values and records the IP addresses of the routers that the packets pass through.

  • Hping: A command-line tool that can send various types of ICMP packets, including echo requests and timestamp requests. It can also be used to send TCP/UDP packets and perform other network testing functions.

  • Nmap: A popular network scanning tool that can be used to send ICMP packets to hosts and perform a variety of other network tests.

  • Netcat: A versatile networking utility that can be used to send and receive ICMP packets, as well as perform a variety of other network tasks.

  • fping: A ping utility that can send multiple ICMP echo requests at once and display the results in a list format.

  • Paping: A ping utility that can perform more advanced timing and performance measurements than the standard ping utility.

  • Smokeping: A web-based tool that can monitor network latency and packet loss by sending ICMP packets at regular intervals.

  • Icmpsh: A tool that allows remote command execution over ICMP echo request and reply packets. It can be used for network reconnaissance and penetration testing.

Automated Tools:

  • Zabbix: A network monitoring tool that can send ICMP packets to hosts and alert administrators when network issues arise.

  • PRTG: A network monitoring tool that can send ICMP packets to hosts and perform other network tests to monitor performance and availability.

  • Nagios: A popular network monitoring tool that can send ICMP packets to hosts and alert administrators when issues arise.

  • SolarWinds Network Performance Monitor: A comprehensive network monitoring tool that can send ICMP packets to hosts and perform other network tests to monitor performance and availability.

  • Spiceworks Network Monitor: A free network monitoring tool that can send ICMP packets to hosts and alert administrators when issues arise.

  • Nmap Scripting Engine (NSE): A feature of the Nmap network scanning tool that allows users to write custom scripts for sending ICMP packets and performing other network tests.

  • Wireshark: A network protocol analyzer that can capture and analyze ICMP packets, as well as other types of network traffic.

  • Scapy: A Python-based tool for network testing and packet manipulation that can send and receive ICMP packets, as well as other types of network traffic.

  • Netzob: A tool for reverse engineering network protocols that can be used to test ICMP implementations and analyze packet structures.

  • Metasploit Framework: A popular penetration testing tool that includes ICMP-based exploits for testing network security.

  • Cain and Abel: A Windows-based network testing tool that includes ICMP-based features for network scanning and penetration testing.

Last five known CVE for ICMP

CVE-2023-23415 – Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

CVE-2023-22411 – An Out-of-Bounds Write vulnerability in Flow Processing Daemon (flowd) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS). On SRX Series devices using Unified Policies with IPv6, when a specific IPv6 packet goes through a dynamic-application filter which will generate an ICMP deny message, the flowd core is observed and the PFE is restarted. This issue affects: Juniper Networks Junos OS on SRX Series: 19.2 versions prior to 19.2R3-S6; 19.3 versions prior to 19.3R3-S6; 19.4 versions prior to 19.4R3-S9; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S4; 20.4 versions prior to 20.4R3-S3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R3; 21.3 versions prior to 21.3R2; 21.4 versions prior to 21.4R2.

CVE-2023-22391 – A vulnerability in class-of-service (CoS) queue management in Juniper Networks Junos OS on the ACX2K Series devices allows an unauthenticated network-based attacker to cause a Denial of Service (DoS). Specific packets are being incorrectly routed to a queue used for other high-priority traffic such as BGP, PIM, ICMP, ICMPV6 ND and ISAKMP. Due to this misclassification of traffic, receipt of a high rate of these specific packets will cause delays in the processing of other traffic, leading to a Denial of Service (DoS). Continued receipt of this amount of traffic will create a sustained Denial of Service (DoS) condition. This issue affects Juniper Networks Junos OS on ACX2K Series: All versions prior to 19.4R3-S9; All 20.2 versions; 20.3 versions prior to 20.3R3-S6 on ACX2K Series; 20.4 versions prior to 20.4R3-S4 on ACX2K Series; All 21.1 versions; 21.2 versions prior to 21.2R3-S3 on ACX2K Series. Note: This issues affects legacy ACX2K Series PPC-based devices. This platform reached Last Supported Version (LSV) as of the Junos OS 21.2 Release.

CVE-2023-20051 – A vulnerability in the Vector Packet Processor (VPP) of Cisco Packet Data Network Gateway (PGW) could allow an unauthenticated, remote attacker to stop ICMP traffic from being processed over an IPsec connection. This vulnerability is due to the VPP improperly handling a malformed packet. An attacker could exploit this vulnerability by sending a malformed Encapsulating Security Payload (ESP) packet over an IPsec connection. A successful exploit could allow the attacker to stop ICMP traffic over an IPsec connection and cause a denial of service (DoS).

CVE-2022-45434 – Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

Useful information

ICMP is a third layer (network layer) protocol in the OSI seven-layer model. It helps diagnose network connectivity or data transmission issues between devices by sending, receiving, and processing ICMP messages to report connectivity issues to the source network device.

ICMP is a connectionless protocol used for network management purposes. It does not include associated processes involving establishing and closing connections, as TCP does, nor does ICMP allow for targeted ports on devices.

ICMP is a protocol that network devices, such as routers, use to generate error messages when network issues are preventing IP packets from getting through. ICMP creates and sends messages to the source IP address indicating that a gateway to the Internet, service, or host cannot be reached for packet delivery. 

ICMP is an error-reporting protocol that network devices such as routers use to generate error messages to the source IP address when network problems prevent the delivery of IP packets. 

Known banners

  • ICMP Echo Request (Ping Request): This type of ICMP packet is commonly used to test network connectivity between two devices. It sends an echo request to a target host and waits for a reply. If the target host responds, it indicates that there is connectivity between the two devices.

  • ICMP Destination Unreachable: This type of ICMP packet is sent by a router or other network device to indicate that it is unable to deliver an IP packet to its destination. The error message may indicate the reason for the failure, such as an unknown host, network congestion, or a firewall blocking the traffic.

  • ICMP Time Exceeded: This type of ICMP packet is sent by a router or other network device to indicate that an IP packet has exceeded its time-to-live (TTL) value and has been discarded. The error message may indicate the hop count at which the packet was discarded, which can help diagnose routing issues.

  • ICMP Redirect: This type of ICMP packet is sent by a router to a device to inform it that a better route to a destination exists. The packet contains the IP address of the new gateway to use for the destination.

Books for studies ICMP 

ICMP by Beau Williamson: This book covers the ICMP protocol in detail, including its history, structure, and uses for network troubleshooting and management.

TCP/IP Illustrated, Volume 1: The Protocols by W. Richard Stevens: While not specifically focused on ICMP, this classic book covers the TCP/IP protocol suite in detail, including ICMP and its uses for network management and troubleshooting.

Practical Packet Analysis, Third Edition: Using Wireshark to Solve Real-World Network Problems by Chris Sanders: This book focuses on using the Wireshark network protocol analyzer to analyze and troubleshoot network problems, including issues related to ICMP.

Computer Networking Problems and Solutions: An innovative approach to building resilient, modern networks by Russ White and Ethan Banks: This book covers a range of networking topics, including ICMP and its uses for network management and troubleshooting.

Routing TCP/IP, Volume II: CCIE Professional Development by Jeff Doyle and Jennifer DeHaven Carroll: This book is aimed at networking professionals preparing for the CCIE certification exam and covers advanced networking topics, including ICMP and its use in network management and troubleshooting.

List of Payload for ICMP

  • ICMP Echo Request (Ping Request): This message includes a payload of arbitrary data that is sent to the target host. The payload can be used for testing network connectivity or measuring network latency.

  • ICMP Information Request: This message includes a payload that specifies the type of information being requested, such as the time on the target host or its network configuration.

  • ICMP Router Advertisement: This message includes a payload that specifies the network prefix and other configuration information for routers on the local network.

  • ICMP Redirect: This message includes a payload that specifies the IP address of the new gateway to use for a destination.

  • ICMP Address Mask Request: This message includes a payload that specifies the subnet mask for the target host’s network.

Mitigation

  1. One of the simplest ways to mitigate ICMP attacks is to filter ICMP traffic at the network edge using a firewall or intrusion prevention system (IPS). This can be done by blocking certain types of ICMP messages or limiting the rate of ICMP traffic.

  2. Another strategy is to limit the rate of ICMP traffic that is allowed to enter the network. This can help prevent ICMP flood attacks, which overwhelm a network with a large volume of ICMP traffic.

  3. Many routers have built-in mechanisms to limit the rate of ICMP traffic. Enabling these features can help prevent ICMP-based attacks and improve network stability.

  4. Network intrusion detection and prevention systems (IDS/IPS) can help detect and block attacks that abuse ICMP. These systems can be configured to alert administrators or automatically block traffic that meets certain criteria.

  5. Monitoring ICMP traffic can help identify unusual patterns or spikes in traffic that may indicate an attack. Network administrators can use tools like Wireshark or tcpdump to capture and analyze ICMP traffic.

Conclusion

ICMP is a crucial protocol used for network management, error reporting, and diagnostic purposes. It is an integral part of the Internet infrastructure and is used by virtually all network devices. ICMP messages are typically small and are used to report errors or provide information about network conditions.

While ICMP is an important protocol, it can also be used for malicious purposes, such as DoS attacks. To mitigate the risks associated with ICMP-based attacks, network administrators can use a variety of techniques, including filtering ICMP traffic, limiting the rate of ICMP traffic, and using IDS/IPS systems to detect and block attacks.

Other Services

Ready to secure?

Let's get in touch