ICMP Overview

May 30, 2018

Viet Bui
  • 8/9/2019 ICMP Overview

    1/55

    - Introduction
      i. ICMP Position
      ii. ICMP Packets
    - Basic Functionality
    - Header Format
    - ICMP Functions
    - ICMP Message Classes
    - Types of Messages
    - ICMP Applications: Ping, Traceroute
    - Issues
    - Conclusion

    Introduction

    ICMP is an error reporting protocol.

    ICMP is part of the Internet protocol suite and is defined in RFC 792.

    It corrects the network problems as a whole but does not correct the individual packet problems.

    ICMP is a complementary protocol to IP that resides on the network layer.

    ICMP is a communication protocol between IP protocol implementations on two connected systems.

    It provides feedback to the sender on problems, as well as internet settings such as subnet masks.

    ICMP packets are sent in IP datagrams.

    Two levels of encapsulation occur when an ICMP message is transmitted across a physical network.

    [Figure: the ICMP message (ICMP Header, ICMP Data Area) sits in the IP Data Area behind the IP Header; the IP datagram sits in the Frame Area behind the Frame Header.]

    [Figure: Host A sends an IP datagram toward Host B; there is a problem in router R3, and an ICMP message goes back to Host A.]

    ICMP has a fixed header of 4 bytes:

    - Type: type of message

    - Code: subtype of message

    - Checksum: 1's complement, computed over the entire ICMP message

    - Checksum field is set to zero while the checksum is computed
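The header layout and checksum rule above, as an added example that is not part of the original slides: it builds an Echo Request, computes the one's-complement checksum with the checksum field zeroed, and verifies a received message. The identifier, sequence number and payload are constructed values.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd length with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0; the checksum is computed with its own field set to zero."""
    body = struct.pack("!HH", ident, seq) + payload
    zeroed = struct.pack("!BBH", 8, 0, 0) + body
    return struct.pack("!BBH", 8, 0, inet_checksum(zeroed)) + body

def parse_icmp(msg: bytes) -> dict:
    """Split the fixed 4-byte header and verify the checksum."""
    if len(msg) < 4:
        raise ValueError("shorter than the 4-byte ICMP header")
    mtype, code, cksum = struct.unpack("!BBH", msg[:4])
    # A message summed together with its own correct checksum yields 0.
    return {"type": mtype, "code": code, "checksum": cksum,
            "valid": inet_checksum(msg) == 0, "data": msg[4:]}

# Constructed samples: one intact message and one with a single flipped bit.
SAMPLE = build_echo_request(0x1234, 1, b"abcdefgh")
CORRUPT = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])
```
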

    Announce Network Errors:

    A kind of failure causes a host or the entire network to be unreachable.

    Announce Network Congestion:

    Too many packets are buffered by the router, but it cannot transmit them at the same speed, which causes network congestion.

    Assist Troubleshooting:

    ICMP supports an Echo function which sends a packet on a round trip between two hosts.

    Announce Timeouts:

    If an IP packet's TTL field drops to zero, the router discards that packet and generates an ICMP message indicating this fact.

    Error Messages: These messages are used to provide feedback to a source device about an error that has occurred. They are usually generated specifically in response to some sort of action, usually the transmission of a datagram. Errors are usually related to the structure or content of a datagram, or to problem situations on the internetwork encountered during datagram routing.

    Informational (or Query) Messages: These are messages that are used to let devices exchange information, implement certain IP-related features, and perform testing. They do not indicate errors and are typically not sent in response to a regular datagram transmission. They are generated either when directed by an application, or on a regular basis to provide information to other devices. An informational ICMP message may also be sent in reply to another informational ICMP message, since they often occur in request/reply or solicitation/advertisement functional pairs.

    ICMP Message Types

    Type  Description
    0     Echo Reply (Ping Reply, used with Type 8, Ping Request)
    3     Destination Unreachable
    4     Source Quench
    5     Redirect
    8     Echo Request (Ping Request, used with Type 0, Ping Reply)
    9     Router Advertisement (Used with Type 9)
    10    Router Solicitation (Used with Type 10)
    11    Time Exceeded
    12    Parameter Problem
    13    Timestamp Request (Used with Type 14)
    14    Timestamp Reply (Used with Type 13)
    15    Information Request (obsolete) (Used with Type 16)
    16    Information Reply (obsolete) (Used with Type 15)
    17    Address Mask Request (Used with Type 17)
    18    Address Mask Reply (Used with Type 18)

    Message Types Contd.

    The DESTINATION UNREACHABLE message is used when the subnet or a router cannot locate the destination.

    The TIME EXCEEDED message is sent when a packet is dropped because its counter has reached zero. This event is a symptom that packets are looping, that there is enormous congestion, or that the timer values are being set too low.

    The PARAMETER PROBLEM message indicates that an illegal value has been detected in a header field. This problem indicates a bug in the sending host's IP software or possibly in the software of a router transited.

    The SOURCE QUENCH message was formerly used to throttle hosts that were sending too many packets. When a host received this message, it was expected to slow down. It is rarely used any more when congestion occurs.

    If a router finds that a network is congested, the router sends an ICMP source quench message to the source.

    The source then sets the window size to minimum after receiving this message.

    Message Types Contd.

    The REDIRECT message is used when a router notices that a packet seems to be routed wrong. It is used by the router to tell the sending host about the probable error.

    The ECHO and ECHO REPLY messages are used to see if a given destination is reachable and alive. Upon receiving the ECHO message, the destination is expected to send an ECHO REPLY message back.

    The TIMESTAMP REQUEST and TIMESTAMP REPLY messages are similar, except that the arrival time of the message and the departure time of the reply are recorded in the reply. This facility is used to measure network performance.

    Destination Unreachable Codes

    Code  Definition
    0     Net Unreachable
    1     Host Unreachable
    2     Protocol Unreachable
    3     Port Unreachable
    4     Fragmentation needed & Don't Fragment was set
    5     Source Route failed
    6     Destination Network Unknown
    7     Destination Host Unknown
    8     Source Host Isolated
    9     Communication Destination Network is Administratively Prohibited
    10    Communication Destination Host is Administratively Prohibited
    11    Destination Network Unreachable for Type of Service
    12    Destination Host Unreachable for Type of Service
    13    Communication Administratively Prohibited
    14    Host Precedence Violation
    15    Precedence Cutoff Violation

    Redirect Codes

    Code  Definition
    0     Redirect Datagram for the Network (or subnet)
    1     Redirect Datagram for the Host
    2     Redirect Datagram for the Type of Service & Network
    3     Redirect Datagram for the Type of Service & Host

    Time Exceeded Codes

    Code  Definition
    0     Time to Live Exceeded in Transit
    1     Fragment Reassembly Time Exceeded

    Parameter Problem Codes

    Code  Definition
    0     Pointer Indicates the Error
    1     Missing a Required Option
    2     Bad Length

    ICMP APPLICATIONS

    The two important applications based on ICMP are:

    - PING

    - Traceroute

    Ping:

    - A program for checking if a host is alive

    - Exists in most operating systems

    - Sends an ICMP message of type Echo Request

    - Receiver answers with an ICMP message of type Echo Reply

    Format:

    Ping ip address.

    Ping 192.161.72.1

    What can Ping tell you?

    - If packets have been dropped, duplicated or reordered.

    - Detects some forms of damaged packet.

    - Round Trip Time (RTT): how long each packet exchange took.

    - Other ICMP messages.

    What Ping cannot tell:

    - Ping cannot provide reasons why packets go unanswered.

    - Ping cannot tell why a packet was damaged, duplicated or delayed.

    - Ping cannot give you a blow-by-blow description of every host that handled the packet and everything that happened at every step of the way.

    Ping

    The PING utility is actually an ICMP Echo process.

    An ICMP Echo Request packet consists of an Ethernet header, IP header, ICMP header, and some undefined data.

    This packet is sent to the target host, which echoes back that data, as shown in Figure 4-1.

    The ICMP echo request is a connectionless process with no guarantee of delivery.

    [Figure: ICMP Echo Request and ICMP Echo Reply]

    EVENT FLOW DIAGRAM

    TRACEROUTE:

    Traceroute measures the number of hops required to reach a destination.

    It sends an IP packet with Time To Live (TTL) set to 1. When a router decrements the TTL to zero, it discards the packet and sends an ICMP packet to the source to inform it of the problem.

    It repeats this with increasing TTL values.

    Maximum Transmission Unit (MTU)

    When a router receives a datagram that is larger than the MTU of the network over which it is to be sent, the router divides the datagram into smaller pieces called fragments.

    [Figure: An IP datagram divided into three fragments. Each fragment carries some data from the original datagram, and has an IP header similar to the original datagram.]

    MAXIMUM TRANSMISSION UNIT

    Another application of ICMP is to determine the MTU along a path.

    Sending packets with the do not fragment flag will cause a node to send an ICMP message back to the source when a packet needs to be fragmented. This ICMP message includes the maximum packet size allowed at that point.

    IP can adjust to sending packets that won't fragment along the way.
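Both the traceroute slide and the MTU slide above rely on ICMP errors that quote the offending datagram. The following added example (not from the original slides) decodes Time Exceeded and Fragmentation Needed messages, reads the next-hop MTU field defined in RFC 1191, and ties the error back to the probe that caused it. The addresses, ports and the helper `_sample` are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

def parse_icmp_error(msg: bytes) -> dict:
    """Decode an ICMP error and the probe datagram quoted inside it."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("too short for ICMP header + quoted IP header + 8 bytes")
    mtype, code, _cksum, _unused, low16 = struct.unpack("!BBHHH", msg[:8])
    quoted = msg[8:]
    ihl = (quoted[0] & 0x0F) * 4              # quoted IP header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        raise ValueError("quoted datagram is not a usable IPv4 header")
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    info = {
        "type": mtype, "code": code,
        "probe_src": str(IPv4Address(quoted[12:16])),
        "probe_dst": str(IPv4Address(quoted[16:20])),
        "probe_proto": quoted[9],
        "probe_ports": (sport, dport),        # meaningful for UDP/TCP probes only
        "next_hop_mtu": None,
    }
    # Type 3 code 4: the low 16 bits of the second header word carry the
    # next-hop MTU (RFC 1191). Zero means the router did not fill it in,
    # so the sender has to fall back to guessing a smaller size.
    if (mtype, code) == (3, 4) and low16:
        info["next_hop_mtu"] = low16
    return info

def matches_probe(info: dict, src: str, dst: str, dport: int) -> bool:
    """Accept the error only if it quotes a datagram this host actually sent."""
    return (info["probe_src"], info["probe_dst"], info["probe_ports"][1]) == (src, dst, dport)

def _sample(mtype: int, code: int, mtu: int) -> bytes:
    # Constructed input: UDP probe 192.0.2.10 -> 198.51.100.7:33434, checksums left zero.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 1, 17, 0,
                     IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.7").packed)
    udp = struct.pack("!HHHH", 40000, 33434, 1480, 0)
    return struct.pack("!BBHHH", mtype, code, 0, 0, mtu) + ip + udp

TIME_EXCEEDED = _sample(11, 0, 0)      # what a traceroute hop returns
FRAG_NEEDED = _sample(3, 4, 1400)      # Don't Fragment set, next link MTU 1400
FRAG_NEEDED_OLD = _sample(3, 4, 0)     # router that leaves the MTU field zero
```

Checking the quoted header before acting on the error keeps a host from lowering its path MTU or recording a hop because of a message unrelated to its own traffic.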

    Issues:

    ICMP redirect messages can be used to trick routers and hosts acting as routers into using "false" routes; these false routes would aid in directing traffic to an attacker's system instead of a legitimate trusted system.

    This could in turn lead to an attacker gaining access to systems that normally would not permit connections to the attacker's system or network.

    Older versions of UNIX could drop all connections between two hosts even if only one connection was experiencing network problems.
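For the redirect issue above, an added example (not from the original slides) of the sanity checks RFC 1122 asks a host to apply before it acts on an ICMP Redirect: the new gateway must be on the connected subnet, and the redirect must come from the host's current first-hop gateway. All addresses and the helper `_redirect` are constructed.

```python
import struct
from ipaddress import IPv4Address, ip_network

def check_redirect(msg: bytes, sender: str, link_net: str, current_gw: str) -> str:
    """Apply the RFC 1122 host checks to an ICMP Redirect (type 5).

    sender     - source address of the IP datagram that carried the redirect
    link_net   - connected subnet of the interface it arrived on
    current_gw - this host's present first-hop gateway for the quoted destination
    """
    if len(msg) < 8 + 20 or msg[0] != 5:
        raise ValueError("not an ICMP Redirect with a quoted IP header")
    if msg[1] > 3:
        return "discard: unknown redirect code"
    new_gw = IPv4Address(msg[4:8])            # gateway address field
    dest = IPv4Address(msg[8 + 16:8 + 20])    # destination of the quoted datagram
    if new_gw not in ip_network(link_net):
        return "discard: new gateway is not on the connected subnet"
    if IPv4Address(sender) != IPv4Address(current_gw):
        return "discard: sender is not the current first-hop gateway"
    return f"accept: route {dest} via {new_gw}"

def _redirect(new_gw: str, dest: str) -> bytes:
    # Constructed message: code 1 (host redirect), checksums left zero (not verified here).
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                         IPv4Address("192.0.2.20").packed, IPv4Address(dest).packed)
    return struct.pack("!BBH4s", 5, 1, 0, IPv4Address(new_gw).packed) + quoted + bytes(8)

GOOD = _redirect("192.0.2.2", "198.51.100.7")          # alternate router on the same subnet
OFF_LINK = _redirect("203.0.113.66", "198.51.100.7")   # gateway outside the subnet
```

These checks narrow what a redirect can do but do not authenticate it, since the source address of the carrying datagram can itself be forged.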

    Smurf DoS Attack

    Send a ping request to a broadcast address (ICMP Echo Request).

    Lots of responses:

    - Every host on the target network generates a ping reply (ICMP Echo Reply) to the victim.

    - The ping reply stream can overload the victim.

    [Figure: (1) the DoS source sends an ICMP Echo Request through the gateway with Src: DoS target, Dest: broadcast address; (3) ICMP Echo Replies are sent with Dest: DoS target.]

    Disable IP-directed broadcasts at your leaf routers, to deny IP broadcast traffic onto your network from other networks (in particular from the Internet).

    A forged source is required for the attack to succeed. Routers must filter outgoing packets that contain source addresses not belonging to local subnetworks.
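The two router-side filters described above, written out as decision logic in an added example that is not part of the original slides. The subnets and the traffic list are constructed from documentation address ranges; a real router applies the same rules through its own configuration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: the subnets behind one leaf router.
LOCAL_NETS = [ip_network("192.0.2.0/25"), ip_network("192.0.2.128/26")]

def is_directed_broadcast(dst, nets=LOCAL_NETS):
    """True if dst is the broadcast address of one of the local subnets."""
    addr = ip_address(dst)
    # /31 and /32 prefixes have no broadcast address, so skip them.
    return any(n.prefixlen < 31 and addr == n.broadcast_address for n in nets)

def inbound_verdict(dst, nets=LOCAL_NETS):
    """Packet arriving from another network, headed into the local subnets."""
    return "drop: IP-directed broadcast" if is_directed_broadcast(dst, nets) else "forward"

def outbound_verdict(src, nets=LOCAL_NETS):
    """Packet leaving the local subnets: the source must belong to one of them."""
    inside = any(ip_address(src) in n for n in nets)
    return "forward" if inside else "drop: source not in a local subnet"

def audit(packets, nets=LOCAL_NETS):
    """packets: (direction, src, dst) tuples; returns one verdict per packet."""
    return [inbound_verdict(dst, nets) if direction == "in" else outbound_verdict(src, nets)
            for direction, src, dst in packets]

# Constructed traffic, labelled by the direction it crosses the router.
SAMPLE = [
    ("in",  "203.0.113.9",  "192.0.2.127"),    # addressed to the /25 broadcast
    ("in",  "203.0.113.9",  "192.0.2.20"),     # ordinary unicast
    ("in",  "203.0.113.9",  "192.0.2.191"),    # addressed to the /26 broadcast
    ("out", "192.0.2.20",   "198.51.100.7"),   # legitimate local source
    ("out", "198.51.100.7", "203.0.113.255"),  # source that is not local
]
```
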

    ICMP is an error reporting and network management system.

    ICMP provides vital feedback about IP routing and delivery problems.

    Although ICMP messages fall within various well-documented types, and behave as a separate protocol at the TCP/IP Network layer, ICMP is really part and parcel of IP itself, and its support is required in any standards-compliant IP implementation.

    QUESTIONS?

    1. Where is ICMP placed in the OSI model?
       Next to IP in the network layer

    2. Can ICMP report error in ICMP messages itself?
       No.

    3. What are the two most important applications of ICMP?
       PING
       TraceRoute

    4. What are the two message classes in ICMP?
       Error messages
       Information messages

    http://www.ietf.org/rfc/rfc792.txt

    http://www.softpanorama.org/Net/Internet_layer/icmp.shtml

    http://www.cs.princeton.edu/~mef/research/napt/reports/usenix98/presentation/sld008.htm

    http://www.kbcafe.com/articles/HowTo.PING.pdf

    http://en.wikipedia.org/wiki/ICMP

    http://www.freesoft.org/CIE/Topics/81.htm
    Thank You