Introduction to ICMP
There are many security tools (such as firewalls, network intrusion devices and routers) out there that can alert network administrators of any penetrations or attacks that are occurring. But these devices, for the most part, can only detect those cyberthreats coming from the external environment.
What is also needed is some sort of detection system that can alert the network administrator of any unknown or suspicious activity that is occurring from within the various network segments.
This is where the Internet Control Message Protocol (also known as the “ICMP”) comes into play.
A review of the Internet Protocol Suite
Before reviewing all of the technical aspects of the ICMP, it is important to note that this protocol operates and supports network-based activity in what is also known as the “Internet Protocol Suite.” This model consists of the following four layers:
- The Application Layer: This is the layer in which various applications create information and data which can be communicated to other applications which reside on the same host, or even an entirely different host. It is this particular layer in which the various networking topologies are theoretically located, such as the Peer-to-Peer and Client-Server (as described previously). The higher-level network protocols are also used and supported at this layer, including the following:
- Simple Mail Transfer Protocol (SMTP)
- File Transfer Protocol (FTP)
- Secure Shell (SSH)
- Hypertext Transfer Protocol (HTTP)
- The Transport Layer: This is the layer in which the actual network communications take place between different hosts that reside on the same network segment (such as those found on a LAN) or even an entirely different one (such as those found on a WAN). The most widely used communications protocol in this layer is the Transmission Control Protocol, or TCP.
- The Internet Layer: This specific layer provides the actual networking interface that defines and establishes the actual Internet as we know it today. The primary network protocol that is used here is the Internet Protocol or IP, and this defines the actual IP address.
- The Link Layer: This particular layer consists of all of the protocols that are required to interconnect all of the LANs located near each other.
Definition of ICMP
ICMP is an error-reporting protocol used to generate error messages to the source IP address when network problems prevent the delivery of packets. ICMP creates and sends messages to the source IP address indicating that a gateway to the Internet, service or host cannot be reached for packet delivery. (Source)
Put in simpler terms, imagine this scenario: suppose that the Primary Domain Controller (PDC) is responding to network requests that have been transmitted by the client computers. In response to these requests, the PDC attempts to make the shared resources (such as files and applications) available.
Obviously, these shared resources will be transmitted via the data packets to the client computers. But if a shared resource cannot reach its ultimate destination, then an error message is transmitted back to the PDC notifying it that the delivery of the data packets can’t be completed and that they are being returned to it.
This error reporting functionality is made available specifically by the ICMP. Thus, it is very important to keep in mind that the ICMP itself does not transmit the data packet. It only transmits the relevant error message as to why they cannot be delivered to the final destination. Because of this, the ICMP is not used in delivering the shared resources to the client computer. In other words, it is not a transport protocol that transmits information and data. Rather, the ICMP is heavily used by network administrators to pinpoint and troubleshoot any Internet connections from within the network Infrastructure by making use of diagnostic tools like Ping and Traceroute.
There are many reasons why data packets cannot reach their final destination. For example, there could be an issue with a router or hub in forwarding them onto the next point. There could be a “hiccup” in the network that is interfering with the normal flow of data packets. There could be a disconnection that exists somewhere in the network infrastructure, or even a cyberattack underway.
The ICMP is used in both Internet Protocols, which are:
- The Internet Protocol version 4 (also known as IPv4)
- The Internet Protocol version 6 (also known as the IPv6)
A technical review of the ICMP
From a historical perspective, there have been different versions of the ICMP. It was created and established by Jon Postel, who has been credited with playing a fundamental role in the implementation of the Internet as we know it today. The first ICMP standard was formulated in April of 1981 and was originally published in RFC 777.
The ICMP has been through several iterations, and the one that is being used today made its appearance in RFC 792 and can be seen here. This version of the ICMP was published by the Internet Engineering Task Force in September 1981.
Because the ICMP technically resides at the Internet layer, it is actually carried by the IP packets and not the data packets that transmit the information and data from the source to the destination. The ICMP messages are sent via what are known as datagrams. More information about what that specifically is can be seen here.
The datagram contains an IP header that entirely covers or encapsulates the error message that resides in the ICMP. It is important to note that the error messages contained in the ICMP also contain the IP header from the data packet that was unable to reach its final destination. Because of this functionality, the PDC will know the data packet that could not be delivered.
When the ICMP is used in IPv4 or IPv6, the ICMP shows up after the IP packet headers of these two protocols. The ICMP is specifically identified as Protocol Number 1 and is broken down in the following order:
- The IPv4/IPv6 packet header
- A three-field ICMP header which consists of the following:
- The code that identifies the specific error message
- A “minor code” that contains more information about the error message
- A checksum that allows for the network administrator to check the integrity of the ICMP. A checksum is simply a sequence of alphanumeric characters. The network administrator uses this functionality to make sure that there are no intentional or unintentional alterations made to the ICMP
- The original data packet header which failed delivery; typically, this is about 8 bytes worth of information/data payload
The following matrix examines the codes and their corresponding messages and other pieces of information/data that are generated by the ICMP:
| Error Code | Error Message |
| --- | --- |
| 0 | Echo reply: used by the Ping utility |
| 3 | Destination unreachable: the final destination for the data packet cannot be reached |
| 4 | Source quench: the router is overloaded with processing incoming data packets |
| 5 | Redirect: a different router must be used |
| 8 | Echo request: used by the Ping utility |
| 9 | Router advertisement |
| 10 | Router solicitation |
| 11 | Time exceeded: used by the Traceroute utility |
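As an added example (not code from the article), the following Python parses the header layout described above: the type, the code, the checksum, the 4-byte "rest of header", and, for the error types, the quoted IPv4 header of the datagram that failed delivery. The checksum routine follows RFC 1071, and the sample messages, addresses and the type 12 (Parameter Problem) table entry are constructed for this example.

```python
import struct

# Type numbers from the table above, plus 12 (Parameter Problem, RFC 792).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 9: "Router Advertisement",
              10: "Router Solicitation", 11: "Time Exceeded", 12: "Parameter Problem"}
ERROR_TYPES = {3, 4, 5, 11, 12}   # these quote the failed datagram's IP header + 8 bytes

def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes = b"") -> bytes:
    """Assemble type/code/checksum + 4-byte 'rest of header' + body, filling the checksum in."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message; for error types also decode the quoted IPv4 header."""
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "name": ICMP_TYPES.get(icmp_type, "Unknown"),
            "code": code, "checksum": csum,
            # summing the whole message, checksum field included, yields 0 only if intact
            "checksum_ok": icmp_checksum(msg) == 0,
            "body": msg[8:]}
    if icmp_type in ERROR_TYPES and len(msg) >= 28:
        ip = struct.unpack("!BBHHHBBH4s4s", msg[8:28])   # quoted original IPv4 header
        info["orig_src"] = ".".join(map(str, ip[8]))
        info["orig_dst"] = ".".join(map(str, ip[9]))
        info["orig_proto"] = ip[6]
        info["orig_first8"] = msg[28:36]                 # first 8 bytes after that header
    return info

# Constructed samples: an Echo Request (identifier 0x1234, sequence 1) ...
ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
# ... and a Time Exceeded quoting a constructed IPv4 header (10.0.0.5 -> 192.0.2.9, UDP)
ORIG_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 1, 0, 1, 17, 0,
                      bytes([10, 0, 0, 5]), bytes([192, 0, 2, 9]))
TIME_EXCEEDED = build_icmp(11, 0, b"\x00" * 4, ORIG_IP + b"\x9c\x40\x82\x9b\x00\x10\x00\x00")

if __name__ == "__main__":
    for m in (ECHO, TIME_EXCEEDED, ECHO[:-1] + b"X"):   # the last one is a corrupted copy
        print(parse_icmp(m))
```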
It is important to note at this point that one of the events that triggers an ICMP message is the expiry of the “Time to Live” or TTL. This metric represents the maximum number of routers that a data packet can be sent through and is numerically decreased by a value of 1 each time the data packet is processed by a specific router. If for some reason the TTL value falls to zero, the data packet is then dropped from the network flow and this is reported back to the PDC.
Just because a data packet was dropped from the network flow because of a TTL, this does not mean that the data packet by itself is malformed in any way, or that there are any problems with router(s) that is (are) being used. The TTL was created in an effort to reduce backlogs in network traffic, and to make sure that the network flow remains consistent and efficient.
The next section examines the error messages generated by the ICMP in more detail.
The error messages reported by the ICMP
As can be seen from the above matrix, there are four primary error messages that are generated by the ICMP. These are:
- The Source Quench Error Message: This is a message generated by the source computer to curtail or decrease the flow of network traffic that is being sent to the destination computer. In other words, the PDC is detecting that the rate of data packet transmission is too high and needs to slow down in order to ensure that the destination computer receives all of the data packets that it is supposed to get
- The Parameter Problem Message: The checksum functionality was described in the last section. This is provided in order to provide some level of assurance to the network administrator that the ICMP has remained intact
- The Time Exceeded Error Message: This is the same as the Time to Live network-based event
- The Destination Unreachable Error Message: This message is generated when a data packet cannot reach its final destination for some reason or another. For example, there could be hardware failures, port failures, network disconnections and more
- The Redirection Error Message: This is when the source computer (such as the PDC) requests that the flow of data packets be sent along another route than what was originally planned for. This is often done in order to optimize the network traffic, especially if there is a different way in which the data packets can reach their destination in a shorter period of time. This will mean updating the routing tables in the associated routers involved
The common applications of the ICMP
There are two common applications or utilities that the ICMP is used for:
- The Traceroute: This is a tool that is used by the network administrator in order to map out the potential path, or route, that the data packet can take. In this scenario, empty data packets are used to accomplish this task. For example, the initial data packet is assigned a TTL value of 0. When the first router receives this data packet, it will then be dropped, and a corresponding ICMP message will then be transmitted back to the source computer. This indicates the first router that will be used in formulating the path for the data packets to take. After the initial data packet is sent out and returned, the next data packet is then sent out with a TTL value of 1. Once the next router receives this particular data packet, it will decrease the value by 1 and it will be returned with another ICMP message, thus revealing the identity of the second router. This entire process keeps repeating itself, with the TTL of each data packet sent increased by 1 and each router decreasing it by 1, so that the map of the routers that the data packets will travel through can be computed. The primary disadvantage of using traceroute is that it can only be used to map out current and future paths for the data packets to take; it cannot be used to look at past paths that have been used by the data packets. The network administrator can also use the following option:
- -j: This allows you to choose the routers that you want to use when creating a map of the network flow for the data packets to take.
- The Ping: In this scenario, there are two types of ICMP messages that are used: Echo Request and Echo Reply. First, the echo request is sent out and then the echo reply is transmitted back. This application keeps track of the time between these two messages so that the network administrator gets the exact round-trip time for a particular data packet to reach its final destination and return back to the point of origination. It is interesting to note here that it’s Ping which can create a non-error-related ICMP message. You can invoke two options in order to determine the shortest time that a data packet can take:
- -j: This command suggests a particular route
- -k: This command dictates a certain route
The security vulnerabilities of the ICMP
Despite the advantages that the ICMP offers, it is also prone to a number of key security vulnerabilities:
- The Ping Flood: This type of attack is very similar to that of a Distributed Denial of Service (DDoS) attack, but rather than using malformed data packets to flood the server in an effort to slow down its processes, it is flooded with ICMP echo requests
- The Ping of Death: This occurs when the cyberattacker sends out Ping requests that are too large (in terms of bytes). In this scenario, the datagram that is used to send out the Ping request becomes oversaturated with “filler” information/data that has no relevant meaning. Because of this, it will be broken down into what is known as the Maximum Transmission Unit, or MTU. Once the router picks up these broken-down datagrams, it will then try to reassemble them back into the original format before sending it off to its final destination. But if the reassembled datagram is larger than what the memory resources of the router can handle, it will literally jam up and become nonfunctional. As a result of this, the entire flow of the network traffic can be slowed down or come to a grinding halt
- The Twinge Attack: This is similar to the Ping Flood attack, but rather than the ICMP echo requests coming from just one computer, they are coming from multiple computers. They also have a fake source IP address in the header of the data packet
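As an added example (not from the article), the following Python shows detection logic for the three attacks just listed, run over constructed flow records rather than captured traffic: a per-source rate check for the Ping Flood, a distinct-source count for the Twinge-style flood from many spoofed addresses, and a fragment-offset check for the Ping of Death. The record layout, addresses and thresholds are assumptions made for this example.

```python
from collections import Counter, defaultdict, deque

# Constructed sample records (not captured traffic), one per IPv4 fragment carrying ICMP:
#   (time_s, src_ip, dst_ip, icmp_type, frag_offset_units, frag_len_bytes)
# icmp_type is None for non-first fragments, which carry no ICMP header.
RECORDS = [
    (0.00, "10.0.0.7", "10.0.0.1", 8, 0, 64),            # ordinary ping
    (1.00, "10.0.0.7", "10.0.0.1", 8, 0, 64),
    (1.01, "10.0.0.1", "10.0.0.7", 0, 0, 64),            # echo reply
    (2.00, "10.0.0.1", "10.0.0.9", 11, 0, 56),           # time exceeded from a traceroute
    # ping flood: 500 echo requests from one host in half a second
    *[(3.0 + i * 0.001, "198.51.100.4", "10.0.0.1", 8, 0, 64) for i in range(500)],
    # distributed/spoofed flood: 60 different sources hitting one host within 0.6 s
    *[(5.0 + i * 0.01, "203.0.113.%d" % i, "10.0.0.1", 8, 0, 64) for i in range(1, 61)],
    # oversized echo: a fragment at byte offset 8180*8 would reassemble to 66920 bytes
    (7.000, "10.0.0.5", "10.0.0.1", 8, 0, 1480),
    (7.001, "10.0.0.5", "10.0.0.1", None, 8180, 1480),
]

def echo_requests(records):
    """Echo requests (type 8) in time order; the rate checks ignore replies and errors."""
    return [r for r in sorted(records, key=lambda r: r[0]) if r[3] == 8]

def detect_floods(records, pps=100, window=1.0):
    """Ping Flood: more than `pps` echo requests from one (src, dst) pair in any `window` s."""
    alerts, recent = set(), defaultdict(deque)
    for t, src, dst, *_ in echo_requests(records):
        q = recent[(src, dst)]
        q.append(t)
        while t - q[0] > window:              # drop timestamps that left the window
            q.popleft()
        if len(q) > pps:
            alerts.add((src, dst))
    return alerts

def detect_distributed(records, min_sources=50, window=1.0):
    """Twinge-style flood: one dst sees echo requests from >= min_sources sources in `window` s."""
    alerts, recent, live = set(), defaultdict(deque), defaultdict(Counter)
    for t, src, dst, *_ in echo_requests(records):
        q, c = recent[dst], live[dst]
        q.append((t, src))
        c[src] += 1
        while t - q[0][0] > window:
            c[q.popleft()[1]] -= 1            # source left the window
        if sum(1 for v in c.values() if v > 0) >= min_sources:
            alerts.add(dst)
    return alerts

def detect_oversized(records, limit=65535):
    """Ping of Death: a fragment whose offset*8 + length exceeds the IPv4 maximum datagram size."""
    return {(src, dst) for _, src, dst, _, off, ln in records if off * 8 + ln > limit}
```

Each check catches a different signature: the single flooding host trips only the rate check, the 60 spoofed sources each send one packet and trip only the distinct-source check, and the oversized echo is visible from the fragment offset alone, before any reassembly is attempted.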
This article has defined what the ICMP is, provided a technical review into it and also examined the error messages and the tools that can be used with it. Finally, we explored some of the security vulnerabilities that are associated with the ICMP.
The ICMP will continue to be a powerful tool for the Network Administrator in order to diagnose network problems and other related issues. Check out this link for the various downloads that are available for the ICMP.