
IP Behavior III Internet Control Message Protocol (ICMP)


Document information

Basic information

Title: IP Behavior III Internet Control Message Protocol (ICMP)
Instructor: Bill Ralph of the NSWC Shadow team
School: University Name
Field: Computer Security
Type: lecture
Year of publication: 2001
City: Unknown
Pages: 51
Size: 0.94 MB

Contents

IP Behavior III – SANS GIAC LevelTwo - ©2000, 2001 1

IP Behavior III

Internet Control Message Protocol

(ICMP)

Hi - I am Judy Novak from the Computer Security and Incident Response Team at a military site. I am a senior security analyst and a contractor for Jacob and Sundstrom, Inc. Once again, Stephen Northcutt has asked me to create another webcast to explain the workings of the Internet Control Message Protocol, better known as ICMP. Once again, I’d like to thank Bill Ralph of the NSWC Shadow team for his insightful editing of this webcast.

ICMP is a vital part of IP, and I hope to explain the role it plays in delivering messages about error conditions it finds, as well as the role it plays in delivering simple requests and replies. It is important for the student to understand how this protocol is used both for its intended purpose and for malicious purposes. ICMP in its pure state is supposed to be a relatively simple and chaste protocol; however, it has been altered to act as a conduit for evil purposes.

Some of the theory that the student will learn from this webcast is where ICMP fits in with other protocols such as IP, TCP, and UDP. The student will also learn how ICMP differs from the other protocols. We will follow the familiar format we’ve seen in many of the other IP behavior webcasts: looking at conventional ICMP traffic as well as examining how ICMP can be used for nefarious activity.


Objectives

• Discuss why ICMP is needed, where it fits in, and how it is different from the other protocols

– Explain the theory for the above topics

• Examine how ICMP is used to map networks

– Show examples using tcpdump output

• Examine classic ICMP activity

– Show examples using tcpdump output

• Examine malicious ICMP activity

– Show examples using tcpdump output

As the slide “Objectives” describes, we will cover several aspects of ICMP traffic. ICMP has a special place among the protocols; it is unlike TCP and UDP, yet still uses IP as its network protocol. We’ll see exactly where ICMP fits in among the other protocols and the function that it serves.

We’ll take a look at how ICMP is used to map a given network, often as part of the reconnaissance phase to prepare for some kind of additional activity such as a scan. Next, we’ll examine the expected behavior that ICMP exhibits, and finally, we’ll look at the many ways that ICMP has been mutated and tainted to perform activity that it never was meant to perform.

Once armed with the insight gained from this class, you should be able to examine ICMP traffic and determine if it is expected or deviant behavior.


ICMP Theory

In the section “ICMP Theory”, we attempt to understand the need for ICMP, how it compares with other protocols and how it supports other protocols. We learn that ICMP has a unique purpose and a unique method of communication.


Why do we need ICMP?

• A way to issue simple requests

• A way to inform of error conditions

(Slide diagram: an ICMP echo request answered by an ICMP echo reply, and a port unreachable error message.)

Turning to slide “Why do we need ICMP?”, we examine the role that ICMP occupies among the other protocols. As you’ll recall, TCP is a connection-oriented protocol with lots of overhead involved in assuring reliable delivery. UDP is a connectionless protocol that doesn’t promise reliable delivery, but requires a server port with which a client can communicate.

A simple request such as determining whether a host is alive, commonly known as ping, doesn’t need ports to communicate and doesn’t require reliable delivery. This request and several more use ICMP to deliver and respond to such traffic.

Also, what if some kind of error condition is discovered by a router or a host and it needs to inform a sending source host of the problem? Because TCP is a more robust protocol, it handles some error conditions such as a non-listening port by sending back a TCP response with the TCP flags RESET/ACK set. Also, if a TCP client or server receives too much information, it has a mechanism to close down the receiving buffer by advertising a window size of 0. This says that the receiving host cannot accept any more data until the current buffered data is processed.

But UDP and IP aren’t robust enough to communicate error conditions. So, that is where ICMP comes in; it provides a simple means of communicating between hosts, or between a router and a host, to alert


Where does ICMP fit in?

• TCP/IP internet layering model: Application; Transport (TCP and UDP); Internet (IP and ICMP); Network Interface

Slide “Where does ICMP fit in?” shows ICMP’s place in the TCP/IP internet layering model. This is one model’s representation of the different layers that form data and pass the data between hosts.

Starting at the top, we have the high-level application layer activity that might represent a TCP/IP application such as telnet. Next, we have the transport layer with such protocols as TCP and UDP that provide the end-to-end communication between hosts. Beneath that is the internet layer that is responsible for getting the datagram from source to destination. Finally, there is the network interface layer that transmits the datagrams over the network.

What we see is that ICMP is in the same network layer as IP. ICMP is encapsulated in the IP datagram after the IP header.


ICMP versus other protocols

• No port numbers

• No notion of client/server

• No promise of reliable delivery

• Sometimes no response expected

• Can be broadcast


Moving ahead to slide “ICMP versus other protocols”, we see that ICMP is different from TCP and UDP in other ways. The first is that ICMP has no port numbers as are found in the transport layer protocols. The closest thing that ICMP has to a differentiation in services is an ICMP message type and code, the first two bytes in the ICMP header. These tell the function of the particular ICMP message.

Next, there is really no such thing as a client and server. In fact, when ICMP error messages are delivered, the receiving host may respond internally, but may not communicate anything back to the informer. And, ICMP gives no guarantees about the delivery of a message.

One of the unusual traits of ICMP is that “services” do not have to be activated or listening. Just about every operating system is capable of responding to an ICMP echo request (ping). The hard part is turning it off. Some intrusion detection systems have echo reply disabled so that they can remain as anonymous and undetectable as possible.

Another trait of ICMP is that it supports broadcast traffic. TCP requires an exclusive client-server relationship, but ICMP isn’t nearly as territorial. We’ll see where this flexibility in ICMP’s ability to


ICMP source quench

Looking at slide “ICMP speakers”, we try to make the point that ICMP is a protocol that IP-speaking hosts possess and use. A host will use ICMP for simple replies and requests, and it will use ICMP to inform another host of some kind of error condition.

In this slide, we see that the receiving host is having a problem keeping up with the traffic that the sending host is delivering to it. One of the ways that a host can inform a sending host to throttle down the delivery rate is to send it an ICMP source quench message.


ICMP admin prohibited

(Slide diagram: a router answering a sending host’s traffic with an ICMP admin prohibited message; speech bubble fragment: “in my network!!!”.)

Slide “ICMP speaker(s)” explains that ICMP is used as a mechanism by routers to inform a sending host of some kind of problem. In the above slide, you see a router responding to a sending host with an ICMP admin prohibited message. What this means is that the sending host attempted to send some kind of traffic through the router that was forbidden by an access control list statement.

In a situation such as this, you would expect the router to be the sender of the message, since it is the one forbidding the activity. However, a router might also intervene to inform a sending host about a condition when a destination host is incapable of responding. For instance, if the destination host is unreachable, obviously the destination host is incapable of responding. So, in a situation such as this, the router may reply instead.

Sometimes the act of a host or a router responding to an error condition may not be too wise. While the router was trying to be helpful in the above slide by informing the sending host of a problem, it is also providing information that may be used for reconnaissance purposes. The sender may then glean some knowledge about the type of activity that the router is blocking or whether a host exists. Some sites “silence” the router as much as possible to preclude the dissemination of unnecessary information.


ICMP listeners

• One host can speak to another host

(Slide diagram: one host asking another “Hello! Are you alive?” with an ICMP echo request.)

Slide “ICMP listeners” makes a simple, perhaps obvious point: ICMP communication can be done between two hosts that converse using IP. This is nothing unusual, because that is how we see TCP traffic, and UDP is usually transacted between two hosts as well.

The ability to converse in ICMP is part of the operating system for Unix hosts. And because the notion of ports or services doesn’t apply, a host can listen for all ICMP traffic directed to it.


ICMP listeners (2)

• One host can speak to many hosts

(Slide diagram: a sending host asks “Is anyone on the network alive?” with an ICMP echo request to the broadcast address, delivered through the receiving router.)

Advancing to slide “ICMP listeners(2)”, we contrast the two-way communication of ICMP with that of broadcast ICMP traffic. In this instance, we observe a sending host delivering an ICMP echo request to the broadcast address. Now, if the router to which the activity is directed allows such inbound activity, all active hosts on the network will receive the ICMP echo request and respond with an ICMP echo reply.

So, as you can see, this is a good way to map a given network or overload a network. And, as we also see, as activity on the Internet becomes less friendly, allowing such traffic through the router or some kind of packet filtering device is not such a good idea. We’ll examine how ICMP broadcast activity allowed in your network can be used as a denial of service against another network.


ICMP theory review

• Method for conveying error messages to IP

• Protocol unique because:

– No port numbers

– No perceived client/server

– No reliable delivery guaranteed

– Capable of being broadcast

• Just about all hosts listen and respond to ICMP

Let’s quickly summarize what we’ve learned in this short section by turning to slide “ICMP theory review”. We learned that ICMP is a means of delivering error messages between hosts. It is encapsulated in an IP header, but is considered part of the IP or internet layer.

ICMP is a unique protocol because it doesn’t use ports to communicate like the transport protocols do. ICMP messages can get lost and not be delivered. ICMP messages are never used to deliver an error about other ICMP messages, because that might cause some kind of perpetual loop of reporting. And, ICMP can be broadcast to many hosts since there is no sense of an exclusive connection. Finally, we see where hosts and routers are the senders of ICMP messages. And, we learned that hosts listen for ICMP and most will respond unless they have deliberately been altered for silence.


Mapping

In the section “Mapping”, we’ll show some of the mapping techniques using ICMP. Mapping is an important part of a planned attack, since reconnaissance is typically the first step of most attacks. Mapping attempts to discover the IP numbers of live hosts in a network. Once found, any attack can be directed at the live hosts only.

If mapping is not done and a malicious user or program attacks a network, it can be very noisy and not very productive. We saw this very recently in the RingZero trojan that infected Windows hosts. After they were infected, they would scan hosts to find open proxy ports. One of the shortcomings of this scanning activity was that it appeared to hit random hosts on a given network. In so doing, many IP addresses that were not active were scanned along with the active ones. So, this was a very noisy scan and had to do a lot of work to receive any valuable feedback. This would have been a more directed and perhaps more informative scan had the IP numbers that were scanned been live hosts.

You should know that since sending ICMP echo requests is one of the most common mapping techniques, many networks will block incoming ICMP echo requests. This has motivated the hacker world to invent other scanning methods using other protocols.


Tireless mapper

00:12:45.830000 scanner.net > 192.168.117.63: icmp: echo request
00:15:36.200000 scanner.net > 192.168.117.242: icmp: echo request
00:15:36.210000 scanner.net > 192.168.117.242: icmp: echo request
00:15:58.600000 scanner.net > 192.168.117.129: icmp: echo request
00:06:01.880000 scanner.net > 192.168.117.139: icmp: echo request
00:15:58.600000 scanner.net > 192.168.117.129: icmp: echo request
00:18:51.650000 scanner.net > 192.168.117.98: icmp: echo request
00:20:42.750000 scanner.net > 192.168.117.177: icmp: echo request
00:26:36.680000 scanner.net > 192.168.117.218: icmp: echo request
00:05:58.560000 scanner.net > 192.168.117.233: icmp: echo request
00:26:36.680000 scanner.net > 192.168.117.218: icmp: echo request
00:27:30.620000 scanner.net > 192.168.117.168: icmp: echo request

Slide “Tireless mapper” shows the classic mapping technique of sending individual ICMP echo requests to all hosts in a given subnet. In this case, the 192.168.117 class C subnet is scanned for all live hosts. As you can see, this is also a very noisy scan.

But, if a site doesn’t look for ICMP activity, or doesn’t look for generic scan activity by examining traffic for a one-source-IP-to-many-destination-hosts pattern, this may go unnoticed. So, the philosophical question is: if a hostile party maps your entire network and no one is listening, does it make any noise?


Efficient mapper

13:51:16.210000 scanner.net > 192.168.65.255: icmp: echo request
13:51:17.300000 scanner.net > 192.168.65.0: icmp: echo request
13:51:18.200000 scanner.net > 192.168.66.255: icmp: echo request
13:51:18.310000 scanner.net > 192.168.66.0: icmp: echo request
13:51:19.210000 scanner.net > 192.168.67.255: icmp: echo request
13:53:09.110000 scanner.net > 192.168.67.0: icmp: echo request
13:53:09.940000 scanner.net > 192.168.68.255: icmp: echo request
13:53:10.110000 scanner.net > 192.168.68.0: icmp: echo request
13:53:10.960000 scanner.net > 192.168.69.255: icmp: echo request
13:53:10.980000 scanner.net > 192.168.69.0: icmp: echo request

Moving to slide “Efficient mapper”, we see a more succinct way to attempt mapping a network. Since ICMP can send a message to multiple hosts, we can attempt to send an ICMP echo request to a broadcast address, and if the activity is allowed, all active hosts within the particular broadcast subnet may potentially reply.

You see that in the above scan, it appears that the scanner is attempting to map the 192.168 subnet. We see the third octet in the IP number changing from 65 to 69 in this excerpt from a larger scan. We see the final octet fluctuate between 0 and 255. The 255 in the final octet is the classic broadcast address. The 0 in the final octet is a broadcast address for hosts that have a TCP/IP stack based on the Unix BSD operating system. Hosts with this type of TCP/IP stack may respond to the ICMP echo request directed to the 0 broadcast address.

Some of the later versions of Windows will not respond to a broadcast ICMP echo request.

As you can see, for a network defending against this type of activity, it is wise to disallow any activity to the broadcast addresses, whether it is ICMP or not.


Clever mapper

06:34:31.150000 scanner.net > 192.168.21.0: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.63: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.64: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.127: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.128: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.191: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.192: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.255: icmp: echo request

Now, if you turn to the next slide “Clever mapper”, we see a new variation on an old mapping scheme. Look at the scanning pattern; what you see is that echo requests are being sent to the class C subnet of 192.168.21. Now, examine the final octet of the IP address. We see the first request is sent to the 0 broadcast address and the last one is sent to the 255 broadcast address.

If you look at the final octet of the other IP numbers, you’ll see that they seem to span 64 IP numbers. For instance, the first IP number has a final octet of 0 and the following one has a final octet of 63, so that is 64 total IP addresses. What is the significance of the 64? Well, a typical class C subnet has 256 addresses between the 0 and 255 host numbers.

It is possible to subdivide a class C network so that you have multiple smaller networks. One way to do this would be to have 4 individually addressable subnets with 64 hosts each. In this scheme, the network and broadcast addresses change accordingly. The network and broadcast addresses for those 4 subnets are the IP numbers that you see in the scan. So, it turns out that someone believes that we may have a different addressing scheme and is attempting to scan accordingly. If this were the addressing scheme for the 192.168.21 subnet, all live hosts might respond.


Our final mapping example, shown on slide “Cerebral mapper”, shows a different mapping technique using another ICMP request type. The ICMP address mask request queries a host for the subnet mask of the network on which it resides. So, remember all the trouble that the previous scanner went through to try to determine the addressing scheme? Well, that could have been avoided using the ICMP address mask request seen here.

This is not classic mapping per se; however, it may provide some initial reconnaissance. If a scanner can determine the subnet mask of a network, he then knows exactly how many hosts need to be scanned. While the subnet mask of an IP can usually be determined from looking at the first octet of the IP number, this request may determine the subnet mask for networks that have been subdivided. That type of knowledge cannot be obtained by looking at the IP number. This is another service that should be disallowed into the network for obvious reasons.

This ICMP request may not elicit a response from all hosts. Routers should respond, some modem servers will, and some Solaris hosts will also respond.


Mapping review

• Used for initial reconnaissance

• ICMP echo requests to:

– Individual hosts

– Multiple hosts via classic broadcast addresses

– Multiple hosts via subdivided broadcast addresses

• ICMP address mask request to discover subnet mask

We conclude this section with the “Mapping review”. We examined different mapping techniques in this section that are mostly used for beginning reconnaissance efforts.

The different mapping techniques all used ICMP to attempt to find live hosts or discover addressing schemes. The ICMP echo request can be used to look for individual live hosts, or it can be sent to a broadcast address to look for all live hosts on a subnet. We saw another ICMP request, the address mask request, that can attempt to learn the subnet mask for a given network.


– Fragmentation required, DF flag set

– Time exceeded

– Reassembly time exceeded

In section “Normal ICMP”, we’ll examine some of the expected uses of ICMP. We’ll first examine another ICMP request, the timestamp request. Then we’ll look at several different error messages that ICMP sends to inform a sending host of some kind of problem situation.


The next slide “Timestamp request/reply” displays another ICMP request. This one is a request by one host to another host to return its current time of day. This may be used if two communicating hosts need to have their clocks synchronized. There are additional ways to do time synchronization, such as using the network time protocol (ntp), where hosts synchronize their clocks with that of an ntp server that has a very accurate clock.

The sending ICMP timestamp request includes the sender’s timestamp, and it is returned with the time that the destination host received the request, and a third field contains the time that the destination host returned the request. Using these three fields, hosts can compute the round-trip time; however, this is not considered to be a very accurate measurement due to unexpected and immeasurable network latency.


Host unreachable

router > sending.host: icmp: host target.host unreachable

(Slide diagram: the sending host sends traffic for the target host; the router replies that the target host is unreachable.)

We now turn to slide “Host unreachable”. In this scenario, we observe a sending host attempting to send traffic to a target host. For some reason the host is unreachable: perhaps no host resides at the requested IP address, perhaps it is temporarily unavailable, or perhaps it is suffering from some kind of misconfiguration that prevents it from responding.

In a situation such as this, the host obviously cannot send an error message, so the router that oversees the target host’s network intervenes to deliver the message. In this case, it informs the sending host that the target host is unreachable. As you can probably guess, this may give a scanner valuable information that he can use to help him map the network. It is possible that the host truly doesn’t exist, but it is also possible that the host is temporarily turned off or out of commission. The valuable reconnaissance information that can be gleaned from many of the ICMP unreachable messages can be detrimental to the security of a given network. Cisco router access control lists have a statement that can silence the router from issuing the ICMP unreachable messages: “no ip unreachables”.


Next, look at the slide “Port unreachable” to examine how a target host informs a sending host that a requested UDP port is not listening. In this case, the sending host attempted to send traffic to the target host on UDP ntp, which is port 123.

So, the protocol used to deliver the error message is ICMP. Remember, when we examined TCP, it had a different way of informing a sending host that a port was not active: it returned a TCP segment with the RESET/ACK flags set to indicate that the port was not listening. UDP has no built-in mechanism to report this error and so enlists ICMP to assist.


Admin prohibited

router > sending.host: icmp: host target.host unreachable - admin prohibited

(Slide diagram: the sending host tries to send traffic to the target host; the router at the target network denies access.)

We look at another possible problem situation in slide “Admin prohibited”. In this scenario, we have a sending host that attempts to send traffic to a target host. We have a router at the gateway of the target host network.

The router has an access control list that prohibits certain types of traffic from entering the network. This could be a port that is blocked, a protocol that is blocked, or possibly the source IP or subnet that is denied access. A router may respond to this condition with an ICMP unreachable - admin prohibited message.

In the diagram above, we see that the sending host is denied access to the target host. We don’t see any feedback about the reason for the denial in the ICMP message that is displayed. However, embedded in some ICMP messages such as this, there will be the original IP header and at least 8 bytes of the protocol that generated this response.
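The type and code bytes described under “ICMP versus other protocols”, the quoted original IP header plus 8 bytes mentioned above, and the MTU carried by the “need to frag” message later in this section, as a decoder. This is an added example, not code from the webcast; the two packets are constructed here with documentation-range addresses, and the builder is a hypothetical helper for producing them.

```python
"""Decode an ICMP message and, for error messages, the original IP header
plus the first 8 bytes of its payload that they quote.  Added example, not
code from the webcast; the packets below are constructed, not captured."""
import struct
from ipaddress import IPv4Address

# Type and code numbers (RFC 792; code 13 from RFC 1812) for the messages
# covered in this webcast.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench",
              5: "redirect", 8: "echo request", 11: "time exceeded",
              13: "timestamp request", 14: "timestamp reply",
              17: "address mask request", 18: "address mask reply"}
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 4: "need to frag", 13: "admin prohibited"}
ERROR_TYPES = {3, 4, 5, 11}   # these quote the datagram that caused them


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; it is zero over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_embedded(data: bytes) -> dict:
    """Parse the quoted IP header and the 8 bytes after it.  For TCP and
    UDP those 8 bytes hold the ports, which is what lets a defender tie a
    port unreachable or admin prohibited back to the probe (e.g. UDP 123)."""
    if len(data) < 20:
        raise ValueError("embedded IP header truncated")
    ihl = (data[0] & 0x0F) * 4
    orig = {"proto": data[9], "ttl": data[8],
            "src": str(IPv4Address(data[12:16])),
            "dst": str(IPv4Address(data[16:20]))}
    l4 = data[ihl:ihl + 8]
    if orig["proto"] in (6, 17) and len(l4) >= 4:   # TCP or UDP
        orig["sport"], orig["dport"] = struct.unpack("!HH", l4[:4])
    return orig


def parse_icmp(payload: bytes) -> dict:
    """Parse an ICMP message (the bytes after the outer IP header)."""
    if len(payload) < 8:
        raise ValueError("ICMP header is 8 bytes")
    itype, code = payload[0], payload[1]
    msg = {"type": itype, "name": ICMP_TYPES.get(itype, "unknown"),
           "code": code, "checksum_ok": icmp_checksum(payload) == 0}
    if itype == 3:
        msg["code_name"] = UNREACH_CODES.get(code, "unknown")
        if code == 4:   # need to frag: the next-hop MTU sits in bytes 6-7
            msg["mtu"] = struct.unpack("!H", payload[6:8])[0]
    if itype in ERROR_TYPES:
        msg["original"] = parse_embedded(payload[8:])
    return msg


def build_error(itype: int, code: int, rest: int, src: str, dst: str,
                proto: int, l4_first8: bytes) -> bytes:
    """Hypothetical helper: construct an ICMP error quoting an original
    datagram.  The quoted header's length and checksum fields are
    illustrative only; parsers do not verify them."""
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_first8), 0x1234,
                          0x4000, 64, proto, 0,        # 0x4000 = DF flag set
                          IPv4Address(src).packed, IPv4Address(dst).packed)
    body = struct.pack("!BBHI", itype, code, 0, rest) + orig_ip + l4_first8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


# Constructed sample 1: a UDP datagram to ntp (port 123) reached a host with
# nothing listening there, so the host answers "port unreachable".
PORT_UNREACH = build_error(3, 3, 0, "192.0.2.10", "198.51.100.20", 17,
                           struct.pack("!HHHH", 1025, 123, 56, 0))
# Constructed sample 2: a DF-flagged TCP datagram had to cross a 1500-byte
# Ethernet link, so the router answers "need to frag (mtu 1500)".
NEED_FRAG = build_error(3, 4, 1500, "192.0.2.10", "198.51.100.20", 6,
                        struct.pack("!HHI", 40000, 80, 1))

if __name__ == "__main__":
    for pkt in (PORT_UNREACH, NEED_FRAG):
        print(parse_icmp(pkt))
```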


Redirect

(Slide diagram: a misguided sending host sends a datagram to the target host through the non-optimum router; the datagram is delivered to the target host, and the non-optimum router tells the sender to use the optimum router next time.)

non-optimum.router > sending.host : icmp: redirect target.host to net optimum.router

The ICMP “Redirect” message discussed on the next slide allows a router to tell a sending host that it is not the optimum router to be used for sending the traffic to the desired destination. The non-optimum router forwards the traffic to the destination, but informs the sending host to change its routing table so that a more optimum router is chosen the next time traffic is sent to the same destination host.

In the case of the above slide, we have a misguided sending host attempting to send traffic to the target host. It routes the traffic through the non-optimum router, which forwards the traffic. However, it issues an ICMP redirect to the misguided sending host to use the optimum router the next time. The optimum router has to be on the same subnet as the sending host. Also, the router that sends the redirect must be on the same subnet as the original sender.


Fragmentation required, DF flag set

(Slide diagram: the sending host sends a datagram to the target host with the DF flag set; it must cross from FDDI, MTU = 4352, to Ethernet, MTU = 1500, so the router reports fragmentation required, DF flag set.)

router > sending.host: icmp: target.host unreachable - need to frag (mtu 1500)

Moving to slide “Fragmentation required, DF flag set”, we discuss another ICMP message. You may remember seeing or discussing the DF designation from tcpdump in other IP behavior webcasts. This means the don’t fragment flag is set. As the name implies, if this flag is set, fragmentation will not be done on the datagram. If this flag is set and the datagram crosses a network where fragmentation is required, the router will discover this, discard the datagram and send an ICMP error message back to the sending host.

The ICMP error message will contain the MTU of the network that required fragmentation. Some hosts intentionally send an initial datagram across the network with the DF flag set as a way to discover the MTU for a particular source-to-destination path. If the ICMP error message is returned with the smallest MTU, the host will then package all datagrams bound for that destination in small enough chunks to avoid fragmentation.


Time exceeded in-transit

routerx > sending host: icmp: time exceeded in-transit[tos 0xc0]

(Slide diagram: the datagram has taken too many hops; routerx reports time exceeded in-transit.)

Let’s look at the “Time exceeded” ICMP message on the next slide. TCP/IP needs a way to flush from the Internet a lost datagram, perhaps one that is in some kind of routing loop where it is bouncing aimlessly among routers. The means used to prevent wayward datagram activity involves a field in the IP header known as the time to live (ttl) value. So it's not really a time at all; it is a count of "hops to live" before being discarded.

Different operating systems set different initial ttl values. When a datagram traverses a router on its travel from the source to destination, each router will decrement the ttl value by 1. If the value ever becomes 0, the router will discard the datagram and send an ICMP time exceeded in-transit message back to the sending host.

Posted: 04/11/2013, 13:15
