Block bad ICMP messages (ICMP Smurf, Ping of Death, ICMP Flood Attacks, ICMP Nuke Attacks)

Takeaway: The ICMP protocol facilitates the use of important administrator utilities such as ping and traceroute, but it can also be manipulated by hackers to get a snapshot of your network. Learn what ICMP traffic to filter and what to allow.


This article originally appeared in the Security Solutions e-newsletter.

Although most network administrators do a fairly good job of filtering TCP and UDP traffic, many forget to filter ICMP traffic. ICMP traffic is necessary for troubleshooting TCP/IP and for managing its flow and proper function. However, ICMP is also dangerous. Hackers can use it to map and attack networks, so it needs to be restricted.

Like TCP and UDP, ICMP is a protocol within TCP/IP that runs over IP. Unlike TCP and UDP, ICMP is a Network Layer protocol and not a Transport Layer protocol. For more information on ICMP, see its request for comments (RFC) on the IETF's Web site.

Bad ICMP
Some ICMP message types are necessary for network administration. Unfortunately, hackers have found a way to turn a good network tool into an attack. The most common types of ICMP attacks are:
 
  • ICMP packet magnification (or ICMP Smurf): An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. All the systems on those networks send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a denial of service (DoS) to legitimate traffic.
  • Ping of death: An attacker sends an ICMP echo request packet that's larger than the maximum IP packet size. Since the received ICMP echo request packet is larger than the normal IP packet size, it's fragmented. The target can't reassemble the packets, so the OS crashes or reboots.
  • ICMP flood attack: A broadcast storm of pings overwhelms the target system so it can't respond to legitimate traffic.
  • ICMP nuke attack: Nukes send a packet of information that the target OS can't handle, which causes the system to crash.

Good ICMP
Several common tools that use ICMP are necessary for normal administration, management, and troubleshooting on your network. These tools include ping, traceroute, and path Maximum Transmit Unit (MTU) discovery.

Ping
When you ping a destination network address, you're sending an ICMP packet with message type 8 (Echo) code 0 (Echo--Request) to that address. The ICMP reply packet has a message type 0 (Echo) code 0 (Echo--Reply).

Traceroute
When you run a traceroute to a target network address, you send a UDP packet with one time to live (TTL) to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet. Now the TTL for the packet is expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL--Exceeded) packet to your system with a source address. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.

This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port--Unreachable) from the destination system. Traceroute is completed when your machine receives a Port-Unreachable message.

If you receive a message with three asterisks [* * *] during the traceroute, a router in the path doesn't return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded.

Path MTU discovery
When you begin a TCP/IP session between two machines, TCP/IP tries to negotiate the size of packets that can be sent during the session. This is called path MTU discovery. The machine that initiates the connection will send the largest packet it can with the Don't Fragment (DF) bit set.

If any router in the path has a smaller MTU, it will drop the packet with the DF bit set. That router will send an ICMP message type 3 (Unreachable) code 4 (Fragmentation--DF--Set) back to the initiating system. On the initiating system, TCP/IP will decrease the packet size and resend the packet.

The bottom line
Without getting into vendor specifics, disable IP-directed broadcasts to all of your routers to keep your network healthy. Letting traceroute, ping, or any of the other ICMP messages into and through your network from the Internet is an invitation for network mapping, and it could lead to an attack.

You can protect your network from attack by implementing three simple network rules:
 
  • Allow ping—CMP Echo-Request outbound and Echo-Reply messages inbound.
  • Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound.
  • Allow path MTU—ICMP Fragmentation-DF-Set messages inbound.

Don't let poor configuration lead to hacker probing and attacks that are easily blocked. Applying these three rules and blocking other types of ICMP traffic can provide a lot of network security with minimal effort.