8/9/2019 ICMP Overview
1/55
Introduction. i. ICMP Position. ii. ICMP Packets. Basic Functionality. Header Format. ICMP Functions. ICMP Message Classes.
Types of Messages. ICMP Applications: Ping, Traceroute. Issues. Conclusion.
Introduction
ICMP is an error reporting protocol.
ICMP is part of the Internet protocol suite and is defined in RFC 792.
It corrects the network problems as a whole but does not correct the individual packet problems.
ICMP is a complementary protocol to IP that resides on the network layer.
ICMP is a communication protocol between IP
protocol implementations on two connected
systems.
It provides feedback to the sender on problems as
well as internet settings such as subnet masks.
ICMP packets are sent in IP datagrams.
Two levels of encapsulation occur when an ICMP
message is transmitted across a physical network.
ICMP Header ICMP Data Area
IP Header IP Data Area
Frame Header Frame Area
[Figure: Host A, Router R3, Host B. IP datagram; problem in Router R3; ICMP message to Host A.]
ICMP has a fixed header of 4 bytes
- Type
Type of message
- Code
Subtype of message
- Checksum
1's complement, computed over the entire ICMP message
- Checksum field set to zero while the checksum is computed
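The header layout and checksum rule above, as an added example that is not part of the original slides: it builds an Echo Request, decodes the 4-byte header and verifies the checksum. The sample message, the function names and the class labels in the table are constructed for illustration.

```python
import struct

# Subset of the message types listed on this page, with the usual class of each.
ICMP_TYPES = {
    0: ("Echo Reply", "informational"),
    3: ("Destination Unreachable", "error"),
    4: ("Source Quench", "error"),
    5: ("Redirect", "error"),
    8: ("Echo Request", "informational"),
    11: ("Time Exceeded", "error"),
    12: ("Parameter Problem", "error"),
}

def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement of the one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length messages
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(msg_type: int, code: int, rest: bytes) -> bytes:
    """Build a message; the checksum field is zero while the sum is computed."""
    zeroed = struct.pack("!BBH", msg_type, code, 0) + rest
    return struct.pack("!BBH", msg_type, code, internet_checksum(zeroed)) + rest

def parse_icmp(message: bytes) -> dict:
    """Decode the fixed header and verify the checksum over the whole message."""
    if len(message) < 4:
        raise ValueError("shorter than the 4-byte ICMP header")
    msg_type, code, checksum = struct.unpack("!BBH", message[:4])
    name, msg_class = ICMP_TYPES.get(msg_type, ("Unknown", "unknown"))
    return {"type": msg_type, "code": code, "name": name, "class": msg_class,
            "checksum": checksum,
            # Summing a message that carries a correct checksum yields zero.
            "checksum_ok": internet_checksum(message) == 0}

# Constructed sample: Echo Request, identifier 0x1234, sequence 1, 5-byte payload.
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1) + b"hello")
```

A receiver that finds `checksum_ok` false discards the message; this is how ping detects some forms of damaged packet.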
Announce Network Errors :
A kind of failure causes a host or the entire network to be
unreachable.
Announce Network Congestion :
Too many packets are buffered by the router, but it cannot transmit them at the same speed, which causes network
congestion.
Assist Troubleshooting :
ICMP supports an Echo function which sends a packet on a
round trip between two hosts.
Announce Time outs:
If an IP packet's TTL field drops to zero, the
router discards that packet and generates an ICMP message
indicating this fact.
Error Messages: These messages are used to provide feedback to a source device
about an error that has occurred. They are usually generated specifically in
response to some sort of action, usually the transmission of a datagram. Errors are
usually related to the structure or content of a datagram, or to problem situations
on the internetwork encountered during datagram routing.
Informational (or Query) Messages: These are messages that are used to let
devices exchange information, implement certain IP-related features, and perform
testing. They do not indicate errors and are typically not sent in response to a
regular datagram transmission. They are generated either when directed by an
application, or on a regular basis to provide information to other devices. An
informational ICMP message may also be sent in reply to another informational
ICMP message, since they often occur in request/reply or
solicitation/advertisement functional pairs.
ICMP Message Types
Type Description
0 Echo Reply (Ping Reply, used with Type 8, Ping Request)
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo Request (Ping Request, used with Type 0, Ping Reply)
9 Router Advertisement (Used with Type 9)
10 Router Solicitation (Used with Type 10)
11 Time Exceeded
12 Parameter Problem
13 Timestamp Request (Used with Type 14)
14 Timestamp Reply (Used with Type 13)
15 Information Request (obsolete) (Used with Type 16)
16 Information Reply (obsolete) (Used with Type 15)
17 Address Mask Request (Used with Type 17)
18 Address Mask Reply (Used with Type 18)
The DESTINATION UNREACHABLE message is used when the subnet or a router
cannot locate the destination.
The TIME EXCEEDED message is sent when a packet is dropped because its counter
has reached zero. This event is a symptom that packets are looping, that there is enormous
congestion, or that the timer values are being set too low.
The PARAMETER PROBLEM message indicates that an illegal value has been
detected in a header field. This problem indicates a bug in the sending host's IP software
or possibly in the software of a router transited.
The SOURCE QUENCH message was formerly used to throttle hosts that were
sending too many packets. When a host received this message, it was expected to slow
down. It is rarely used any more when congestion occurs.
Message Types Contd.
If a router finds that a network is congested, the
router sends an ICMP source quench message to the source.
The source then sets the window size to minimum
after receiving this message.
The REDIRECT MESSAGE is used when a router notices that a packet seems to be routed
wrong. It is used by the router to tell the sending host about the probable error.
The ECHO and ECHO REPLY messages are used to see if a given destination is reachable and
alive. Upon receiving the ECHO message, the destination is expected to send an ECHO REPLY
message back.
The TIMESTAMP REQUEST and TIMESTAMP REPLY messages are similar, except that
the arrival time of the message and the departure time of the reply are recorded in the reply. This
facility is used to measure network performance.
Message Types Contd
Destination Unreachable Codes
Code Definition
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation needed & Don't Fragment was set
5 Source Route failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication Destination Network is Administratively Prohibited
10 Communication Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited
14 Host Precedence Violation
15 Precedence Cutoff Violation
Redirect Codes
Code Definition
0 Redirect Datagram for the Network (or subnet)
1 Redirect Datagram for the Host
2 Redirect Datagram for the Type of Service & Network
3 Redirect Datagram for the Type of Service & Host
Time Exceeded Codes
Code Definition
0 Time to Live Exceeded in Transit
1 Fragment Reassembly Time Exceeded
Parameter Problem Codes
Code Definition
0 Pointer Indicates the Error
1 Missing a Required Option
2 Bad Length
ICMP-APPLICATIONS
The two important applications based on
ICMP are:
PING
Traceroute
Ping:
A program for checking if a host is alive
Exists in most Operating Systems
Sends an ICMP message of type Echo Request
Receiver answers with an ICMP message of type
Echo Reply
Format:
Ping ip address.
Ping 192.161.72.1
What can Ping tell you?
If packets have been dropped, duplicated or reordered.
Detects some forms of damaged packet.
Round Trip Time (RTT): How long each packet exchange took.
Other ICMP messages.
What a Ping cannot tell:
Ping cannot provide reasons why packets go unanswered.
Ping cannot tell why a packet was damaged, duplicated or delayed.
Ping cannot give you a blow-by-blow description of every host that handled the packet and everything that happened at every step of the way.
Ping
The PING utility is actually an ICMP Echo process.
An ICMP Echo Request packet consists of an Ethernet header, IP header, ICMP header, and some undefined data.
This packet is sent to the target host, which echoes back that data, as shown in Figure 4-1.
The ICMP echo request is a connectionless process with no guarantee of delivery.
[Figure: ICMP Echo Request and ICMP Echo Reply]
EVENT FLOW DIAGRAM
TRACEROUTE:
Traceroute measures the number of hops required to reach a destination.
It sends an IP packet with Time To Live (TTL) set
to 1. When a router decrements the TTL to zero, it
discards the packet and sends an ICMP packet to
the source to inform it of the problem.
It repeats this with increasing TTL values.
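The TTL loop described above, as an added simulation that is not part of the original slides. The router addresses, the silent router and the function names are constructed, and the destination's own answer is abstracted as the string "reached".

```python
ICMP_TIME_EXCEEDED = 11        # type, from the message type table
TTL_EXCEEDED_IN_TRANSIT = 0    # code, from the Time Exceeded codes

# Constructed path: routers in forwarding order, then the destination.
ROUTERS = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
SILENT = {"10.0.1.1"}          # a router that does not send ICMP errors
DESTINATION = "10.0.3.7"

def send_probe(ttl: int):
    """Forward one probe along the path.

    Returns the ICMP message that comes back, "reached" when the probe
    arrives at the destination, or None when the TTL expires at a router
    that stays silent."""
    for router in ROUTERS:
        ttl -= 1                           # every router decrements the TTL
        if ttl == 0:                       # expired here: discard the packet
            if router in SILENT:
                return None
            return {"type": ICMP_TIME_EXCEEDED,
                    "code": TTL_EXCEEDED_IN_TRANSIT,
                    "from": router}
    return "reached"

def trace(max_hops: int = 30) -> list:
    """Send probes with TTL 1, 2, 3, ... and record who answered each one."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(ttl)
        if reply == "reached":
            hops.append(DESTINATION)
            break
        # An unanswered probe is shown as "*", as traceroute tools do.
        hops.append(reply["from"] if reply else "*")
    return hops
```

The length of the returned list is the hop count; the "*" entry shows that a hop which sends no ICMP still counts as a hop but cannot be identified.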
Maximum Transmission Unit (MTU)
When a router receives a datagram that is larger than the MTU of the network over which it is to be sent, the router
divides the datagram into smaller pieces called Fragments.
An IP datagram divided into three fragments. Each fragment
carries some data from the original datagram, and has an IP
header similar to the original datagram.
MAXIMUM TRANSMISSION UNIT
Another application of ICMP is to determine the MTU
along a path.
Sending packets with the "do not fragment" flag set will
cause a node to send an ICMP message back to the source when a packet needs to be fragmented. This
ICMP message includes the maximum packet size
allowed at that point.
IP can then adjust to sending packets that won't be fragmented along the way.
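The MTU discovery loop described above, as an added simulation that is not part of the original slides. The link MTUs and function names are constructed; the type and code values are the Destination Unreachable entry "Fragmentation needed & Don't Fragment was set" from the tables earlier.

```python
from typing import List, Optional, Tuple

ICMP_DEST_UNREACHABLE = 3   # type, from the message type table
FRAG_NEEDED_DF_SET = 4      # code, from the Destination Unreachable codes

# Constructed path: MTU of each link the datagram has to cross, in order.
PATH = [1500, 1400, 1500, 1280]

def forward(size: int, link_mtus: List[int], dont_fragment: bool) -> Optional[dict]:
    """Carry one datagram along the path.

    Returns the ICMP message sent back by the first router that cannot
    forward the datagram, or None when it reaches the destination."""
    for hop, mtu in enumerate(link_mtus, start=1):
        if size > mtu and dont_fragment:
            return {"type": ICMP_DEST_UNREACHABLE,
                    "code": FRAG_NEEDED_DF_SET,
                    "from_hop": hop,
                    "next_hop_mtu": mtu}   # maximum size allowed at that point
        # Without the flag the router fragments and forwards; no ICMP is sent.
    return None

def discover_path_mtu(start_size: int, link_mtus: List[int]) -> Tuple[int, list]:
    """Shrink the probe to the size each ICMP message reports until one
    probe gets through. Returns the path MTU and the list of probes as
    (size sent, hop that rejected it or None)."""
    size, probes = start_size, []
    while True:
        reply = forward(size, link_mtus, dont_fragment=True)
        probes.append((size, reply["from_hop"] if reply else None))
        if reply is None:
            return size, probes
        size = reply["next_hop_mtu"]       # always smaller than the size sent
```

A filter that drops every ICMP message also drops this one, and the sender then never learns the smaller size.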
Issues:
ICMP redirect messages can be used to trick routers and hosts acting as routers into using "false" routes; these false routes would aid in directing traffic to an attacker's system instead of a legitimate trusted system.
This could in turn lead to an attacker gaining access to systems that normally would not permit connections to the attacker's system or network.
Older versions of UNIX could drop all connections between two hosts even if only one connection was experiencing network problems.
Smurf DoS Attack
Send ping request to broadcast addr (ICMP Echo Req)
Lots of responses:
Every host on target network generates a ping reply (ICMP Echo Reply) to victim
Ping reply stream can overload victim
[Figure: DoS Source, gateway, DoS Target. 1: ICMP Echo Req, Src: DoS Target, Dest: broadcast addr. 3: ICMP Echo Reply, Dest: DoS Target.]
Disable IP-directed broadcasts at your leaf routers, to deny IP
broadcast traffic onto your network from other networks (in
particular from the Internet).
A forged source is required for the attack to succeed. Routers
must filter outgoing packets that contain source addresses not
belonging to local subnetworks.
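The two router-side checks above, written as filter logic over constructed sample traffic. This is an added example, not part of the original slides; the subnets (documentation address ranges), the sample packets and the function names are assumptions.

```python
import ipaddress

# Constructed addressing for the example: the subnets behind this router.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

def _is_local(addr) -> bool:
    return any(addr in net for net in LOCAL_SUBNETS)

def verdict(direction: str, src: str, dst: str) -> str:
    """Apply the two checks to one packet.

    direction is "in" (arriving from another network) or "out"
    (leaving the local subnets)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "out":
        # Egress filter: a source address outside our subnets is forged.
        return "forward" if _is_local(s) else "drop: source not local"
    if direction == "in":
        # No IP-directed broadcasts: the destination must not be the
        # broadcast address of any local subnet.
        if any(d == net.broadcast_address for net in LOCAL_SUBNETS):
            return "drop: directed broadcast"
        return "forward"
    raise ValueError("direction must be 'in' or 'out'")

# Constructed sample traffic: (direction, source, destination).
SAMPLE = [
    ("in",  "203.0.113.9",  "192.0.2.255"),     # broadcast address of the /24
    ("in",  "203.0.113.9",  "198.51.100.127"),  # broadcast of the /25, not .255
    ("in",  "203.0.113.9",  "192.0.2.10"),      # ordinary unicast
    ("out", "203.0.113.50", "203.0.113.255"),   # source is not one of ours
    ("out", "192.0.2.10",   "203.0.113.9"),     # legitimate outbound packet
]

def run(sample=SAMPLE) -> list:
    """Return the verdict for every packet in the sample."""
    return [verdict(*packet) for packet in sample]
```

The second sample packet is the case a rule matching only addresses ending in .255 would miss: the broadcast address depends on the subnet mask.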
ICMP is an error reporting and network
management system.
ICMP provides vital feedback about IP routing
and delivery problems.
Although ICMP messages fall within various
well-documented types, and behave as a separate
protocol at the TCP/IP Network layer, ICMP is really part and parcel of IP itself, and its support
is required in any standards-compliant IP
implementation.
QUESTIONS?
1. Where is ICMP placed in the OSI model?
Next to IP in the network layer
2. Can ICMP report error in ICMP messages itself?
No.
3. What are the two most important applications of ICMP?
PING
TraceRoute
4. What are the two message classes in ICMP?
Error messages
Information messages
http://www.ietf.org/rfc/rfc792.txt
http://www.softpanorama.org/Net/Internet_layer/icmp.shtml
http://www.cs.princeton.edu/~mef/research/napt/reports/usenix98/presentation/sld008.htm
http://www.kbcafe.com/articles/HowTo.PING.pdf
http://en.wikipedia.org/wiki/ICMP
http://www.freesoft.org/CIE/Topics/81.htm
Thank You