The role of ICMP and how to reply to a PING/ECHO request!

NETWORK SECURITY
OSI: Securing the Stack, Layer 3 – The role of ICMP
Michael Gregg
11.06.2006

Layer 3 of the OSI model is the network layer. While the data link layer provides node-to-node communication, the network layer provides routing and is the home of routable protocols; the best known is Internet protocol (IP). There are other services at the network layer, such as Internet Control Message Protocol (ICMP), which is the focus of this article.
ICMP was designed to act as a messenger for logical errors and diagnostics. It is addressed in detail in RFC 792. Any IP network device has the capability to send, receive, or process ICMP messages. The designers of ICMP never considered the security issues we must deal with today, but they did set some ground rules for ICMP to work efficiently.

To make sure that ICMP messages wouldn’t flood an IP network, ICMP is not given any special priority and is always treated as normal traffic.
ICMP messages cannot be sent in response to other ICMP messages. This design mechanism was intended to prevent situations where one error message creates another, and another, and another. That would be a real problem!
ICMP was not designed to be sent in response to multicast or broadcast traffic.
With some of the ground rules of ICMP out of the way, let’s turn our attention to the format of the ICMP header. ICMP is designed so that the header contains a type and code field. Common ICMP types include the following:

0 Echo Reply (Ping)
3 Destination Unreachable
4 Source Quench
5 Redirect Message
6 Alternate Host Address
8 Echo Request (Ping)
9 Router Advertisement
10 Router Solicitation
11 Time Exceeded

Together, the type and code fields can be used to determine the reason for the ICMP message. As an example, a type 3 is a destination unreachable. There are 16 unique codes for type 3 messages. The code identifies the specific reason why the destination is unreachable; this could include a problem with the network (a code 0), a router blocking the packet (a code 13), or even that the application is not running on the destination computer (a code 3). The most common ICMP message type is an 8/0, which is an echo request/reply (ping).

There are many network tools built around ICMP. Traceroute is an example of this. Traceroute works by sending sequentially numbered IP TTL packets while looking for ICMP TTL exceeded messages returned. By its very design, you can see that ICMP can be a very useful network tool. Unfortunately, it is also one of the most used and abused protocols. Now, let’s look at some of the ways ICMP is misused.

Abuse of ICMP

Earlier, I described ping as a basic connectivity tool. It’s widely used by hackers to verify connectivity before an attack. You cannot attack a system that isn’t up and running – and ping provides a perfect way to check that a system is alive. This has become so much of a problem that many networks now block incoming initiated pings. Although this is a good start, it does not completely eliminate the problem. An example of this can be seen in the covert tool Loki.

Released in 1996 in the underground magazine Phrack, Loki was a proof-of-concept tool. If installed on an internal computer, Loki can use ICMP to phone home to the hacker outside of the network. The administrator sees only outbound initiated ping traffic, but the attacker has in reality set up a covert channel. The ICMP protocol is being used for messaging. Blocking both inbound and outbound ICMP at the firewall will eliminate this problem.

Another ICMP-related problem is the potential of its use in a denial-of-service (DoS) attack. An example of this can be seen in Smurf. Smurf uses ping packets to abuse ICMP. It sends malformed ICMP packets. It alters the destination address so that the packet is sent to the broadcast address of a network node. The source address has been altered to be pointed to the victim of the attack. On a large network, many systems will reply to this broadcast ping. The attack results in the victim being flooded with a stream of ping responses so that legitimate access is blocked. A similar type of attack was launched against core DNS servers in 2002. Administrators can prevent their networks from being used to bounce Smurf traffic by adding the following command in their Cisco routers:
no ip directed-broadcast

ICMP can also be used to aid in port scanning and in OS identification. This is also called fingerprinting. It’s a required step of the attack process. After all, an attacker cannot target a system successfully without knowing what it’s running. As an example, the attacker may have an exploit against Windows XP, yet this exploit would be worthless against a Windows 2003 system. Fingerprinting is used to identify the OS. When fingerprinting is attempted, the attacker will use a scanning tool to send a series of normal, unusual and then malformed ICMP queries to the targeted system. The scanning tool then observes the responses and compares them to a database.

ICMP was designed for a more trusting world. With all of the functionality ICMP was designed to provide, it would be nice if it could pass freely in and out of the network. This is not the case, however. If your goal is to make the network more secure, ICMP needs to be blocked and disabled at key network access points as much as possible. Your choice will be to drop or reject traffic. The decision is yours. From a security perspective, dropping packets gives away less information and makes it harder for an attacker to gather information. Rejecting packets allows services to know that something has failed and time out quickly, yet leaves the network more vulnerable. With these facts in mind, it is the author’s opinion that dropping ICMP is the preferred option.

About the author:
Michael Gregg has been involved in IT and network security for more than 15 years. He is the founder and CTO of Superior Solutions Inc., a risk-assessment and security consulting firm. He has developed high-level security classes and written six books; the most recent is Hack the Stack: The Eight Layers of an Insecure Network.

Source: What is Network layer? | Definition from TechTarget

In this article it’s the other way around…

There are two ways to reply to a ping / echo request: deny or drop. I’m wondering how to configure Comodo Firewall to accomplish those two ways…

I understood that it’s better to drop than to deny because denying confirms that you are online (since there is an answer)!

Are the rules below correct for both scenarios?

Deny :

Disallow ICMP PING/ECHO In Any Any Any
Disallow ICMP PING/ECHO Out Any Any Any

Drop :

Allow ICMP PING/ECHO In Any Any Any
Disallow ICMP PING/ECHO Out Any Any Any
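The question above, and the article’s description of the ICMP type/code header, both come down to what a sender actually sees in each case. The Python below is an added example; it is not code from the article, from Comodo, or from any post in this thread. It builds and parses real ICMP headers (RFC 792 layout, RFC 1071 checksum) and then models a host that handles an inbound echo request under three policies: allow (echo reply), reject (what the thread calls "deny": a type 3 / code 13 "administratively prohibited" unreachable) and drop (silence). The policy names, the `host_response` model and the sample packet are constructed for this example; the broadcast case models what `no ip directed-broadcast` achieves against Smurf.

```python
"""Added example (not from the article or the forum thread): ICMP header
build/parse and a model of allow vs reject ("deny") vs drop for echo requests."""
import struct

# Type/code names from RFC 792 (the same types the article lists).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 9: "Router Advertisement",
              10: "Router Solicitation", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable",
                     3: "port unreachable",
                     13: "communication administratively prohibited"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """ICMP header: type(1) code(1) checksum(2) rest-of-header(4), then payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def build_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """Echo request (type 8) or reply (type 0); id and seq share the rest-of-header."""
    return build_icmp(0 if reply else 8, 0, (ident << 16) | (seq & 0xFFFF), payload)


def parse_icmp(packet: bytes) -> dict:
    """Decode type/code and verify the checksum (sum over the whole packet must be 0)."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", packet[:8])
    info = {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "unknown"), "payload": packet[8:]}
    if icmp_type in (0, 8):
        info["id"], info["seq"] = rest >> 16, rest & 0xFFFF
    if icmp_type == 3:
        info["reason"] = UNREACHABLE_CODES.get(code, "code %d" % code)
    return info


def host_response(request: bytes, policy: str, to_broadcast: bool = False):
    """Constructed model of a host's answer to an inbound echo request.
    policy 'allow'  -> echo reply
    policy 'reject' -> Destination Unreachable, code 13 (the thread's "deny")
    policy 'drop'   -> None (nothing is sent)
    Requests addressed to a broadcast address are always ignored, which is the
    Smurf defence the article's 'no ip directed-broadcast' provides on a router."""
    req = parse_icmp(request)
    if req["type"] != 8:
        return None  # only echo requests are modelled here
    if to_broadcast or policy == "drop":
        return None
    if policy == "reject":
        # RFC 792: the unreachable message quotes the offending datagram
        # (IP header + first 8 bytes); the IP header is omitted in this model.
        return build_icmp(3, 13, 0, request[:8])
    if policy == "allow":
        return build_echo(req["id"], req["seq"], req["payload"], reply=True)
    raise ValueError("unknown policy %r" % policy)


def what_sender_learns(response) -> str:
    """What the pinging side can conclude from each outcome."""
    if response is None:
        return "timeout: host is down, the address is unused, or something is dropping"
    r = parse_icmp(response)
    if r["type"] == 0:
        return "echo reply: host is up and answering"
    if r["type"] == 3:
        return "unreachable (%s): something at that address is up and rejecting" % r["reason"]
    return "unexpected %s" % r["name"]


if __name__ == "__main__":
    probe = build_echo(0x1234, 1, b"ping-payload")  # constructed sample request
    for policy in ("allow", "reject", "drop"):
        print(policy.ljust(7), what_sender_learns(host_response(probe, policy)))
    print("smurf  ", what_sender_learns(host_response(probe, "allow", to_broadcast=True)))
```

The point the model makes explicit: a reject answers with a packet whose type/code (3/13) tells the sender that a live device chose not to answer, while a drop is indistinguishable from an unused address until the sender correlates other evidence (for example, that an upstream hop did forward the packet).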

Hehe, :smiley:

I don’t think that you need to do any modification. If I am not mistaken CFW should be dropping the unwanted packets and not denying them. (:NRD)

ps. But I’m not 100% sure. Only Egemen or another member of the development team can help us on this issue.

In default rules there is : Allow ICMP Out Any Any where ICMP message is echo request

it looks like the opposite of a drop or deny…

or maybe it is when WE ask for a ping so we can have an answer… right?
and answers to a ping request from someone will be dropped or denied? right?

Dropping can also indicate you’re online if you are behind a router, as the router would have been recorded as one hop in the transmission to the destination IP. As the router didn’t deny or drop, something behind the router did, so therefore they know that something is behind the router, most probably a software firewall configured to drop.

Deny :

Disallow ICMP PING/ECHO In Any Any Any
Disallow ICMP PING/ECHO Out Any Any Any

The first rule will stop anyone outside pinging you and the second will stop you from pinging anyone else.

Drop :

Allow ICMP PING/ECHO In Any Any Any
Disallow ICMP PING/ECHO Out Any Any Any

This set of rules will allow anyone outside to ping you AND IT ALLOWS YOU TO SEND A RESPONSE BECAUSE YOU HAVE ALLOWED AN INCOMING REQUEST. The second rule merely stops you from initiating an outbound ICMP request.

I’m pretty sure my interpretations are correct. Can anyone else confirm these?

Cheers,
Ewen :slight_smile:

@panic: pretty much correct imho.

  • the god of icmp (:KWL)

My suggestions:
Drop ICMP inbound any any. Period!

Why reply to something you don’t need to, and broaden the attack vector further? There’s no point in allowing Smurf attacks to achieve their goals :slight_smile:

In what way do you broaden the attack vector?
Can an attacker use ICMP itself to get into your computer? Or just know that someone is there?

Logic says to me that if my PC responds with a port/host unreachable, then the attacker thinks that no one is there, or maybe offline.

If he doesn’t get any reply at all, he knows for sure that someone is there, protected by a firewall. So logically, that’s where he is going to try to get past your firewall, or move on to find an unprotected PC.

Am i thinking completely wrong here?

If you drop inbound Echo Request, ICMP will return an ICMP Time Exceeded which tells the initiator 1. that the host is down, 2. is behind a firewall or 3. never had that IP address to begin with. Unless the initiator (or attacker) has detailed information about your LAN setup, option 3 is the most likely one. Most firewalls have the ICMP “unreachable” reply only as a connectivity function, to tell the nearest router whether the network behind the firewall can be reached or not. They will always deny inbound Echo Request and in most cases Echo Reply as well. Firewalls themselves (if a separate device/server) will never reply to Ping unless configured to do so.

That’s why I suggest dropping inbound ICMP and using Hide-NAT. It will not stop spyware, rootkits or malicious code. But it will stop most scriptkiddies and wannabe h4xx0rz. Not to mention annoy you less and keep your Internet experience a happy one :slight_smile:

By broadening the attack vector, I mean using Smurf attacks. A Smurf attack is a denial-of-service attack which uses spoofed broadcast pings to flood a target system, thus making ICMP another tool to further widen the attack vector. Most firewalls today recognize this and will prevent it. I just wanted to mention it to explain my point.

Hope I didn’t ramble on too much and that I made some sense :slight_smile: