IP Behavior III Internet Control Message Protocol (ICMP)

5 - 1 IP Behavior III: Internet Control Message Protocol (ICMP)
IP Behavior III – SANS GIAC LevelTwo - ©2000, 2001

Hi - I am Judy Novak from the Computer Security and Incident Response Team at a military site. I am a senior security analyst and a contractor for Jacob and Sundstrom, Inc. Once again, Stephen Northcutt has asked me to create another webcast to explain the workings of the Internet Control Message Protocol, better known as ICMP. Once again, I’d like to thank Bill Ralph of the NSWC Shadow team for his insightful editing of this webcast.

ICMP is a vital part of IP, and I hope to explain the role it plays in delivering messages about error conditions it finds, as well as the role it plays in delivering simple requests and replies. It is important for the student to understand how this protocol is used both for its intended purpose and for malicious purposes. ICMP in its pure state is supposed to be a relatively simple and chaste protocol; however, it has been altered to act as a conduit for evil purposes. Some of the theory the student will learn from this webcast is where ICMP fits in with other protocols such as IP, TCP, and UDP, and how ICMP differs from those protocols. We will follow the familiar format of the other IP behavior webcasts: first looking at conventional ICMP traffic, then examining how ICMP can be used for nefarious activity. With an understanding of ICMP, the student will be able to examine ICMP network traffic and determine its nature.

5 - 2 Objectives
• Discuss why ICMP is needed, where it fits in, and how it is different from the other protocols
– Explain the theory for the above topics
• Examine how ICMP is used to map networks
– Show examples using tcpdump output
• Examine classic ICMP activity
– Show examples using tcpdump output
• Examine malicious ICMP activity
– Show examples using tcpdump output

As the slide “Objectives” describes, we will cover several aspects of ICMP traffic. ICMP has a special place among the protocols; it is unlike TCP and UDP, yet still uses IP as its network protocol. We’ll see exactly where ICMP fits in among the other protocols and the function that it serves. We’ll take a look at how ICMP is used to map a given network, often as part of the reconnaissance phase that prepares for some kind of additional activity such as a scan. Next, we’ll examine the expected behavior that ICMP exhibits, and finally, we’ll look at the many ways that ICMP has been mutated and tainted to perform activity that it was never meant to perform. Once armed with the insight gained from this class, you should be able to examine ICMP traffic and determine whether it is expected or deviant behavior.

5 - 3 ICMP Theory

In the section “ICMP Theory”, we attempt to understand the need for ICMP, how it compares with other protocols, and how it supports other protocols. We learn that ICMP has a unique purpose and a unique method of communication.

5 - 4 Why do we need ICMP?
• A way to issue simple requests
• A way to inform of error conditions
(diagram: icmp echo request and icmp echo reply between two hosts; a port unreachable message)

Turning to slide “Why do we need ICMP?”, we examine the role that ICMP occupies among the other protocols. As you’ll recall, TCP is a connection-oriented protocol with lots of overhead involved in assuring reliable delivery.
UDP is a connectionless protocol that doesn’t promise reliable delivery, but it still requires a server port with which a client can communicate. A simple request such as determining whether a host is alive, commonly known as ping, doesn’t need ports to communicate and doesn’t require reliable delivery. This request and several more use ICMP to deliver and respond to such traffic. Also, what if some kind of error condition is discovered by a router or a host and it needs to inform the sending host of the problem? Because TCP is a more robust protocol, it handles some error conditions itself: a non-listening port is answered with a TCP response with the RESET/ACK flags set, and if a TCP client or server receives too much information, it can close down the receiving buffer by advertising a window size of 0, which says that the receiving host cannot accept any more data until the currently buffered data is processed. But UDP and IP aren’t robust enough to communicate error conditions. That is where ICMP comes in; it provides a simple means of communication between hosts, or between a router and a host, to alert the sender of some kind of problem situation.

5 - 5 Where does ICMP fit in?
• TCP/IP internet layering model
(diagram: Application; Transport: TCP and UDP; Internet: IP and ICMP; Network Interface)

Slide “Where does ICMP fit in?” places ICMP in the TCP/IP internet layering model. This is one model’s representation of the different layers that form data and pass it between hosts. Starting at the top, we have the high-level application layer, which might represent a TCP/IP application such as telnet. Next, we have the transport layer, with protocols such as TCP and UDP that provide end-to-end communication between hosts. Beneath that is the internet layer, which is responsible for getting the datagram from source to destination. Finally, there is the network interface layer, which transmits the datagrams over the network. What we see is that ICMP is in the same layer as IP, the internet layer. ICMP is encapsulated in the IP datagram after the IP header.

5 - 6 ICMP versus other protocols
• No port numbers
• No notion of client/server
• No promise of reliable delivery
• Sometimes no response expected
• Can be broadcast

Moving ahead to slide “ICMP versus other protocols”, we see that ICMP differs from TCP and UDP in other ways. The first is that ICMP has no port numbers like those found in the transport layer protocols. The closest thing ICMP has to a differentiation of services is the ICMP message type and code, the first two bytes in the ICMP header, which tell the function of the particular ICMP message. Next, there is really no such thing as a client and a server. In fact, when ICMP error messages are delivered, the receiving host may respond internally but may not communicate anything back to the informer. And ICMP gives no guarantees about the delivery of a message. One of the unusual traits of ICMP is that “services” do not have to be activated or listening. Just about every operating system is capable of responding to an ICMP echo request (ping); the hard part is turning it off. Some intrusion detection systems have echo reply disabled so that they can remain as anonymous and undetectable as possible. Another trait of ICMP is that it supports broadcast traffic. TCP requires an exclusive client-server relationship, but ICMP isn’t nearly as territorial. We’ll see where this flexibility in ICMP’s ability to respond can sometimes cause problems.

5 - 7 ICMP speakers
• Hosts deliver ICMP queries/error messages to other hosts
(diagram: receiving host to original sending host: “Hey! Slow down!!!!”, an ICMP source quench)

Looking at slide “ICMP speakers”, we make the point that ICMP is a protocol that IP-speaking hosts possess and use. A host will use ICMP for simple requests and replies, and it will use ICMP to inform another host of some kind of error condition. In this slide, we see that the receiving host is having a problem keeping up with the traffic that the sending host is delivering to it. One of the ways a host can tell a sending host to throttle down its delivery rate is to send it an ICMP source quench message.

5 - 8 ICMP speakers (2)
• Routers deliver ICMP error messages to hosts
(diagram: router to original sending host: “Hey! You’re not allowed in my network!!!”, an ICMP admin prohibited)

Slide “ICMP speakers (2)” explains that ICMP is used as a mechanism by routers to inform a sending host of some kind of problem. In the above slide, you see a router responding to a sending host with an ICMP admin prohibited message. This means that the sending host attempted to send through the router some kind of traffic that was forbidden by an access control list statement. In a situation such as this, you would expect the router to be the sender of the message, since it is the one forbidding the activity. However, a router might also intervene to inform a sending host about a condition when the destination host is incapable of responding. For instance, if the destination host is unreachable, it obviously cannot respond itself, so the router may reply instead. Sometimes the act of a host or a router responding to an error condition may not be too wise. While the router in the above slide was trying to be helpful by informing the sending host of a problem, it is also providing information that may be used for reconnaissance purposes: the sender may glean some knowledge about the type of activity the router is blocking, or whether a host exists. Some sites “silence” the router as much as possible to preclude the dissemination of unnecessary information.

5 - 9 ICMP listeners
• One host can speak to another host
(diagram: sending host to receiving host: “Hello! Are you alive?”, an ICMP echo request)

Slide “ICMP listeners” makes a simple, perhaps obvious point: ICMP communication can take place between two hosts that converse using IP. This is nothing unusual; it is how TCP and UDP traffic is usually transacted, between two hosts. The ability to converse in ICMP is part of the operating system for Unix hosts. And because the notion of ports or services doesn’t apply, a host can listen for all ICMP traffic directed to it.

5 - 10 ICMP listeners (2)
• One host can speak to many hosts
(diagram: sending host to receiving router: “Is anyone on the network alive?”, an ICMP echo request to the broadcast address)

Advancing to slide “ICMP listeners (2)”, we contrast the two-way communication of ICMP with that of broadcast ICMP traffic. In this instance, we observe a sending host delivering an ICMP echo request to the broadcast address. Now, if the router to which the activity is directed allows such inbound activity, all active hosts on the network will receive the ICMP echo request and respond with an ICMP echo reply. So, as you can see, this is a good way to map a given network, or to overload it. And, as activity on the Internet becomes less friendly, allowing such traffic through the router or some other packet filtering device is not such a good idea. We’ll examine how ICMP broadcast activity allowed into your network can be used as a denial of service against another network.

[...]
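As an added illustration of two points made above (ICMP rides inside the IP datagram right after the IP header, and its type and code are the first two ICMP bytes), here is a small decoder written for this page; it is not code from the webcast. It also reads the copy of the original datagram that an ICMP error message carries, which is how tcpdump can print “udp port ntp unreachable” for a port unreachable. The addresses 10.0.0.5 and 10.0.0.9 and the sample bytes are constructed.

```python
import socket
import struct

# ICMP (type, code) pairs named the way tcpdump prints them in the webcast
ICMP_NAMES = {(0, 0): "echo reply", (8, 0): "echo request", (4, 0): "source quench",
              (3, 3): "port unreachable", (3, 4): "need to frag",
              (3, 13): "admin prohibited", (11, 0): "time exceeded in-transit",
              (11, 1): "ip reassembly time exceeded"}

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid ICMP message it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left 0 (sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_icmp(datagram: bytes) -> dict:
    """Decode the ICMP message that follows the IP header of a raw IPv4 datagram."""
    ihl = (datagram[0] & 0x0F) * 4
    if datagram[9] != 1:                       # IP protocol number 1 is ICMP
        raise ValueError("not an ICMP datagram")
    icmp = datagram[ihl:]
    itype, code = icmp[0], icmp[1]             # type and code: the first two ICMP bytes
    info = {"src": socket.inet_ntoa(datagram[12:16]), "dst": socket.inet_ntoa(datagram[16:20]),
            "type": itype, "code": code, "checksum_ok": checksum(icmp) == 0,
            "name": ICMP_NAMES.get((itype, code), f"type {itype} code {code}")}
    if itype in (3, 4, 11, 12):                # error messages quote the offending datagram:
        inner = icmp[8:]                       # its IP header plus the first 8 payload bytes
        inner_ihl = (inner[0] & 0x0F) * 4
        info["orig_proto"], info["orig_dst"] = inner[9], socket.inet_ntoa(inner[16:20])
        if inner[9] in (6, 17):                # TCP/UDP: those 8 bytes start with the ports
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return info

def sample_port_unreachable() -> bytes:
    """Constructed sample: target.host 10.0.0.5 reports UDP port 123 (ntp) closed to sending.host 10.0.0.9."""
    orig = ipv4_header("10.0.0.9", "10.0.0.5", 17, 28) + struct.pack("!HHHH", 40000, 123, 8, 0)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + orig       # type 3, code 3, zero checksum, unused word
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header("10.0.0.5", "10.0.0.9", 1, 20 + len(body)) + body
```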
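To show how the expected-versus-deviant distinction can be checked in practice, here is an added example, not from the webcast, that reads tcpdump lines in the format the webcast uses, flags echo requests sent to a network’s broadcast addresses, and counts the error messages that a site’s hosts and routers return to outside senders, the very information the author suggests “silencing”. The sample lines, the monitored network 10.0.0.0/24 and the outside address 192.0.2.7 are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style lines in the format the webcast uses (not captured traffic).
# 10.0.0.0/24 is the monitored network; 192.0.2.7 is an outside host.
SAMPLE = """\
192.0.2.7 > 10.0.0.255: icmp: echo request
192.0.2.7 > 10.0.0.0: icmp: echo request
192.0.2.7 > 10.0.0.5: icmp: echo request
10.0.0.5 > 192.0.2.7: icmp: echo reply
10.0.0.1 > 192.0.2.7: icmp: host 10.0.0.20 unreachable - admin prohibited filter
10.0.0.5 > 192.0.2.7: icmp: 10.0.0.5 udp port ntp unreachable (DF)
10.0.0.1 > 192.0.2.7: icmp: 10.0.0.5 unreachable - need to frag (mtu 1500)
10.0.0.1 > 192.0.2.7: icmp: time exceeded in-transit [tos 0xc0]
10.0.0.5 > 10.0.0.9: icmp: 10.0.0.5 udp port ntp unreachable (DF)
"""

LINE = re.compile(r"^(\S+) > (\S+): icmp: (.*)$")

# Message text to kind; order matters, the generic "unreachable" is tested last.
KINDS = [("echo request", "echo request"), ("echo reply", "echo reply"),
         ("admin prohibited", "admin prohibited"), ("need to frag", "need to frag"),
         (" port ", "port unreachable"), ("time exceeded", "time exceeded"),
         ("unreachable", "host unreachable")]

def classify(msg: str) -> str:
    for needle, kind in KINDS:
        if needle in msg:
            return kind
    return "other"

def analyze(text: str, local_net: str) -> dict:
    """Flag broadcast pings into local_net and count error messages leaking out of it."""
    net = ipaddress.ip_network(local_net)
    # classic smurf-style targets: the all-ones and the old all-zeros broadcast address
    broadcast = {net.broadcast_address, net.network_address}
    result = {"broadcast_pings": [], "leaks": Counter()}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, kind = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]), classify(m[3])
        if kind == "echo request" and dst in broadcast:
            result["broadcast_pings"].append((str(src), str(dst)))
        # an error message from inside to outside hands the sender reconnaissance data
        elif kind not in ("echo request", "echo reply") and src in net and dst not in net:
            result["leaks"][kind] += 1
    return result
```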
The preview preserves only fragments of the remaining slides; each fragment is cut where “...” appears.

... that ICMP is a means of delivering error messages between hosts. It is encapsulated in an IP header, but is considered part of the IP or internet layer. ICMP is a unique protocol because it doesn’t use ports to communicate like the transport protocols do. ICMP messages can get lost and not be delivered. ICMP messages are never used to deliver an error about other ICMP messages because that might cause some ...

... exceeded in-transit [tos 0xc0]
Let’s look at the “Time exceeded” ICMP message on the next slide. TCP/IP needs a way to flush from the Internet a lost datagram, perhaps one that is in some kind of routing loop where it is bouncing aimlessly among routers. The means used to prevent wayward datagram activity involves a field in the IP header known as the time ...

... Reconnaissance value in some returned ICMP messages
Turning to slide “Normal ICMP review”, we examined many of the ICMP messages that you may see while monitoring your network. We saw a timestamp request that is used to attempt to synchronize clocks or estimate round-trip time. We saw many of the different informative ICMP error messages. As you noticed, these ...

... MTU = 1500
router > sending.host: icmp: target.host unreachable - need to frag (mtu 1500)
Moving to slide “Fragmentation required, DF flag set”, we discuss another ICMP message. You may remember seeing or discussing the DF designation from tcpdump in other IP behavior webcasts. This means the don’t fragment flag is set. As the name implies, if this ...

... ICMP theory review
• Method for conveying error messages to IP
• Protocol unique because:
– No port numbers
– No perceived client/server
– No reliable delivery guaranteed
– Capable of being broadcast
• Just about all hosts listen and respond to ICMP
Let’s quickly summarize what we’ve learned in this short ...

... in-transit message back to the sending host.
5 - 25 Reassembly time exceeded
(diagram: sending host traffic to target host gets fragmented: Fragment 1, MF; Fragment 2, MF; Fragment 3, MF; Fragment 4, MF; target host doesn’t get all fragments and times out)
target.host > sending host: icmp: ip reassembly time exceeded (DF)
We look at a final ICMP message in ...

... of a given network. Cisco router access control lists have a statement that can silence the router from issuing the ICMP unreachable messages: “no ip unreachables”.
5 - 20 Port unreachable
(diagram: sending host connects to target host udp port ntp; target host not listening on port ntp)
target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)
...

... TFN
– Loki
Just like many of the other protocols, ICMP can be used for evil purposes. Slide “Malicious ICMP” introduces this section, in which we will discuss some of the ways that ICMP has been used for reconnaissance, as a conduit for denial of service attempts, and as a tunneling protocol.
5 - 28 Additional Reconnaissance
• Look at ICMP messages below ...

... MTU of link
• admin prohibited – determine access control list
• time exceeded in-transit – discover network topology
• address mask request – discover subnet mask
Look at the list above in slide “Other ICMP Reconnaissance” to see the types of information we can get from ICMP messages. If any of the messages above listed under discover routers are ...

... the other IP numbers, you’ll see that they seem to span 64 IP numbers. For instance, the first IP number has a final octet of 0 and the following one has a final octet of 63, so that is 64 total IP addresses. What is the significance of the 64? Well, a typical class C subnet has 256 addresses between the 0 and 255 host numbers. It is possible to subdivide a class C network so that you have multiple smaller ...

Posted: 04/11/2013, 13:15
