The Internet is now the world's most popular network and it is full of potential vulnerabilities. In this series of articles, we explore the vulnerabilities of the Internet and what you can do to mitigate them.
The Internet Control Message Protocol (ICMP) is part of the Internet Protocol (IP) suite of networking protocols. ICMP is used to provide feedback about problems in the communication environment.
ICMP is an integral part of IP, and must be implemented by every IP module. ICMP messages are sent in several situations, for example: when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. (RFC 792)
Because ICMP is universal to IP networks, ICMP vulnerabilities affect every site using IP protocols. This includes all Internet sites and many other networks.
Because ICMP's role is to manage errors, it can potentially be used to cause hosts to reroute packets (e.g., through your host so you can tap transmissions), to cause packets to be retried (e.g., to force unnecessary consumption of bandwidth), to change the rate at which hosts send information (e.g., to force performance to slow to a near-halt), and for other similar disruptive purposes.
ICMP attacks are primarily ways to corrupt network integrity. They can result in widespread or selective corruption of information, selective or widespread denial of service, and selective leakage of information.
Without providing specific source code for attackers, the following examples give an idea of how ICMP can be abused.
ICMP packet type 3 is a good starting point. In packet type 3, a message can be sent indicating any of the following conditions:
0 = net unreachable; 1 = host unreachable; 2 = protocol unreachable; 3 = port unreachable; 4 = fragmentation needed and DF set; 5 = source route failed.
All an attacker has to do is forge the right packets and a network, host, protocol, or port appears to be unreachable (0, 1, 2, or 3). The fragmentation requirement can force a host to retransmit packets in smaller sizes, thus taking more bandwidth and opening holes for other attacks we will discuss in another issue in this series.
The source quench message is a request to the host to cut back the rate at which it is sending traffic to the internet destination. On receipt of a source quench message, the source host should cut back the rate at which it is sending traffic to the specified destination until it no longer receives source quench messages from the gateway.
In other words, if an attacker sends a series of source quench packets, they can slow the communication rate between that host and some other host. The simplest way to use this is to forge IP packets and cause hosts to slow traffic to specific hosts, but with a little bit of effort, you can do a lot more damage.
By using the traceroute program provided with most Unix implementations, you can find out how packets are routed between hosts. Since each Internet site has one primary path for traffic flow, traceroute can identify the closest site to the host under attack. By forging source quench packets from that host to the host under attack, you can effectively slow all traffic from the host under attack.
For the more malicious attacker wishing to cause widespread disruption of services, source quench can be used to slow down main Internet arteries, thus slowing long-haul traffic throughout large portions of the global network. This is done by sending source quench packets to hosts connected to the backbone networks which carry most communications across the country or between countries or continents.
The redirect message portion of ICMP provides for the following services:
0 = Redirect datagrams for the Network. 1 = Redirect datagrams for the Host. 2 = Redirect datagrams for the Type of Service and Network. 3 = Redirect datagrams for the Type of Service and Host.
The redirect message advises the host H to send its traffic for network N directly to gateway G as this is a shorter path to the destination. The gateway G is supposed to forward the original datagram's data to its internet destination. This is how routing tables are automatically updated to reflect changes in network topology or performance.
An attacker can use this type of message to dramatically change the effective topology of the Internet. For example, by directing all traffic from Sprint's southern California gateway going toward the Pacific rim through a slow computer in Iowa, network performance could be severely slowed. From that host in Iowa, you could then tap into all traffic going through that gateway toward the Pacific rim, modify traffic in transit, and selectively cut off traffic or change source and destination addresses, change message priorities, and any of a large number of other disruptive things.
The router discovery extension to ICMP provides the means by which hosts and networks can announce their location and the best routes for reaching them. It is one of the core methods used to change address information when a host moves. For example, if you change Internet providers but keep your domain name, router advertisement is the way the routing tables get updated.
According to the RFC that specifies this service, the following security implications exist:
This extension of ICMP makes it possible for any system attached to a link to masquerade as a default router for hosts attached to that link. Any traffic sent to such an impostor is vulnerable to eavesdropping, to denial of forwarding service, and to modification by insertion, deletion, or alteration of packets. It should be noted that, on most multicast or broadcast links on which this protocol is expected to operate, eavesdropping is already possible by any system attached to the link, and the Address Resolution Protocol (ARP) used on those links offers a similar opportunity for service denial and message stream modification. For environments where those threats are deemed unacceptable, there are configuration variables to disable dynamic router discovery by hosts. The Router Advertisement message format is defined so as to allow additional information to be added to the message in a backward-compatible manner. One possible use of that capability is to add digital signatures or some other form of authentication information to the advertisements, to enable hosts to verify their authenticity. This is FOR FURTHER STUDY.
To date, no further study has been done, or at least, the protocol hasn't been augmented.
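As an added defender-side illustration (not code from the original article), the following Python audit parses the ICMP header, verifies the RFC 1071 checksum, and flags the message classes discussed above: redirects that come from anything other than a trusted router or that point to an off-link gateway, any source quench, router advertisements from non-routers, and the router-only unreachable codes when they arrive from an end host. The trusted-gateway set, the subnet, and the sample addresses and packets are constructed assumptions.

```python
import ipaddress
import struct
# ICMP types the article discusses (RFC 792; router advertisement from RFC 1256).
DEST_UNREACHABLE, SOURCE_QUENCH, REDIRECT, ROUTER_ADVERT = 3, 4, 5, 9
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                 4: "fragmentation needed", 5: "source route failed"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Type, code, checksum validity and the 4-byte 'rest of header' of one message."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    mtype, code, _ = struct.unpack("!BBH", msg[:4])
    # a message whose checksum field is correct sums to zero when re-checksummed
    return {"type": mtype, "code": code, "checksum_ok": icmp_checksum(msg) == 0, "rest": msg[4:8]}

def audit_icmp(src_ip: str, msg: bytes, gateways: set, local_net: str) -> list:
    """Findings for one message; gateways = trusted routers, local_net = on-link subnet."""
    p, findings = parse_icmp(msg), []
    if not p["checksum_ok"]:
        findings.append("bad checksum")
    if p["type"] == REDIRECT:
        new_gw = ipaddress.IPv4Address(p["rest"])   # 'rest' carries the new gateway address
        if src_ip not in gateways:
            findings.append(f"redirect from non-gateway {src_ip}")
        if new_gw not in ipaddress.IPv4Network(local_net):
            findings.append(f"redirect to off-link gateway {new_gw}")
    elif p["type"] == SOURCE_QUENCH:            # no legitimate sender today: drop and log
        findings.append(f"source quench from {src_ip}")
    elif p["type"] == ROUTER_ADVERT and src_ip not in gateways:
        findings.append(f"router advertisement from non-gateway {src_ip}")
    elif p["type"] == DEST_UNREACHABLE and src_ip not in gateways and p["code"] in (0, 1, 4, 5):
        # net/host unreachable, frag-needed and source-route-failed come from routers;
        # protocol/port unreachable (2, 3) are normal from end hosts and stay quiet here
        findings.append(f"{UNREACH_CODES[p['code']]} unreachable from non-gateway {src_ip}")
    return findings

# Constructed samples with hand-computed checksums; nothing is sent on a network.
TRUSTED_GW, LAN = {"192.0.2.1"}, "192.0.2.0/24"
REDIRECT_SPOOFED = ("203.0.113.9", bytes.fromhex("050138b1c000024d"))   # new gw 192.0.2.77
REDIRECT_OFFLINK = ("192.0.2.1", bytes.fromhex("0501d0c5c6336405"))     # new gw 198.51.100.5
PORT_UNREACH_OK = ("203.0.113.9", bytes.fromhex("0303fcfc00000000"))    # normal host reply
```

Calling `audit_icmp(*REDIRECT_SPOOFED, TRUSTED_GW, LAN)` reports the redirect as coming from a non-gateway, while the port-unreachable sample produces no findings because end hosts legitimately send it.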
This brings us to Fred's First Law of Attacking Computers:
Computers can't tell the difference between the truth and a lie, and neither can many humans. But unlike most humans, in the case of most modern computers, even the simplest of lies work, and the same lie works again and again until the computer is fixed. Then another lie will probably work.
In this case, the attacker is telling a lie about error conditions in the network, the most efficient route from one place to another, or other such things.
ICMP cannot simply be abandoned like many other insecure Internet services because it is so deeply embedded in IP. But there are some things you can do to limit the potential risks.
The Internet Control Message Protocol is both necessary to Internet operation and a potentially hazardous source of corruption, denial of services, and information leakage. If properly managed, networks can be kept reasonably secure from the threats resulting from ICMP; however, few current networks are properly protected.