Subverting the ICMP protocol

Written by Peter Davies on .

This report has been prepared to critically examine the various techniques and protocols for subverting the ICMP protocol. By examining present forms of attack, this report will demonstrate how ICMP as a protocol can be easily subverted using simple tools that are freely available on the Internet. Using a well established virtual environment, several of the attack techniques will be practically examined, and this report will identify, using an introduction to both IP and the ICMP protocol, how in the future our networks might be secured against such attacks.

Introduction

Internet Protocol (IP) is a connectionless protocol in that the datagram is constructed and sent, and the sender has no idea whether it was delivered correctly (as this was a subsequent development of the Transmission Control Protocol). This is also true if a host is unavailable, the packets will simply be dropped if they do not reach the required destination.

internet protocol

Each level within a datagram has a header (above diagram). The IP header diagram (below right) is designed to demonstrate the formatting of the header. Each layer has its own header adding transportation information specific to that layer. This header has many fields but the most significant are the following that allow routers and switches to direct the transmitted data to and from its destination:

internet protocol

  • Source IP address
  • Destination IP address
  • Datagram ID
  • TTL (time to live)

The current IP protocol is version 4 providing several billion IP addresses, but as the growth of the Internet has increased exponentially over the past few years, a new solution to solve this issue is to be introduced. The IPv6 development has been conceived to solve some of the flawed entries of the previous version.

As a packet travels across the Internet it passes through routers that direct the information and provide simple error handling if for example the destination is unreachable. The protocol that performs this operation is called the Internet Control and Messaging Protocol (ICMP) and provides a mechanism for error handling and general messaging across the IP network layer. The diagrams on the previous page demonstrate how data is encapsulated within specific data types, and ICMP is transported in the data section of the IP packet (blue section at the same level as TCP transport control protocol) and itself has several data structures with headers like the ICMP request and reply message as defined by RFC 792 [1] and graphically represented below:

ICMP data structure

The ICMP protocol provides four commonly recognised additions to the IP protocol:

  1. Flow control When a receiving host is too busy to accept an incoming stream it sends a source quench message to temporarily halt the incoming stream.
  2. Unreachable destination alertsIf a machine on the network detects that a destination is unreachable, it will send a destination unreachable message to the sending machine.
  3. Redirecting routesA gateway can send a redirect message to inform a host to use another gateway.
  4. Checking remote hosts Using echo messages the physical connectivity of hosts on a network can be checked (such as when we ping a host)

The author of Internetworking with TCP/IP, Comer, D (2000) summarises the ICMP protocol as:

The Internet Control Message Protocol allows routers to send error or control messages to other routers or hosts; ICMP provides communication between the Internet Protocol software on one machine and the Internet Protocol software on another.

Each of the four functions above can be exploited in different ways; the following report will outline the various techniques that can be implemented to subvert the ICMP protocol to obtain information about hosts and networks.

Forms of Attack

ICMP Sweep

An ICMP sweep is often not seen as a direct attack on network, but never the less it is a threat to security. By using a sweep, an attack can determine which hosts are active so that they can perform more direct targeted attacks specific to those hosts.

By sending a series of ICMP echo request packets to every IP on a network segment, an attacker will receive ICMP replies confirming that a host is alive. This process is fairly noisy in the sense that you are broadcasting across a whole network range.

Inverse Mapping

Often networks are protected by filtering devices such as firewalls and gateways that prevent internal hosts from being reached externally. Using Inverse Mapping we can obtain a map of an internal network by polling internal routers about the hosts nearby by getting them to reveal information about the network without the filtering devices.

The SANS Institute paper on ICMP Attacks [2] describes the steps to recreate this process as:

  1. an attacker sends an ICMP reply message to a range of IP addresses presumably behind a filtering device
  2. upon receiving the series of ICMP reply messages, the filtering device will allow the packets to be forwarded to their destination (as the filtering device does not store the state of the ICMP requests)
  3. if there is an internal router, the router will respond with an ICMP Host Unreachable for every host that it cannot reach, thus giving the attacker knowledge of all hosts which are present behind the filtering device.

This process relies on the weakness of routers not maintaining or validating the state of an ICMP packet, where its possible to send a reply message before sending what would be the initial request message.

Traceroute Network Mapping

Both Microsoft Windows and all Linux derivatives include a network tool known as trace route that provides a mechanism for tracking the path of packets flowing between itself and a destination host. It achieves this by utilising the IP protocols TTL (time to live) field, where it attempts to elicit an ICMP time exceeded response from each gateway/router along the path to some host [3].

By default the Linux version of the trace route application uses UDP to perform its tracing, but it also provides an argument (-I) that allows the tool to use ICMP instead.

OS Fingerprinting

Often an attacker will need to identify what system they are about to attack before they can exploit a vulnerability. In this technique, the attacker relies upon the operating system manufacturer to have built their communications system slightly differently from other operating systems (as often is the case) [4].

Once again, the steps to recreate this technique are:

  1. the attacker sends malformed ICMP packets to the destination
  2. the destination host will respond with numerous answers to the given requests
  3. each operating system will send slightly different results back to the host so by process of elimination its possible to determine the operating system

This flaw in the development of the operating system, allows specially designed tools to examine the structure of the returned ICMP data and determine the likely operating system. We will see in this report an example of this technique demonstrating how a Linux tool called sing identifies different operating systems [5].

ICMP Route Redirect

As previously mentioned, one of the four main functions of ICMP is to provide the ability to redirect routing if for example another route has been found to be more efficient, or that it has been discovered that one route has a failure.

This technique exploits this function allowing a false ICMP packet to be transmitted telling a target host that they must route information through a new gateway, the attacker. After the traffic is re-routed through the attacker, it can be monitored using a packet sniffing application like Snort.

Ping of Death

This technique is where the attacker sends excessively large ICMP messages to a target host. Exploiting the weakness in operating systems implementation of the TCP/IP specification, the attacker can send an ICMP packet greater than the maximum of 65536 octets allowed. Depending on the operating system it is possible to create a buffer overflow, crashing a computer and forcing it to reboot, or even worse, make the host hang (thus rendering it unusable).

A similar attack can be achieved by sending multiple fragmented ICMP packets that requires the operating system to restructure the data on arrival. On examination, the operating system discovers that the packets are not the size they say they are and as a result it forces the machine to hang or reboot.

ICMP Flood Attack (Smurf)

The aim of this technique is to use the other computers on a network to attack the target host on behalf of the attacker. This attack exploits the weakness in the ICMP and IP protocols by forging the original source address of the packet with the address of the machine you wish to attack. This spoofing hides the attacker, and begins a chain reaction of network disruption.

This is best illustrated using graphical examples; to actually execute a Smurf attack on a network could cause serious disruption.

The attacker begins this exploit by broadcasting copious ICMP echo requests on a network (stage 1 below). Each of the active hosts will reply with an ICMP reply request to the spoofed IP address of the target and this results in a form of denial of service where the target computer is swamped with network traffic, unable to connect to external services (stage 2 below).

Practical Examples

During the construction of this report, numerous practical examples were used to test the theory behind the different forms of attack. Using a virtualisation environment known as VMware it was possible to reconstruct a virtual network where no real computers would be affected.

The diagram on the next page demonstrates the basic topology of the following key components:

  1. Computer 1, known as Alice and
  2. Computer 2, known as Bob
  3. Computer 3, known as Eve who wishes to eavesdrop on the conversation between Alice and Bob.
  4. Computer 4, known as Bill a Microsoft Windows 2000 machine

Attached to the end page of this report is a DVD containing the preassembled Alice, Bob and Eve VMware images, with a configuration tutorial in the section named Configuring a VMware Environment. The DVD contains a pre-configured Eve with access to SING amongst many tools.

ICMP Sweep

Not directly an attack on a network, but never the less a security threat, ICMP sweeping provides an attacker with an overview of the machines on a network. Using a tool called nmap, an attacker can run the following command to sweep a subnet:

After running this command something similar to the following screen shot will be generated:

As you can see from the results, nmap has correctly identified each legitimate host on the network, detecting the MAC address and determining the vendor of the NIC (network interface card in this case the virtual environment). The results are achieved by sending echo requests to each IP within a given subnet, those that reply with an ICMP reply are therefore active.

OS Fingerprinting

This is a fairly simple technique using SING to detect which operating system a particular hosts is running. As a reconnaissance tool this is very useful as an attacker can then tailor specific vulnerabilities to the detected operating systems for maximum effect. Here we can see Eve scanning Alice and determining that she is a Linux host:

And again, here we can see Eve scanning Bill, a Microsoft Windows 2000 host:

ICMP Flood Attack (Smurf)

Our test environment only contains four hosts, one being the attacker, and then one being the target. This leaves only two machines to perform the attack which due to its small scale creates no visible disruption to the activities of the target. This said we can easily see how the sing tool performs on only a few hosts using the following command:

The command is designed to broadcast ICMP echo requests to the IP address with the last octet ending in 255 (signifying a broadcast address) with a source address of the Windows 2000 machine. The tool generates the following output:

What we see here are the only two attacking machines replying to the initial attackers echo requests. They use the forged IP header to reply to the requests and as a result they send their packets to the target host. With enough of these replies it is clear that the target machine would be swamped with too much data to process, and subsequently not be able to communicate effectively.

Countermeasures

The first step to implementing any countermeasure is to determine if you are under attack. The process of launching a DoS is trivial in comparison to the time it takes to implement successful countermeasure, so here we discuss a simple procedure for detection of a Smurf attack on a Linux based host is to determine the amount of inbound ICMP traffic and compare it against the amount of outgoing traffic. If there is unusually more inbound ICMP traffic than outgoing, it will show that the host is being flooded.

For example running SING on Eve to flood Alice we use:

And on Eve we get the following output:

and then on Alice we can detect the flood by executing the following command [6]:

which should create results like the following:

Which demonstrate that Alice is receiving far more incoming ICMP packets than actually sending them a clear indication that an ICMP flood is occurring. Further tools are available that automate this detection process, activating only after a given threshold of activity.

Conclusions

As briefly mentioned in the Introduction of this report, IPv6 enhances the current IP protocol providing streamlined headers removing some of the more superfluous fields and replacing them with additional support for packet routing, and now with extended address reservation for IP addresses up to 128bits long. This is a substantial increase from version four which contained several unused fields and support for only 4,294,967,295 unique addresses. The most important addition to this new version is the built-in security for authentication and encryption solving the previous versions lack of non-repudiation support. Unlike the present version, IPv6 provides a facility for encryption prior to generation of the authentication data in the header field. This basically means that an attacker would need to gain extensive credentials to even begin to mount an attack; which itself is highly unlikely.

The main issue with a Smurf style attack is that the weight of the attack is multiplied by the number of hosts that are alive on a given network segment. Effectively, if the attacker can position himself correctly, the target host will almost definitely be subject to a full denial of service.

Recent press indicates that more home users are aware of such attacks of DoS with press coverage of electronic extortion cases. Here we have hackers blackmailing heavily used, business-critical websites with denial of service threats. Most organisations pay the money as the implications of having their site offline causes substantial business losses. The most recent example of this is as reported by the BBC [7] where a website called the Million Dollar Homepage attracted a little too much attention. The hackers wanted $5000 or they would perform a denial of service on the website, and when the owner didnt pay the hackers took the site down.

As with other protocols such as ARP, ICMP is required to provide a mechanism for error and query messaging. Without the addition of ICMP, the IP protocol would be unable to function correctly. It would also be difficult to implement a replacement given the wide-spread usage of the TCP/IP suite of protocols, for example, its use on the Internet.

In conclusion we can see that there are multiple ways to subvert the ICMP protocol using simple tools that are freely available on the Internet. We have also understood that without the ICMP protocol it would be impossible for the IP protocol to function without error messaging. What we can gain from understanding these exploits are the methods of detecting when they take place; this is the only real countermeasure to a very real threat.

References

Books

Comer, D (2000), Internetworking with TCP/IP Volume 1 [Book] Publisher: Prentice Hall, ISBN: 0 13 018380 6

Hallberg, B (2000), Networking Guide, Osborne, California, USA

Lewis, C (2000), Routing Professional Reference, McGraw-Hill, London, UK

Siyan, K (1998), Inside TCP/IP [Book] Publisher: New Riders, ISBN: 1-56205-714-6

Stallings, W (1997), Data And Computer Communications, Prentice-Hall, London, UK

Tanenbaum, A (1996), Computer Networks [Book] Publisher: Prentice Hall, ISBN: 0-13-394248-1

Teare, D (1999), Designing Cisco Networks [Book] Publisher: Cisco Press, ISBN: 1-57870-105-8

End Notes

[1] Postel, J (1981) Internet Control Message Protocol [Online] Network Working Group [Accessec 14th Feb 2006] Available from: http://www.faqs.org/rfcs/rfc792.html

[2] SANS Institute (2001) ICMP Attacks Illustrated [Online] SANS Institute [Accessed 16th Feb 2006] Available from: http://www.sans.org/rr/whitepapers/threats/477.php

[3] Jacobson, V (1996) UNIX Manual Page for TRACEROUTE [Online] Unix [Accessed 26th Feb 2006] Available from: http://www.zytek.com/traceroute.man.html

[4] Chappell, L (2003) OS Fingerprinting with ICMP [Online] Security Pro News [Accessed 25th Feb 2006] Available from: http://securitypronews.com/securitypronews-24-20030929OSFingerprintingwithICMP.html

[5] Omella, A (2001) UNIX Manual Page for SING [Online] Unix [Accessed 29th Jan 2006] Available from: http://linux.com.hk/penguin/man/8/sing.html

[6] Hoch, D (2004) Analysis of Network Denial of Service [Online] UUASC [Accessed 18th Feb 2006] Available from: http://www.ufsdump.org/papers/uuasc-november-ddos.html

[7] BBC News (2006) Blackmailers target $1m website [Online] BBC News [Accessed 2nd Mar 2006] Available from: http://news.bbc.co.uk/1/hi/technology/4621158.stm