ICMP DOS Attacks

The Internet Control Message Protocol is simple, as Internet protocols go. Originally described in RFC 792 by Jon Postel, ICMP provides a way for IP stacks to send simple messages containing information or errors. ICMP is important for the Internet (and IP networks) to function correctly; however, ICMP can also have a negative effect on your network's security.

For instance, ICMP has been used for scanning, Denial of Service attacks, and tunneling. A recent research paper by Israeli security consultant Ofir Arkin draws attention to some of the more arcane ways that ICMP can be employed in scanning networks. At the end of his paper, Arkin suggests permitting only one of the 52 ICMP types and codes through a firewall, and that one only inbound.

This column provides basic working knowledge of ICMP and describes how it can be abused for purposes of scanning networks. It also considers which ICMP types you might want traversing your firewall.

ICMP ROGUES' GALLERY
The most familiar ICMP use involves the Packet Internet Groper program, more popularly known as Ping. Ping commands your IP stack to send out an ICMP Echo Request (type 8) packet, and waits for an ICMP Echo Reply (type 0). If the destination of the ICMP packet is up, has an IP stack, and is not behind a device blocking ICMP echoes (a firewall), the ICMP Echo Reply will be received by your IP stack, and presented to your Ping program so you can see that the reply was received, and that the remote system is up and reachable.

Obviously, Ping can be used for scanning networks. By trying each host address in turn, Ping can see which IP addresses within a network have systems with IP stacks connected. For this reason, many firewalls block incoming Echo Requests to prevent network scanning via Ping.

Other ICMP types can also be used for scanning, however. The ICMP Timestamp Request (type 13) will elicit a Timestamp Reply, but only from Unix systems (Microsoft has not implemented this functionality in its IP stacks). Getting a response to a Timestamp Request not only tells you that a system is up but also that it is not running a Microsoft operating system.

Arkin points out in his paper that Microsoft stacks can also be identified using ICMP Echo Requests. Some ICMP types also have subtypes, called codes; ICMP Echo Requests and Replies do not. If, however, you send an Echo Request with a code value set, Microsoft stacks clear the code in the response, but Unix stacks do not. There are also differences in how IP stacks handle IP header errors, which can elicit Parameter Problem messages (type 12). Thus, it's possible to identify both Unix and Windows stacks using ICMP.

ICMP Address Mask Requests (type 16) should only be answered by routers, using an Address Mask Reply (type 17). The Address Mask Request can identify routers as well as collect subnet information, which is useful in mapping networks. As this ICMP type should only be used by local hosts looking for the subnet masks, it is an obvious candidate for blocking at firewalls. Router vendors should design router software so that it only responds to requests from neighboring networks.

Redirects (type 5) are used to adjust routing tables. Imagine that your desktop is on a subnet with two routers, each leading to different networks. Your system will be configured to treat one of these routers as the default router, but when packets that should be sent to the other router arrive at the default router's address, this router will send an ICMP Redirect to your host, adjusting its routing table. Depending on the information available to the router, it can send one of four codes, for example, a Host Redirect (code 0) or a Network Redirect (code 1).

If an attacker can send your system ICMP Redirects, he or she can also adjust your routing table, causing a DoS attack. Cisco Systems routers, for example, will not forward ICMP Redirect messages from other networks, blocking this attack remotely (but not locally). However, this is also an example of an ICMP type that should never pass through a firewall.

Source Quench (type 4) is not used for probing, but could be used for DoS attacks. Source Quench tells the traffic sender to slow down the rate it sends packets to the receiver. While it makes sense to permit Source Quench messages to public servers, it makes no sense to permit these ICMP messages into your internal network.

The Time Exceeded (type 11, code 0) message, which is normally used for error handling, can be used to map networks. IP headers include a Time-To-Live value that gets decremented each time the IP packet passes through an IP layer. TTL prevents packets from looping forever; it starts with a value no greater than 255 and eventually becomes zero. An attacker who wants to map a network can use traceroute to send packets with the TTL set artificially low. This causes intermediate routers to send back Time Exceeded messages that include their own source addresses; this is the information you see displayed when you use traceroute (or the Microsoft version, tracert).

A less-obvious use of Time Exceeded messages has to do with its other subtype (code 1). This subtype signals a sending host that not all fragments were received, and that the fragment reassembly time was exceeded. Arkin points out that this can be used to scan by sending only the first fragment, then waiting for the Time Exceeded message to be sent back. This technique can also be used for mapping ports, although it relies on the systems and ports being accessible through a firewall.

One of the most interesting ideas suggested in Arkin's paper has to do with mapping using Destination Unreachable (type 3) messages. The Destination Unreachable type has 15 subtypes (codes) that distinguish exactly what is unreachable, and sometimes why. For example, a router can report that a network, system, or a port on that system is unreachable, and it can also report that it is Administratively Prohibited, in other words, blocked by a firewall or packet filter.

It makes sense to permit Destination Unreachable messages to pass inbound through your firewall. Blocking these messages means that Internet applications like Netscape Navigator or Internet Explorer will hang until a failed connection attempt times out, instead of receiving the Destination Unreachable message and relaying that information to the user.

Allowing Destination Unreachables out through your firewall is another thing. Arkin suggests a technique he calls “inverse mapping.” If an attacker can send packets to some port (for example, port 53, used by DNS) on all systems, the addresses that are not in use will provoke the router local to that network to send back a Destination Unreachable, Host Unreachable code back to the scanner. Thus, the attacker gets messages from not-in-use IP addresses, providing an inverse mapping of your network.
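The messages described in this section (Echo, Timestamp, Redirect, Time Exceeded, and the Destination Unreachable codes) all share the same 8-byte ICMP header layout. The following Python encoder/decoder is an added example, not code from the column or from Arkin's paper; it shows where the type, code and checksum sit, how the RFC 1071 checksum is computed and verified, and where the per-type information lives (identifier and sequence for Echo, the gateway address for a Redirect, the next-hop MTU that RFC 1191 puts in a code-4 Destination Unreachable). Type and code names come from RFC 792 and RFC 1191; every sample packet is constructed inside the code, and the IP header is assumed to have been stripped already.

```python
import ipaddress
import struct

# Type and code names from RFC 792 (the next-hop MTU field of a code-4
# Destination Unreachable is from RFC 1191). Only types the column
# discusses are named; anything else is reported by number.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
    12: "Parameter Problem", 13: "Timestamp Request", 14: "Timestamp Reply",
}
UNREACHABLE_CODES = {
    0: "Network Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    13: "Communication Administratively Prohibited",
}
TIME_EXCEEDED_CODES = {0: "TTL Exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message for the 16-bit sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message and fill in the checksum. `rest` is the 4-byte
    field after the checksum whose meaning depends on the type."""
    if len(rest) != 4:
        raise ValueError("rest field must be exactly 4 bytes")
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"", code: int = 0) -> bytes:
    """Echo Request (type 8); the code is 0 unless a caller sets it deliberately."""
    return build_icmp(8, code, struct.pack("!HH", ident, seq), payload)


def build_dest_unreachable(code: int, next_hop_mtu: int = 0, original: bytes = b"") -> bytes:
    """Destination Unreachable (type 3). For code 4 the low 16 bits of the
    otherwise unused field carry the next-hop MTU (RFC 1191); `original` is
    the IP header plus 8 bytes of the datagram that was rejected."""
    return build_icmp(3, code, struct.pack("!HH", 0, next_hop_mtu), original)


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message (IP header already stripped) and verify its
    checksum: a valid message sums to 0xFFFF, so recomputing gives 0."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    rest, payload = packet[4:8], packet[8:]
    info = {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "type %d" % icmp_type),
        "checksum_ok": icmp_checksum(packet) == 0,
        "payload": payload,
    }
    if icmp_type in (0, 8, 13, 14):      # query types carry identifier/sequence
        info["ident"], info["seq"] = struct.unpack("!HH", rest)
    elif icmp_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "code %d" % code)
        if code == 4:
            info["next_hop_mtu"] = struct.unpack("!HH", rest)[1]
    elif icmp_type == 5:                  # a Redirect names the gateway to use instead
        info["gateway"] = str(ipaddress.IPv4Address(rest))
    elif icmp_type == 11:
        info["code_name"] = TIME_EXCEEDED_CODES.get(code, "code %d" % code)
    return info


if __name__ == "__main__":
    # Constructed samples: a ping and a "fragmentation needed" error.
    for pkt in (build_echo_request(0x1234, 1, b"ping data"),
                build_dest_unreachable(4, next_hop_mtu=1400)):
        print(parse_icmp(pkt))
```

The checksum check matters for a filtering device: a message whose checksum does not verify should be dropped before any of the type-specific handling above is trusted.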

NONVENOMOUS ICMP
The only type of ICMP message that Arkin suggests you allow through your firewall is Destination Unreachable. This is associated with determining the Path Maximum Transmission Unit. Modern IP stacks avoid packet fragmentation by choosing a packet size that will be the same as or smaller than the smallest MTU along the path.

Systems can exchange MTU information using a TCP option, but the way a system learns the Path MTU is by sending a packet no bigger than the local MTU with the Don't Fragment bit set in the IP header. If the packet is larger than any segment of the path's MTU, a Destination Unreachable, Fragmentation Needed and Don't Fragment was Set (code 4), will be returned. The system receiving this message is supposed to pare down the packet size.
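To make the Path MTU exchange concrete, here is an added simulation in Python (not from the column): a sending host walks a Don't-Fragment packet along a path of routers, each router with its own link MTU, and shrinks the packet whenever a Destination Unreachable code 4 comes back. It also covers two cases the paragraph implies but does not spell out: a router that leaves the next-hop MTU field at zero, where the host has to step down through the RFC 1191 plateau table, and a firewall that drops the code-4 message, where the host never learns why its packets vanish. The path, MTUs and router names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Plateau table from RFC 1191, used when the router reports no next-hop MTU.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


@dataclass
class Hop:
    name: str
    mtu: int                  # MTU of the link this hop forwards onto
    reports_mtu: bool = True  # False models an RFC 792 router that leaves the field zero


def forward(path: List[Hop], size: int) -> Tuple[bool, Optional[dict]]:
    """Carry a Don't-Fragment packet of `size` bytes along `path`.
    Returns (True, None) if delivered, or (False, msg) where msg is the
    Destination Unreachable type 3 code 4 the first too-narrow hop sends back."""
    for hop in path:
        if size > hop.mtu:
            return False, {"type": 3, "code": 4, "router": hop.name,
                           "next_hop_mtu": hop.mtu if hop.reports_mtu else 0}
    return True, None


def next_plateau_below(size: int) -> int:
    """Largest RFC 1191 plateau strictly smaller than `size`."""
    for plateau in PLATEAUS:
        if plateau < size:
            return plateau
    return PLATEAUS[-1]


def discover_path_mtu(path: List[Hop], local_mtu: int,
                      icmp_filtered: bool = False, max_tries: int = 8):
    """Path MTU discovery as the column describes it: start at the local MTU
    and pare the size down each time a code-4 error arrives. With
    `icmp_filtered` a firewall drops that error before it reaches the host,
    so the host keeps retrying the same size and finally gives up; this is
    why the column wants Destination Unreachable allowed inbound."""
    size = local_mtu
    attempts = []
    for _ in range(max_tries):
        delivered, msg = forward(path, size)
        if delivered:
            attempts.append((size, "delivered"))
            return size, attempts
        if icmp_filtered:
            attempts.append((size, "no response"))
            continue
        attempts.append((size, "%s: fragmentation needed" % msg["router"]))
        size = msg["next_hop_mtu"] if msg["next_hop_mtu"] > 0 else next_plateau_below(size)
    return None, attempts


if __name__ == "__main__":
    # Constructed path: a 1500-byte Ethernet, then two narrower links.
    path = [Hop("r1", 1500), Hop("r2", 1400), Hop("r3", 1280)]
    print(discover_path_mtu(path, 1500))
    print(discover_path_mtu(path, 1500, icmp_filtered=True))
```

Run stand-alone, the first call converges on 1280 in three sends; the filtered run returns None after exhausting its retries, which is exactly the hang the column attributes to blocking these messages.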

Arkin's advice is certainly conservative and safe. The table lists the different ICMP types, and you can get a complete listing of the codes using the Resources information. What you decide to do really depends on the level of security you want for your network and the type of firewall you are using.

Application gateway firewalls like Secure Computing's Sidewinder and Axent Technologies' Raptor terminate TCP connections at the firewall itself. This means that ICMP messages also communicate with the firewall's stack, and do not pass through the firewall when an application gateway is used.

Other firewall technologies must pass some ICMP messages through, or IP performance and network efficiency suffer. Of all the ICMP types, the Destination Unreachables are the most important to pass inbound through a firewall. If you use filtering to protect Web servers or other public servers, you may want to permit inbound Source Quench as well. For outbound traffic, blocking all ICMP types is the safest approach, although again you may wish to permit some types, depending on your security stance.
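The recommendations in this paragraph can be written down as a small filtering policy and checked against log data. The following Python is an added example (not a configuration from any firewall product the column names): it encodes the column's rules for a packet-filtering firewall, allowing Destination Unreachable inbound, allowing Source Quench inbound only toward designated public servers, and denying every other type in both directions, then applies the policy to a few constructed log lines and reports sources whose denied messages span several ICMP types, the footprint of the scanning described earlier. The log format, addresses and the PUBLIC_SERVERS set are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from a real device): direction, source,
# destination, ICMP type and code, one message per line.
SAMPLE_LOG = """\
in 203.0.113.9 192.0.2.10 type=8 code=0
in 203.0.113.9 192.0.2.11 type=13 code=0
in 203.0.113.9 192.0.2.10 type=5 code=1
in 198.51.100.7 192.0.2.10 type=3 code=4
in 198.51.100.7 192.0.2.10 type=4 code=0
in 198.51.100.7 192.0.2.11 type=4 code=0
out 192.0.2.1 203.0.113.9 type=3 code=1
out 192.0.2.10 198.51.100.7 type=0 code=0
"""

# Assumed: the public Web server sits behind the filter, the .11 host is internal.
PUBLIC_SERVERS = {"192.0.2.10"}

LINE_RE = re.compile(
    r"^(?P<dir>in|out) (?P<src>\S+) (?P<dst>\S+) type=(?P<type>\d+) code=(?P<code>\d+)$")


def icmp_policy(direction: str, icmp_type: int, code: int, dst: str) -> str:
    """Allow/deny decision following the column's advice for a filtering
    (not application-gateway) firewall."""
    if direction == "in":
        if icmp_type == 3:
            return "allow"   # Destination Unreachable, all codes (code 4 is Path MTU)
        if icmp_type == 4 and dst in PUBLIC_SERVERS:
            return "allow"   # Source Quench only toward public servers
        return "deny"        # Echo, Timestamp, Redirect, Address Mask, and the rest
    return "deny"            # outbound: block everything, which also defeats inverse mapping


def apply_policy(log_text: str):
    """Parse each log line and attach the policy verdict.
    Returns a list of (direction, src, dst, type, code, verdict) tuples."""
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        t, c = int(m["type"]), int(m["code"])
        decisions.append((m["dir"], m["src"], m["dst"], t, c,
                          icmp_policy(m["dir"], t, c, m["dst"])))
    return decisions


def probing_sources(decisions, min_types: int = 2):
    """Sources whose denied inbound messages cover at least `min_types`
    distinct ICMP types, the pattern of a scanner trying Echo, Timestamp
    and so on in turn. Returns {source: sorted list of types}."""
    types_by_src = defaultdict(set)
    for direction, src, _dst, icmp_type, _code, verdict in decisions:
        if direction == "in" and verdict == "deny":
            types_by_src[src].add(icmp_type)
    return {src: sorted(ts) for src, ts in types_by_src.items() if len(ts) >= min_types}


if __name__ == "__main__":
    for decision in apply_policy(SAMPLE_LOG):
        print(decision)
    print(probing_sources(apply_policy(SAMPLE_LOG)))
```

Because the policy denies by default, any type the column does not explicitly permit (Address Mask, Redirect, Timestamp, Echo) is dropped without having to be listed, which is the conservative stance Arkin's paper takes.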

ICMP is really quite simple. It was designed to help IP work smoothly. For networks where security is not the priority, or if you are not preventing other types of scanning, you can leave ICMP traffic alone. However, for maximum security, only a few types of messages should be allowed through your firewall.