During data transmission, IP provides best-effort services. That is, IP tries its best to send data packets to the destination. IP does not verify whether the destination host receives the data packet, and cannot perform flow control and error control. Therefore, various errors are inevitable during data packet transmission. To forward IP packets more effectively and improve the chance of successful packet delivery, ICMP comes into being. ICMP enables hosts or devices to report errors and exceptions to upper-layer protocols when packet transmission experiences errors on the network. Upper-layer protocols then can use their own error control programs to determine whether communication is normal for flow control and error control, ensuring service quality. Show
How Does ICMP Work?ICMP is an error reporting mechanism. If an error occurs during packet processing, ICMP reports the error to the source device of the packet. ICMP neither corrects the error nor notifies the intermediate network devices of the error. An ICMP message is encapsulated as a part of an IP datagram and transmitted through the Internet. An IP datagram contains information about only the source and destination, and can record information about all nodes along the path it traverses only if its Record Route option is set. Therefore, a device that detects an error reports the error to only the source but not intermediate devices. After receiving the error report, the source cannot determine which intermediate device causes the error. However, the source can determine the error type according to the ICMP message and determine how to retransmit the data packet that fails to be transmitted. The following figure shows the ICMP message format. Each ICMP message contains the complete IP header of the data packet that triggers the ICMP message, and the ICMP message is encapsulated in the IP data packet. The ICMP header contains the following fixed fields, which are the basis for the source to determine the error type:
Different values of the Type and Code fields indicate different types of ICMP messages, which correspond to different errors that may occur during data packet processing. ICMP messages are classified into error and query messages. ICMP does not generate ICMP error messages in the following situations:
Table 1-1 ICMP message classification Type Code Description Query/Error 0 – Echo Reply 0 Echo reply Query 3 – Destination Unreachable 0 Destination network unreachable Error 1 Destination host unreachable Error 2 Destination protocol unreachable Error 3 Destination port unreachable Error 4 Fragmentation required, and DF flag set Error 5 Source route failed Error 6 Destination network unknown Error 7 Destination host unknown Error 8 Source host isolated Error 9 Network administratively prohibited Error 10 Host administratively prohibited Error 11 Network unreachable for ToS Error 12 Host unreachable for ToS Error 13 Communication administratively prohibited Error 14 Host precedence violation Error 15 Precedence cutoff in effect Error 5 – Redirect Message 0 Redirect datagram for the network Error 1 Redirect datagram for the host Error 2 Redirect datagram for the ToS and network Error 3 Redirect datagram for the ToS and host Error 8 – Echo Request 0 Echo request Query 9 – Router Advertisement 0 Router advertisement Query 10 – Router Solicitation 0 Router discovery/selection/solicitation Query 11 – Time Exceeded 0 TTL expired in transit Error 1 Fragment reassembly time exceeded Error 12 – Parameter Problem 0 Pointer indicates the error Error 1 Missing a required option Error 2 Bad length Error 13 – Timestamp 0 Timestamp Query 14 – Timestamp Reply 0 Timestamp reply Query 15 – Information Request 0 Information request Query 16 – Information Reply 0 Information reply Query Typical Applications of ICMPIP and other programs, among which the ping and tracert (traceroute) applications are the most common, can use ICMP messages to implement multiple applications. In network management and monitoring, network quality analysis (NQA) makes full use of ICMP. PingPing is the most common debugging method to detect whether IPv4/IPv6 network devices are reachable. It uses ICMP echo messages to test the following:
TracertTracert checks network connectivity by checking the path of packets from the source to the destination. When a network fault occurs, you can use tracert to locate the fault. Tracert determines the routes from a host to other hosts on the network based on ICMP timeout messages and destination unreachable messages. In addition, it helps determine the delay of each hop on the IP network. The delay indicates the time required for sending a packet from the information source to the destination. The delay can be classified into propagation delay, transmission delay, processing delay, and queuing delay. NQANQA is a technology that measures network performance in real time and collects statistics on network information, such as the delay, jitter, and packet loss rate. It helps learn network service quality in real time and effectively diagnoses and locates network faults. NQA extends and enhances the ping and tracert functions by using different types of ICMP messages. It can accurately test the network operating status and output statistics. NQA tests include ICMP tests, ICMP jitter tests, and trace tests.
ICMP SecurityICMP is of great significance to network security. ICMP does not have an authentication mechanism. As a result, ICMP is easy to be used to attack network devices such as switches and routers. ICMP AttacksCurrently, most ICMP attacks are denial of service (DoS) attacks. The most common ICMP flood attack occurs when an attacker sends a large number of forged ICMP packets to the target device in a short period of time. As a result, the target device is busy with processing these useless packets and cannot provide services for legitimate users. The following figure shows the process.
ICMP flood attacks are classified into bandwidth-consuming DoS attacks and port scanning attacks (connection-based DoS attacks).
In addition, there are DoS attacks targeting hosts, which are also called ping-of-death attacks. These DoS attacks mainly exploit operating system vulnerabilities. In the early stage, routers limit the maximum size of packets. Many operating systems specify 64 KB as the maximum size of an ICMP message in the TCP/IP protocol stack. After the header of an ICMP message is read, a buffer is generated for the payload based on the information contained in the header. When receiving a malformed packet whose size is claimed to exceed the maximum size of an ICMP message, that is, 64 KB, a device will allocate a payload of more than 64 KB, leading to a memory allocation error. As a result, the TCP/IP protocol stack crashes and the device breaks down. According to this, an attacker can send an invalid ICMP Echo Request packet to crash or restart the target system. Many systems, including Windows, Unix, Macintosh, and some switches, routers, and printers, are vulnerable to such attacks. If the version of the operating system used by the user is outdated, ensure that required patches are installed. ICMP Attack DefenseICMP plays a significant role in network data transmission, network management and monitoring, and network security. Therefore, the ICMP attack defense technology is of great importance to reduce the burden of the device in processing ICMP packets and defend against ICMP attacks. Currently, ICMP packet rate limiting, ICMP packet validity check, discarding ICMP packets that do not need to be processed, and no response to unreachable packets are used to defend against attacks and protect device CPU resources.
|