RSS feeds and podcasts created by Ed Nickel
CIT 361: Week 5
ICMP: useful tool and curse
To automatically receive new feeds and podcasts you can copy this link: http://cot.gbcnv.edu/~ed/class/cit361/cit361.xml to your RSS reader and/or your iTunes/mp3 software. If you prefer getting the new feeds and podcasts manually you can read these files directly as you are reading this one.
ICMP (Internet Control Message Protocol) is a network layer protocol, just as IP, which was discussed last week, is. ICMP is one of the most useful diagnostic protocols in TCP/IP, used by network administrators and, unfortunately, by hackers as well. The most common method of thwarting attacks that use ICMP is simply to switch off ICMP in routers, firewalls, and servers, which of course makes it much less useful for legitimate diagnostics, if not completely useless for that purpose.
The first few pages of this chapter outline how some of the tools that use ICMP work and what information they give to an administrator or a "self-healing" router. ICMP is used with:
Unfortunately, less ethical Internet users can use these same tools, as described in the section "Security issues for ICMPv4" (pages 302-304). Most of these security issues have been at least mitigated, if not eliminated, in ICMPv6, but there are still some problems, as described on page 304.
This brings to mind the example I like to cite: a match is a tool that can be used to light the fire that warms a house, or misused to light the fire that burns the house down. ICMP is just such a tool: used properly it helps enhance network connectivity, but misused it can bring a network to its virtual knees. The result of these kinds of attacks is that many network administrators now use what are known as black hole routers, which simply forward ICMP traffic or, in extreme cases, drop it with no response.
The remainder of this chapter shows the structure and contents of various ICMP packets. Even if these cannot always be used on the Internet, they are valuable for diagnosing internal network problems. Knowing how to identify the various TCP/IP protocol packets and their complete structure is important when using a network sniffer to detect problems or even illicit network traffic. Network sniffers, also known as protocol analyzers, were briefly introduced in chapter 1 and are very useful both for diagnosing the network issues noted in this chapter and for monitoring TCP/IP security. As an aside, the protocol analyzer Wireshark is a freely downloadable software sniffer. If you wish to experiment with its use and examine real network packets, I urge you to try it on your own computer, but please be aware that many network administrators will turn you over to the local police if they catch you using it to intercept network traffic.
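As an added example (not text from the chapter or the course), here is a small decoder for the ICMPv4 header layout discussed above, of the kind you would write to check what a sniffer shows you: it splits out type, code, checksum and the echo identifier/sequence fields, and verifies the RFC 1071 checksum so that a corrupted or hand-altered message is flagged. The Echo Request bytes are constructed inline; the type-name table covers only a few common types.

```python
import struct

# A few common ICMPv4 message types (RFC 792); anything else is reported as "Other".
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an Echo Request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum field zeroed first
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message.

    Summing a message whose checksum is correct yields 0xFFFF, so the
    complement is 0; any other result means the bytes were altered in transit.
    """
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    info = {
        "type": itype,
        "type_name": ICMP_TYPES.get(itype, "Other"),
        "code": code,
        "checksum": csum,
        "checksum_ok": icmp_checksum(packet) == 0,
        "payload_len": len(packet) - 8,
    }
    if itype in (0, 8):                      # identifier/sequence only mean something for echo
        info["identifier"], info["sequence"] = ident, seq
    return info


# Constructed sample: what a sniffer would show after the IPv4 header for one ping.
SAMPLE = build_echo_request(0x1234, 1, b"abcdefgh")

if __name__ == "__main__":
    print(parse_icmp(SAMPLE))
```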
There is much material in both my comments and this chapter for you to use in your discussion posts. I hope to see some very lively discussion threads as a result.
This is all I have to add for this week. As always there is a lot of material covered in the text and much more can be found on the web from various network system vendors. So, post your comments, ideas, and questions in the current discussion. If any of you have worked with these systems you might consider telling us about some of your experiences.