Ed's podcasts

RSS feeds and podcasts created by Ed Nickel
are licensed under a Creative Commons Attribution 3.0
United States License
based on a work at cot.gbcnv.edu.
Creative Commons License

CIT 361: Week 5

ICMP: useful tool and curse

To automatically receive new feeds and podcasts you can copy this link: http://cot.gbcnv.edu/~ed/class/cit361/cit361.xml to your RSS reader and/or your iTunes/mp3 software. If you prefer getting the new feeds and podcasts manually you can read these files directly as you are reading this one.


ICMP (Internet Control Message Protocol) is a network layer protocol just as IP is that was discussed last week. ICMP is both one of the most useful diagnostic protocols for TCP/IP in use by network administrators and unfortunately by hackers. The most common method of thwarting attacks that use ICMP is to simply switch off ICMP in routers, firewalls, and servers which, of course, makes it much less useful for legitimate diagnostics if not completely useless as such.

The first few pages of this chapter outline how some of the tools that use ICMP work and what information they give to an administrator or a "self healing" router. ICMP is used with:

  • Ping (page 291-293) to test network connectivity, these results test whether a packet can reach its destination and show how long it takes for a packet to reach its destination;

  • Traceroute (page 293-294) finds which route is used and how many hops are in the route to a destination;

  • Path MTU (maximum transmission unit) discovery (page 294) determines the largest size packet that can be sent over a particular route, and since there is huge overhead that can dramatically slow down traffic if packets must be fragmented then the sender can adjust their packet size to best fit the route; please note some routers simply drop packets that are to large instead of fragmenting them to avoid the delays but they should send a message back to the sender telling them why their packets are not delivered;

  • ICMP Router Discovery (page 298) and Router Advertising (page 301) can help a local host find a gateway router or even the best route to use on a multiple router subnet when sending their packets.

Unfortunately, the less ethical Internet users can use these same tools, as described in the section "Security issues for ICMPv4" (pages 302-304). Most of these security issues have been at least mitigated if not eliminated in ICMPv6 but there are still some problems as described on page 304.

  • Ping and Traceroute can be used to flood a router with useless traffic and extra response work as well as being a tool to find potentially vulnerable links;

  • Path MTU discovery can be purposely used to exceed the MTU thus adding congestion to that route;

  • Router Advertising can be used to re-route network traffic to themselves for any of several so called "man-in-the-middle" attacks.

This brings to mind the example I like to cite of a match as a tool that can be used to light the fire that warms a house or misused to light the fire that burns the house down. ICMP is just such a tool, when used properly it helps enhance network connectivity but when misused can bring a network to its virtual knees. The result of these kinds of attacks is that many network administrators now use what are known as black hole routers that simply forward ICMP traffic or in extreme cases drop it with no response.

The remainder of this chapter shows the structure and contents of various ICMP packets. Even if these cannot always be used on the Internet they are valuable for diagnosing internal network problems. Knowing how to identify various TCP/IP protocol packets and their complete structure is important when using a network sniffer to detect problems or even illicit network traffic. Network sniffers, also known as protocol analyzers, were briefly introduced in chapter 1 and are very useful in diagnosing network issues noted in this chapter as well as monitoring TCP/IP security. As an aside the protocol analyzer Wire Shark is a freely downloadable software sniffer. If you wish to experiment with its use and examine real network packets I urge you to try it on your own computer, but please be aware that many network administrators will turn you over to the local police if they catch you using this to intercept network traffic.

There is much material in both my comments and this chapter for you to use in your discussion posts. I hope to see some very lively discussion threads as a result.

This is all I have to add for this week. As always there is a lot of material covered in the text and much more can be found on the web from various network system vendors. So, post your comments, ideas, and questions in the current discussion. If any of you have worked with these systems you might consider telling us about some of your experiences.