ICMP Vulnerabilities and its Countermeasures
By
Shweta Jhunjhunwala (MITS,Lakshmangarh)
Kriti Goenka (MITS, Lakshmangarh)
Sandeep Tanwar (GPMCE,IP University, Delhi)

Abstract:
To prevent distributed denial of service (dDoS) attack via ICMP (ping).

1. Introduction
ICMP or The Internet Control Message Protocol is the de facto protocol used to communicate error messages reporting errors that might have occurred while transferring data over networks. ICMP messages are sent in several situations: for example, when adatagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.

The purpose of these control messages is to provide feedback about problems in the communication environment, not to make IP reliable.There are still no guarantees that a datagram will be delivered or a control message will be returned.Some datagrams may still be undelivered without any report of their loss.The higher level protocols that use IP must implement their own reliability procedures if reliable communication is required.

The ICMP messages typically report errors in the processing of datagrams.To avoid the infinite regress of messages about messages etc., no ICMP messages are sent about ICMP messages.Also ICMP messages are only sent about errors in handling fragment zero of fragemented datagrams.(Fragment zero has the fragment offeset equal zero). ICMP messages are typically generated in response to errors in IP datagrams (as specified in RFC 1122) or for diagnostic or routing purposes.

It is the responsibility of the network layer (IP) protocol to ensure that the ICMP message is sent to the correct destination. This is achieved by setting the destination address of the IP packet carrying the ICMP message. The source address is set to the address of the computer

that generated the IP packet (carried in the IP source address field) and the IP protocol type is set to "ICMP" to indicate that the packet is to be handled by the remote end system's ICMP client interface.

2. Message Format
ICMP messages are sent using the basic IP header. Unless otherwise noted under the individual format descriptions, the values of the internet header fields are as follows: * Version: This would normally be set to '4' to indicate use of ipv4. * IHL: Internet Header Length : The length of the header in 32 bit words. This field is needed since header length might vary. * Type of Service: Set to 0 by default. * Total Length: Total Length and the first data byte is the sequence number plus 1. Otherwise if the SYN flag is not present. * Identification, Flags and Fragment Offset : Taken from the IP protocol. * Time to live : How many routing hops this packet may endure. * Protocol : ICMP version used. * IP Header Checksum: used for error checking. * Source Address: The source address from whom the packet was sent. * Destination Address: The destination address of the packet. * Type: 8 bits.Specifies the format of the ICMP message. * Code: further specification of the ICMP type; e.g. : an ICMP Destination Unreachable might have this field set to 1 through 15 each bearing different meaning. * Checksum: This field contains error checking data calculated from the ICMP header+data, with value 0 for this field. * ID: This field contains an ID value, should be returned in case of ECHO REPLY. * Sequence: This field contains a sequence value, should be returned in case of ECHO REPLY.

Padding Data
After the ICMP header follows padding data (in bytes): * The LINUX "ping" utility pads ICMP to a total size of 64: sizeof(ICMP Header) - 64 = 56 * WINDOWS "ping.exe" pads to a total size of 40: sizeof(ICMP Header) - 40 = 32.

Any field labeled "unused" is reserved for later extensions and must be zero when sent, but receivers should not use these fields (except to include them in the checksum). ICMP datagram can have a maximum length of 65536.
The grey cells describe the IP header. The ICMP header consists of the green cells.

Fig1: ICMP Datagram ICMP packet | | Bit 0 – 7 | Bit 8 - 15 | Bit 16 - 23 | Bit 24 - 31 | IP Header
(160 bits OR 20 Bytes) | Version/IHL | Type of service | Length | | Identification | flags and offset | | Time To Live(TTL) | Protocol | Checksum | | Source IP address | | Destination IP address | ICMP Payload
(64+ bits OR 8+ Bytes) | Type of message | Code | Checksum | | Quench | | Data (optional) |

3. Ping Application
Ping is a computer network tool used to test whether a particular host is reachable across an IP network; it is also used to self test the network interface card of the computer, or as a speed test. It works by sending ICMP “echo request” packets to the target host and listening for ICMP “echo response” replies. Ping measures the round-trip time and records any packet loss, and prints when finished a statistical summary of the echo response packets received, the minimum, mean, max and in some versions the standard deviation of the round trip time.

3. Distributed Denial of Service Attack

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. This attack is possible only on statuc live IPs.
This attack can be achieved by many ways like * teardrop attack * peer to peer attack * ICMP flood
And many other. Our target for this paper is preventing ICMP flood. ICMP flood is achieved by sending extremely large ICMP datagrams via PING command by using the following command:

ping –l “size of packet” “destination IP/Domain name”

As we know that the ICMP has a maximum datagram size of 65536 bytes, in DoS attack (which is restricted and is obsolete now) the packet of more than this size was used to send, say 65540 (called as ping of death), this way the destination system’s network adapter goes into infinite loop of resolving the packet size which is actually not mentioned in its dictionary. This way the network adapter it distorted and the server goes down. But this is no more exists in the operating systems after Windows NT and 98.
After DoS attack’s prevention, hacker came up with the idea of distributed DoS attack. For preventing Dos attack the OS manufactures had added a mechanism for discarding packets more then 65536.
But hacker are no less, they came up with the idea of DDoS attack in which a packet large enough, say 65000 Byte, are sent from many systems, say 10, to a single system, this way each packet being within the acceptable range is stored in the network adapter buffer. As the size of the packet is very large th e network adapter takes time to analyses the packet and generate a reply for each packet, but the senders do not wait and are continuously sending such large ICMP packets. This overflows the buffer and hence the adapter is destroyed. This buffer can be seen in the task manager of Windows or in any of the network analyzing software. Actually the DDoS attack is achieved by analyzing the network traffic graph when such large ICMP packets are sent and according to the graph the number of systems required to send the ICMP packets via PING are calculated.

5. Countermeasure
As we know, the ICMP packets are generated in two ways: * When any error is generated in any TCP/IP connections and communications. * Deliberately by ping and traceroute applications.

In both the ways, ICMP packets can be used for DDoS attacks, by increasing the size of ICMP packets.
Now one way of avoiding such attacks is to configure the firewall in such a way that they discard the ICMP packets. But many a times ICMP packets are needed. So stopping the protocol is not a wise solution.
But this can be prevented by bringing upon slight changes in the ICMP protocol.
The size of the IP packet is 65536 Bytes, which is redundantly wasteful in case of ICMP, as this protocol is solely used for connection checking and error message generation, and it has nothing to do with transfer of data. For this purpose of control message transfers we require not more than 64 Bytes (that to in the Linux). So this huge size is left only for the use of the Hackers!
Hence by bring upon the change in the size of ICMP packets DDoS attack via ICMP can be prevented.
If we bring the change in a protocol, then all the related services, which are actually implemented with the help of some programming, has to be updated.
Here we are pointing out at the traceroute (in Linux)/ tracert( in Windows) , ping , and all the protocols such as routing protocols, IP etc all need to implement these changes. Taking example of ping application on Unix/Linux platform, which was first developed by Mike Muuss, U. S. Army Ballistic Research Laboratory, in 1983.
We have tried to bring upon the desired changes in the same program. And this is working perfectly fine on Linux.
This change can be implemented in the new systems. But the real problems are the already implemented systems. Logically, such system becomes victim when if they are connected to internet. And we know that whenever we connect our system to internet our vendors send us the updates for the systems. So the new implementations of ICMP protocols can be sent via net to all the systems this way every system becomes updated with the new implementation of them.

6. Other vulnerabilities 1. The various ICMP messages having different code and type values can be used to get different kinds of information on the remote system. Information gathering is the first step that a hacker goes through in his attempt to detect any loopholes in the target system. Although sending ICMP messages will not tell you everything that you will need to know about the target system, but still they will give you quite a lot of information. The Echo request message is the ICMP message with a type value of 8 and a code value of 0, while the Echo reply message is the ICMP message with a type value of 0 and a code value of 0. We can use the ICMP Echo Request and Echo Reply messages to determine whether or not the target host is connected to the Internet (is alive) or not.
In order to determine whether the target host is alive or not, all we have to do is send an Echo Request message to the remote system and wait for an Echo reply message. * If the remote system replies with an Echo Reply message, then it means that it is alive and is connected to the Internet. * However, if we do not receive any reply from the remote system, then it probably means that the remote system is not connected to the Internet.
However, one note of caution, it is more than possibility that the target host to whom you send out the Echo request datagram might have a filtering device installed which discards all Echo Request ICMP messages, thus showing that the remote system is not connected to the Internet even though it might as well be connected. Some better firewalls even send out spoofed Echo Replies on encountering such echo requests, thus throwing the malicious intruders off the track. 2. The "traceroute" program also contains a client interface to ICMP. Like the "ping" program, it may be used by a user to verify an end-to-end Internet Path is operational, but also provides information on each of the Intermediate Systems (i.e. IP routers) to be found along the IP Path from the sender to the receiver. Traceroute uses ICMP echo messages. These are addressed to the target IP address. The sender manipulates the TTL (hop count) value at the IP layer to force each hop in turn to return an error message.
This can be avoided (in case of cyber crime) by TTL spoofing which can be achieved by deploying sniffers at the servers which can catch the packet and change the intended value of TTL. This is called as TTL spoofing. Alternatively, by using some programming TTL spoofers can also be made.
6. Case Study

Though the above solution is valid, but many servers have actually implemented many remedies on their servers. Taking the example of the ISPs like, Airtel Broadband Services and Reliance have restricted the packet size to 1472 bytes, beyond this we get an error message “request timed out”.
Not only this, many servers such as Google and Yahoo also implemented some filtering for large packets.
But on the other hand, while sitting with in the network, say a wireless LAN or wired LAN, a packet of 65536 can easily be sent which can destroy any system in that LAN. Almost all corporate companies and universities etc have a live IP, not only this within many of them has their own DHCP servers through which they use a combination of static and dynamic IPs, such networks are always in danger of DDoS attack (network level).
This shows that though there is awareness amongst the ISPs and few web service providers, but the general mass still stands as the potential victims of such attacks.

Bibliography: * RFC 792, Internet Message Transfer Protocol. * ICMP, ping, Wikipedia. * The story of Ping, http://ftp.arl.mil/~mike/ping.html?sess=4f8272bd1e5da03d1a16ba4a69452d93. * Article ID 217014, Microsoft support. * Research Paper by Ofir Arfin.