
Introduction. ICMP Position. ICMP Packets. Basic Functionality. Header Format. ICMP Functions. ICMP Message Classes. Types of Messages. ICMP Applications- Ping, Trace route. Issues. Conclusion.


ICMP is an “error reporting” protocol.
ICMP is part of the Internet protocol suite and is defined in RFC 792. It reports problems affecting the network as a whole back to the sender, but it does not correct the individual packet problems it reports.

ICMP is a complementary protocol to IP that resides on the network layer. ICMP is a communication protocol between the IP protocol implementations on two connected systems. It provides feedback to the sender on problems as well as on internet settings such as subnet masks.

ICMP packets are sent in IP datagrams. Two levels of encapsulation occur when an ICMP message is transmitted across a physical network:

ICMP message: ICMP Header  | ICMP Data Area
IP datagram:  IP Header    | IP Data Area (carries the ICMP message)
Frame:        Frame Header | Frame Data Area (carries the IP datagram)

Figure: Host A sends an IP datagram toward Host B. Router R3 encounters a problem with the datagram and returns an ICMP message to Host A.

ICMP has a fixed header of 4 bytes:

- Type: type of message
- Code: subtype of message
- Checksum: 1's complement computed over the entire ICMP message, with the checksum field set to zero during the computation

Announce Network Errors :
A kind of failure causes a host or the entire network to be unreachable.

Announce Network Congestion :
The router has too many packets buffered and cannot forward them as fast as they arrive, which causes network congestion.

Assist Troubleshooting :
ICMP supports an Echo function which sends a packet on a round trip between two hosts.

Announce Time outs: If an IP packet’s TTL field drops to zero the router discards that packet and generates ICMP indicating this fact.

Error Messages: These messages are used to provide feedback to a source device about an error that has occurred. They are usually generated specifically in response to some sort of action, usually the transmission of a datagram. Errors are usually related to the structure or content of a datagram, or to problem situations on the internetwork encountered during datagram routing.

Informational (or Query) Messages: These are messages that are used to let devices exchange information, implement certain IP-related features, and perform testing. They do not indicate errors and are typically not sent in response to a regular datagram transmission. They are generated either when directed by an application, or on a regular basis to provide information to other devices. An informational ICMP message may also be sent in reply to another informational ICMP message, since they often occur in request/reply or solicitation/advertisement functional pairs.

ICMP Message Types

Type  Description
0     Echo Reply (Ping Reply, used with Type 8, Ping Request)
3     Destination Unreachable
4     Source Quench
5     Redirect
8     Echo Request (Ping Request, used with Type 0, Ping Reply)
9     Router Advertisement (used with Type 10)
10    Router Solicitation (used with Type 9)
11    Time Exceeded
12    Parameter Problem
13    Timestamp Request (used with Type 14)
14    Timestamp Reply (used with Type 13)
15    Information Request (obsolete) (used with Type 16)
16    Information Reply (obsolete) (used with Type 15)
17    Address Mask Request (used with Type 18)
18    Address Mask Reply (used with Type 17)

Message Types (contd.)
The DESTINATION UNREACHABLE message is used when the subnet or a router cannot locate the destination.

The TIME EXCEEDED message is sent when a packet is dropped because its counter has reached zero. This event is a symptom that packets are looping, that there is enormous congestion, or that the timer values are being set too low.
The PARAMETER PROBLEM message indicates that an illegal value has been detected in a header field. This problem indicates a bug in the sending host's IP software or possibly in the software of a router transited. The SOURCE QUENCH message was formerly used to throttle hosts that were sending too many packets. When a host received this message, it was expected to slow down. It is rarely used any more when congestion occurs.


If a router finds that a network is congested, it sends an ICMP Source Quench message to the source. On receiving this message, the source sets its window size to the minimum.

Message Types (contd.)
The REDIRECT message is used when a router notices that a packet appears to have been misrouted; the router uses it to tell the sending host about the probable error. The ECHO and ECHO REPLY messages are used to see if a given destination is reachable and alive. Upon receiving the ECHO message, the destination is expected to send an ECHO REPLY message back. The TIMESTAMP REQUEST and TIMESTAMP REPLY messages are similar, except that the arrival time of the request and the departure time of the reply are recorded in the reply. This facility is used to measure network performance.


Destination Unreachable Codes

Code  Definition
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
4     Fragmentation needed & Don't Fragment was set
5     Source Route failed
6     Destination Network Unknown
7     Destination Host Unknown
8     Source Host Isolated
9     Communication with Destination Network is Administratively Prohibited
10    Communication with Destination Host is Administratively Prohibited
11    Destination Network Unreachable for Type of Service
12    Destination Host Unreachable for Type of Service
13    Communication Administratively Prohibited
14    Host Precedence Violation
15    Precedence Cutoff Violation

Redirect Codes

Code  Definition
0     Redirect Datagram for the Network (or subnet)
1     Redirect Datagram for the Host
2     Redirect Datagram for the Type of Service & Network
3     Redirect Datagram for the Type of Service & Host


Time Exceeded Codes

Code  Definition
0     Time to Live Exceeded in Transit
1     Fragment Reassembly Time Exceeded

Parameter Problem Codes

Code  Definition
0     Pointer Indicates the Error
1     Missing a Required Option
2     Bad Length
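An added example (not from the original slides) that puts the 4-byte header and the type/code tables above to work: it computes the RFC 792 one's complement checksum, assembles an Echo Request, and parses a message back into a named type and code, verifying the checksum on the way. Everything is built in memory and nothing is sent; the name tables are a subset copied from the slides.

```python
import struct

# Type and code names taken from the tables above (subset the parser reports).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
              12: "Parameter Problem", 13: "Timestamp Request", 14: "Timestamp Reply"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
                     3: "Port Unreachable", 4: "Fragmentation needed & Don't Fragment was set",
                     13: "Communication Administratively Prohibited"}
TIME_EXCEEDED_CODES = {0: "Time to Live Exceeded in Transit",
                       1: "Fragment Reassembly Time Exceeded"}

def icmp_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum over the whole message,
    computed with the checksum field holding zero (RFC 792)."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message to 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(mtype: int, code: int, body: bytes) -> bytes:
    """Assemble type, code and body with a correct checksum. Nothing is transmitted."""
    header = struct.pack("!BBH", mtype, code, 0)   # checksum field zeroed while computing
    csum = icmp_checksum(header + body)
    return struct.pack("!BBH", mtype, code, csum) + body

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8, code 0: identifier and sequence number precede the echoed data."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq) + payload)

def parse_icmp(msg: bytes) -> dict:
    """Decode the 4-byte fixed header, verify the checksum and name the type and code."""
    if len(msg) < 4:
        raise ValueError("ICMP message shorter than the 4-byte fixed header")
    mtype, code, csum = struct.unpack("!BBH", msg[:4])
    # Recomputing with the checksum field zeroed must reproduce the transmitted value.
    info = {"type": mtype, "code": code,
            "checksum_ok": icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) == csum,
            "type_name": ICMP_TYPES.get(mtype, "Unknown/other")}
    if mtype == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "other Destination Unreachable code")
        # Error messages carry the offending datagram's IP header plus its first 8 bytes
        # after 4 bytes of message-specific fields; that is how the sender matches the error.
        info["embedded_ip_header"] = msg[8:28]
    elif mtype == 11:
        info["code_name"] = TIME_EXCEEDED_CODES.get(code, "other Time Exceeded code")
    return info
```

A valid message sums to 0xFFFF including its checksum field, so icmp_checksum() over the complete message returns 0 when it is intact.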

The two important applications based on ICMP are:

- PING
- Traceroute


- A program for checking if a host is alive
- Exists in most operating systems
- Sends an ICMP message of type Echo Request
- The receiver answers with an ICMP message of type Echo Reply
- Format: ping <ip address>

What Ping can tell you:

- If packets have been dropped, duplicated or reordered.
- Detects some forms of damaged packet.
- Round Trip Time (RTT): how long each packet exchange took.
- Other ICMP messages.

What Ping cannot tell you:

- Ping cannot provide reasons why packets go unanswered.
- Ping cannot tell why a packet was damaged, duplicated or delayed.
- Ping cannot give you a blow-by-blow description of every host that handled the packet and everything that happened at every step of the way.


The PING utility is actually an ICMP Echo process. An ICMP Echo Request packet consists of an Ethernet header, IP header, ICMP header, and some arbitrary data. This packet is sent to the target host, which echoes back that data, as shown in Figure 4-1. The ICMP echo request is a connectionless process with no guarantee of delivery.

Traceroute measures the number of hops required to reach a destination. It sends an IP packet with the Time To Live (TTL) set to 1. When a router decrements the TTL to zero, it discards the packet and sends an ICMP packet (Time Exceeded) back to the source to inform it of the problem. The sender repeats this with increasing TTL values, so each reply reveals one more router along the path.

Maximum Transmission Unit (MTU)

When a router receives a datagram that is larger than the MTU of the network over which it is to be sent, the router divides the datagram into smaller pieces called fragments.

Figure: an IP datagram divided into three fragments. Each fragment carries some data from the original datagram and has an IP header similar to the original datagram.

Another application of ICMP is to determine the MTU along a path. Sending packets with the “do not fragment” flag set causes a node to send an ICMP message back to the source when a packet would need to be fragmented. This ICMP message includes the maximum packet size allowed at that point, so IP can adjust to sending packets that won't be fragmented along the way.
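An added simulation, not part of the original slides, of the two procedures described above: a model path of routers answers probes the way the text says (Time Exceeded when TTL reaches zero, Destination Unreachable code 4 carrying the link MTU when DF is set), and traceroute() and discover_path_mtu() drive it. The addresses, MTUs and the use of an ICMP Echo as the probe are constructed assumptions, not a real topology.

```python
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 0, 3, 11
CODE_FRAG_NEEDED, CODE_TTL_EXCEEDED = 4, 0

class Hop:
    """A router (or, as the last element of a path, the destination host) and the
    MTU of the link it forwards onto. Constructed model, not a real topology."""
    def __init__(self, addr, next_mtu=1500):
        self.addr, self.next_mtu = addr, next_mtu

def forward(path, ttl, size, dont_fragment):
    """Walk one probe along the path and return (answering addr, ICMP type, code, MTU hint).
    A router that decrements TTL to zero discards the packet and answers Time Exceeded; with
    DF set, a router whose next link is too small answers Destination Unreachable code 4 and
    reports that link's MTU; the destination host answers Echo Reply."""
    if not path:
        raise ValueError("empty path")
    for i, hop in enumerate(path):
        ttl -= 1
        if i == len(path) - 1:
            return hop.addr, ICMP_ECHO_REPLY, 0, None
        if ttl == 0:
            return hop.addr, ICMP_TIME_EXCEEDED, CODE_TTL_EXCEEDED, None
        if dont_fragment and size > hop.next_mtu:
            return hop.addr, ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, hop.next_mtu

def traceroute(path, max_hops=30):
    """Probe with TTL 1, 2, 3, ... recording who answered; stop at the Echo Reply."""
    hops = []
    for ttl in range(1, max_hops + 1):
        addr, mtype, _code, _mtu = forward(path, ttl, 64, dont_fragment=False)
        hops.append((ttl, addr, mtype))
        if mtype == ICMP_ECHO_REPLY:
            break
    return hops

def discover_path_mtu(path, start_size=1500, ttl=64):
    """Path MTU discovery: send with DF set; on 'fragmentation needed' shrink to the
    reported MTU and retry until the destination replies. Returns (mtu, attempts)."""
    size, attempts = start_size, []
    while True:
        addr, mtype, code, mtu = forward(path, ttl, size, dont_fragment=True)
        attempts.append((size, addr, mtype, code))
        if mtype == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED and mtu < size:
            size = mtu      # the ICMP message carried the largest size that fits here
            continue
        return size, attempts

# Constructed sample path: three routers then the host; links of 1500, 1400 and 1280 bytes.
SAMPLE_PATH = [Hop("10.0.0.1"), Hop("10.0.1.1", 1400), Hop("10.0.2.1", 1280), Hop("192.0.2.10")]
```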


ICMP redirect messages can be used to trick routers and hosts acting as routers into using “false” routes; these false routes would aid in directing traffic to an attacker's system instead of a legitimate trusted system.

This could in turn lead to an attacker gaining access to systems that normally would not permit connections to the attacker's system or network.
Older versions of UNIX could drop all connections between two hosts even if only one connection was experiencing network problems.

Smurf DoS Attack

Figure: (1) the DoS source sends an ICMP Echo Request with source address = DoS target and destination = broadcast address; (3) every host on that network sends an ICMP Echo Reply whose destination is the DoS target.

- Send a ping request to the broadcast address (ICMP Echo Req)
- Lots of responses:
  - Every host on the target network generates a ping reply (ICMP Echo Reply) to the victim
  - The ping reply stream can overload the victim

- Disable IP-directed broadcasts at your leaf routers, to deny IP broadcast traffic onto your network from other networks (in particular from the Internet).
- A forged source is required for the attack to succeed. Routers must filter outgoing packets that contain source addresses not belonging to local subnetworks.
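An added example (not from the original slides) of checking the two countermeasures above against ICMP traffic seen at a leaf router: it flags Echo Requests aimed at the subnet's directed-broadcast address, counts reply amplification from local hosts toward one outside address, and lists outbound packets whose source is not local (what the egress filter should drop). The subnet and the packet records are constructed sample data.

```python
import ipaddress
from collections import Counter

ECHO_REQUEST, ECHO_REPLY = 8, 0
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # the leaf router's own subnet (constructed)

# Constructed sample of ICMP packets seen at the leaf router: (src, dst, icmp type).
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.255", ECHO_REQUEST),  # request to the directed broadcast, forged source
    ("192.0.2.10", "198.51.100.7", ECHO_REPLY),     # every local host answers the victim ...
    ("192.0.2.11", "198.51.100.7", ECHO_REPLY),
    ("192.0.2.12", "198.51.100.7", ECHO_REPLY),
    ("192.0.2.13", "198.51.100.7", ECHO_REPLY),
    ("192.0.2.20", "203.0.113.5", ECHO_REQUEST),    # an ordinary outbound ping from a local host
    ("203.0.113.5", "192.0.2.20", ECHO_REPLY),
    ("203.0.113.9", "198.51.100.7", ECHO_REPLY),    # outbound packet whose source is not ours
]

def directed_broadcast_requests(packets, local_net):
    """Echo Requests addressed to the subnet's broadcast address: the amplifier trigger
    that disabling IP-directed broadcasts at the leaf router drops."""
    bcast = local_net.broadcast_address
    return [p for p in packets
            if p[2] == ECHO_REQUEST and ipaddress.ip_address(p[1]) == bcast]

def reply_amplification(packets, local_net, threshold=3):
    """Echo Replies from local hosts counted per outside destination; many replies
    converging on one address is the amplified stream hitting the victim."""
    replies = Counter(dst for src, dst, t in packets
                      if t == ECHO_REPLY and ipaddress.ip_address(src) in local_net)
    return {dst: n for dst, n in replies.items() if n >= threshold}

def egress_filter_violations(packets, local_net):
    """Packets leaving the subnet whose source is not a local address. Dropping these at
    the edge denies the forged source that the attack depends on (the second mitigation)."""
    return [p for p in packets
            if ipaddress.ip_address(p[1]) not in local_net
            and ipaddress.ip_address(p[0]) not in local_net]
```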

ICMP is an error reporting and network management system. ICMP provides vital feedback about IP routing and delivery problems. Although ICMP messages fall within various well-documented types and behave as a separate protocol at the TCP/IP Network layer, ICMP is really part and parcel of IP itself, and its support is required in any standards-compliant IP implementation.

1. Where is ICMP placed in the OSI model?
   Next to IP in the network layer

2. Can ICMP report errors in ICMP messages itself?
   No.

3. What are the two most important applications of ICMP?
   PING and Traceroute

4. What are the two message classes in ICMP?
   Error messages and Information messages

Thank You