Internet Control Message Protocol (ICMP)
The Internet Control Message Protocol (ICMP) is used by a machine to indicate success or failure when communicating with another machine.
- π Host unreachable
- π Port closed
- ...
For instance, if someone tries to send a message using TCP to a closed port, then the server may respond with an ICMP message saying that the port is closed.
ποΈ Port: N/A (encapsulated within IP packets)
πΊοΈ Used by: ping, traceroute...
Header
- 1 byte for "type"
- 1 byte for "code"
- 2 bytes for "checksum of the message"
- 4 bytes for "additional/specific information"
Each code is associated with a type. Here are some of them (code: type). See Control Messages (ICMP) on Wikipedia
-
0: echo reply -
3: destination unreachable -
5: redirect -
8: echo -
11: time exceeded
ICMP vulnerabilities
- Echo request and reply ICMP
π The attacker send an echo request to check if the host is up. The attacker may further attack even if there is no reply, while assuming that the host is up, but the reply help in confirming it. π₯ DoS with a flood of echo requests. β‘οΈ Limit ICMP requests to specific hosts/subnets, as disabling them may be problematic.
- ICMP unreachable
π Used in reconnaissance to gain information on the network (ex: open ports/services...). β‘οΈ Configure hosts to not respond, but it's not recommended.
- ICMP mask reply
π The attacker ask an host about its subnet mask, and may use it to map an internal network. β‘οΈ Configure hosts to not respond. Mostly disabled by default on modern devices.
- ICMP redirection
π Redirect traffic to a target host through a compromised device. π₯ MITM β‘οΈ Disable ICMP Redirect messages.
- ICMP router discovery
π Add false routing entries to the routing table, so that the host send traffic to the wrong destination. β‘οΈ Disable ICMP router messages. Mostly disabled by default on modern devices.