How to prevent ICMP-based network attacks

xiaoxiao, 2021-03-06


Many network attacks are based on the ICMP protocol. This article first introduces ICMP, then surveys common ICMP-based attacks, and finally analyzes how a firewall can prevent or mitigate the damage these attacks cause.

Author: Nathan Ashelman

ICMP (Internet Control Message Protocol) provides control services for the IP protocol: it lets a router or the destination host send feedback to the sender of a datagram whenever feedback is needed. ICMP is part of IP, and any device that implements IP is also required to implement ICMP.

Format of the ICMP protocol

As shown in Figure 1, the ICMP header follows the IP header and uses a type field and a code field to distinguish different control messages. So far, 27 different ICMP types have been defined; the ICMP code distinguishes subtypes within a type. Figure 2 lists the commonly used ICMP types. The ICMP data follows the ICMP header, and its length differs from one ICMP type to another. ICMP data usually contains part of the original packet, the error being reported, or data used for testing.

Figure 1: ICMP packet structure

IP header (20 bytes)
Type (1 byte) | Code (1 byte) | Checksum (2 bytes)
Content varies depending on type (variable number of bytes)

Figure 2: Common ICMP message types

Type  Description              Use
0     Echo Reply               Answers a type 8 message; returns the received data to the sender
3     Destination Unreachable  The packet cannot be forwarded any further
4     Source Quench            Tells the sender to reduce its transmission rate
5     Redirect                 Used to change the default route
8     Echo Request             Used by the ping command to test network connectivity
9     Router Announcement      Tells hosts about the routers on the local subnet
10    Router Solicitation      Asks routers to send a Router Announcement
11    TTL Exceeded             The packet cannot be forwarded because its TTL value has been exceeded
12    Parameter Problem        The packet is discarded because its IP header is incorrect
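As an added example, not code from the original article, the following Python parses the header layout of Figure 1 (type, code, checksum, data) and labels the type with the names of Figure 2, verifying the RFC 792 ones'-complement checksum. The Echo Request builder and its payload are constructed sample input.

```python
import struct

# Type names taken from Figure 2 of the article.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 9: "Router Announcement",
              10: "Router Solicitation", 11: "TTL Exceeded", 12: "Parameter Problem"}


def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum over 16-bit words (zero-padded if the length is odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(segment: bytes) -> dict:
    """Parse the ICMP message that follows the IP header: type, code, checksum, data."""
    if len(segment) < 4:
        raise ValueError("ICMP header needs at least 4 bytes")
    icmp_type, code, checksum = struct.unpack("!BBH", segment[:4])
    # Recompute the checksum over the whole message with the checksum field zeroed.
    expected = icmp_checksum(segment[:2] + b"\x00\x00" + segment[4:])
    return {
        "type": icmp_type,
        "name": ICMP_TYPES.get(icmp_type, "unknown"),
        "code": code,
        "checksum_ok": checksum == expected,
        "data_len": len(segment) - 4,        # everything after the 4-byte header
    }


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a type 8 Echo Request with a correct checksum (constructed sample packet)."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload
```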

Echo Request (type 8) is the ICMP type used by the ping command to test network connectivity. An ICMP Echo Request can carry up to 64K of data; after it is sent, the recipient returns an ICMP Echo Reply whose data is a copy of the data it received.

Common ICMP attacks

ICMP-based attacks fall into three categories, all of which are denial-of-service (DoS) attacks: bandwidth DoS attacks, which exhaust network bandwidth with useless data; host DoS attacks, which exploit vulnerabilities in the operating system; and connection DoS attacks, which terminate existing network connections. Pingflood, Pong, Echok, Flushot, Fraggle and Bloop are commonly used ICMP attack tools.

A bandwidth attack transmits a large number of ICMP Echo Reply packets at high speed, exhausting the bandwidth of the target network so that legitimate traffic is blocked. ICMP Echo Reply packets have a high priority, and in general a network always allows its internal hosts to use the ping command. This attack is limited to attacking network bandwidth, and a single attacker can launch it. Most forms of this attack, such as Smurf and Papa-Smurf, make every host in an entire subnet attack the target host, thereby amplifying the ICMP traffic. Appropriate routing filters can partially prevent such attacks; preventing them completely requires a stateful firewall.

"Ping of death" and related attacks exploit host operating system vulnerabilities directly. By sending a malformed ICMP Echo Request packet, the attacker can make the target system crash or reboot. Many systems, including Windows, UNIX, Macintosh, and even some routers and printers, are vulnerable to such attacks. If the version of the operating system in use is old, make sure it has been patched. Attacks of this kind include Pinger, Pingexploit, Jolt, Jolt2, Sping, SSPing, Icenewk and ICMPbug. A firewall that performs thorough packet integrity checking can prevent all attacks of this type.

Connection DoS attacks affect all IP devices because they use legitimate ICMP messages. Nuke terminates legitimate network connections by sending forged ICMP Destination Unreachable or Redirect messages. More malicious attacks, such as Puke and Smck, send a large number of packets to ports within a range, destroying many network connections while also consuming the host's CPU cycles. Some attacks use the ICMP Source Quench message to slow network traffic down or even stop it. Redirect and Router Announcement messages are used to force a host to use a router that does not exist, or to route its packets to the attacker's machine. Connection DoS attacks cannot be fixed by applying patches; the firewall prevents them by filtering the appropriate ICMP message types.

Choosing the right firewall

To prevent ICMP attacks effectively, the firewall should offer stateful inspection, thorough packet integrity checking, and fine-grained control of filter rules. A stateful inspection firewall tracks the state of each connection and dynamically allows the response to an outgoing packet into the network it protects. For example, a stateful inspection firewall can record an outgoing ping (ICMP Echo Request) and, for a fixed period of time afterwards, allow only the ICMP Echo Reply that the target host sends back to the originating IP; all other ICMP Echo Reply messages are blocked by the firewall.

By contrast, a packet-filtering firewall allows all ICMP Echo Reply messages into the network it protects. Many routers, and firewall systems based on Linux kernel 2.2 or earlier, are packet filters; users should avoid choosing these systems.

New attacks keep appearing, and a firewall that can only prevent known attacks is far from enough. By discarding malformed packets, a firewall can prevent both known and unknown DoS attacks; this requires the firewall to be able to perform packet consistency checks. Security policies for ICMP need to be detailed, so the firewall should allow filtering on ICMP type, code and packet size, and should be able to control the connection time and the rate at which ICMP packets are generated.

Configuring the firewall to prevent attacks

Once the right firewall has been selected, users should configure a reasonable security policy. The following is a widely accepted firewall security configuration convention that administrators can use to trade off system security against ease of use. The firewall should enforce a default-deny policy: apart from outbound ICMP Echo Request, outbound ICMP Source Quench, inbound ICMP TTL Exceeded and inbound ICMP Destination Unreachable, all ICMP messages should be blocked. Below is a detailed analysis of the filtering rules for each ICMP message type.

Echo Request and Echo Reply (types 8 and 0): Allow Echo Request outbound so that internal users can ping remote hosts. Blocking inbound Echo Request and outbound Echo Reply prevents outside hosts from scanning the internal network. If a monitor on an external network is used to monitor the internal network, only Echo Requests from that specific external IP should be allowed into the network. Limiting the size of ICMP Echo packets prevents "ping flood" attacks and also stops Trojans that use Echo Request and Reply to smuggle data through the firewall.

Destination Unreachable (type 3): Allow it inbound so that internal users can use traceroute. Note that some attackers can use it to mount a DoS attack on sessions; if you have experienced such an attack, you can block it as well. Block outbound ICMP Destination Unreachable messages, because they may leak the structure of the internal network. There is one exception: Destination Unreachable messages from internal hosts that external networks are allowed to reach (such as web servers located in the DMZ) should be allowed to pass. To support Path MTU Discovery, the "Packet Too Big" message (type 3, code 4) should be allowed to reach those hosts.

Source Quench (type 4): Block it inbound, because it can be used as a DoS attack that reduces the sender's transmission speed. Allow it outbound so that internal hosts can ask remote senders to slow down. Some firewalls ignore all Source Quench messages sent directly to the firewall's own ports, to prevent DoS attacks against the firewall itself.

Redirect, Router Announcement, Router Solicitation (types 5, 9 and 10): These messages are potentially dangerous because they can be used to redirect traffic to the attacker's machine. They should be blocked.

TTL Exceeded (type 11): Allow it inbound so that internal users can use traceroute.
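As an added illustration, not code from the original article or from any firewall product, this Python model encodes the configuration convention above as a single decision function, including the stateful matching of an inbound Echo Reply to an earlier outbound Echo Request and the Echo size limit. The monitor IP, DMZ host, size cap and reply window are assumed sample values, and "in" means a packet entering the protected network.

```python
import time
from dataclasses import dataclass, field

MAX_ECHO_DATA = 64             # assumed cap on ICMP data in Echo Request/Reply (bytes)
ECHO_REPLY_WINDOW = 5.0        # assumed seconds an outbound ping stays remembered
MONITOR_HOSTS = {"198.51.100.7"}   # assumed external monitor allowed to ping inside
DMZ_HOSTS = {"192.0.2.10"}         # assumed internal hosts reachable from outside


@dataclass
class IcmpPolicy:
    # pending pings: (internal source, external destination) -> time the request left
    pending: dict = field(default_factory=dict)

    def decide(self, direction, icmp_type, code, src, dst, data_len, now=None):
        """Return 'allow' or 'drop: <reason>' for one ICMP message."""
        now = time.time() if now is None else now
        if icmp_type in (8, 0) and data_len > MAX_ECHO_DATA:
            return "drop: oversized echo"            # ping floods, data smuggling
        if icmp_type == 8:                           # Echo Request
            if direction == "out":
                self.pending[(src, dst)] = now       # remember so the reply may return
                return "allow"
            return "allow" if src in MONITOR_HOSTS else "drop: inbound echo request"
        if icmp_type == 0 and direction == "in":     # Echo Reply: only if solicited
            sent = self.pending.get((dst, src))
            if sent is not None and now - sent <= ECHO_REPLY_WINDOW:
                del self.pending[(dst, src)]         # one reply per request
                return "allow"
            return "drop: unsolicited echo reply"
        if icmp_type == 3:                           # Destination Unreachable
            if direction == "in":
                return "allow"                       # traceroute, Path MTU Discovery
            # Outbound leaks internal structure, except from externally reachable
            # DMZ hosts (this also lets their code 4 "Packet Too Big" out).
            return "allow" if src in DMZ_HOSTS else "drop: outbound unreachable"
        if icmp_type == 4:                           # Source Quench
            return "allow" if direction == "out" else "drop: inbound source quench"
        if icmp_type == 11 and direction == "in":    # TTL Exceeded, for traceroute
            return "allow"
        return "drop: default deny"   # covers Redirect (5), types 9 and 10, and the rest
```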

Please cite the original source when reposting: https://www.9cbs.com/read-124906.html
