Network Operations and Control Wiki

Background. Prerequisites: Know: ICMP. Recognize: HTTP, SMTP, worm, RPC

Anticipates: Security management vs fault management




ICMP hazards 1

See also: ICMP hazards 2

ICMP may be blocked

ICMP and security holes

ICMP is not an application service like HTTP, SMTP, FTP or POP; it is the control and error-reporting protocol of the IP layer. Some ICMP message types are nevertheless necessary for network operators for administrative purposes (ping, traceroute and Path MTU Discovery all depend on it). Once ICMP is reachable in a network, however, attackers have found it a convenient tool for attacking the network's users.

Some of the important threats that ICMP attacks pose are:
  • ICMP packet magnification (Smurf): an Echo Request with the victim's spoofed source address is sent to a directed-broadcast address, so every host on that segment answers the victim
  • Ping of death: a fragmented Echo Request whose fragments reassemble to more than the 65535-byte IP maximum, crashing unprepared IP stacks
  • ICMP flood attack: a high volume of Echo Requests that exhausts the target's bandwidth or CPU
  • ICMP nuke attack
For more detail on these attacks, see reference (2).

Defenses against malicious attacks:

There are two basic ways to counteract these attacks:
  1. ICMP traffic can be blocked at the point of origin, by the administrator of the network where it is generated.
  2. ICMP traffic can be filtered at the point where the receiving network accepts traffic.

Commonly, ICMP traffic is filtered with a firewall. That firewall may be a hardware device such as a Cisco PIX or ASA, or a Cisco IOS router using access lists (3); it can also be host firewall software. However, blocking all ICMP traffic is not a good idea in many cases. Depending on the application and how the connection is used, blocking all ICMP can make connections appear to wait forever until they time out, or make programs fail outright (4). It also prevents ping and traceroute from completing, because ping depends on Echo Reply (type 0) and traceroute on Time Exceeded (type 11). Less visibly, it breaks Path MTU Discovery, which relies on Fragmentation Needed (type 3, code 4): large transfers over a path with a smaller MTU then stall silently. As an instance, on the Windows XP platform, blocking ICMP at the receiver can produce the error message "The RPC server is unavailable", a known problem caused by the blocked ICMP traffic (5).

In short, filtering ICMP entering the network raises its security level, but at the same time removes some important control tools for debugging and administration. A better rule than "block everything" is to permit the few message types that operations depend on (Echo Reply, Fragmentation Needed, Time Exceeded, and rate-limited Echo Request) and drop the rest, including Redirect (type 5), which an attacker on the local segment can use to rewrite a host's routing table.
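As an added example (not code from this wiki, nor from Cisco or any of the referenced vendors), the following Python script implements the "filter, don't block" policy described above and exercises it against the attack patterns listed earlier. It parses raw IPv4/ICMP packets, verifies the ICMP checksum, permits only an assumed allow-list of (type, code) pairs, and flags Smurf bait (an Echo Request aimed at a directed-broadcast address), ping-of-death fragments (reassembly beyond 65535 bytes) and an Echo Request flood. The sample packets, the 192.0.2.0/24 and 198.51.100.0/24 addressing, the broadcast list and the flood threshold are constructed assumptions for the example, not values from the page.

```python
"""ICMP policy filter with attack-pattern checks (added example, not from the wiki)."""
import struct
from collections import defaultdict

# Operationally useful (type, code) pairs (assumed allow-list): echo reply,
# fragmentation needed (Path MTU Discovery), TTL exceeded and reassembly
# timeout (traceroute), and echo request so hosts stay pingable.
ALLOWED = {(0, 0), (3, 4), (11, 0), (11, 1), (8, 0)}
MAX_DATAGRAM = 65535          # largest legal IPv4 datagram (RFC 791)
FLOOD_THRESHOLD = 50          # echo requests per source per second (assumed)
BROADCASTS = {"192.0.2.255"}  # directed-broadcast addresses of our nets (assumed)


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def checksum(data):
    """RFC 1071 one's-complement sum over the ICMP header + payload.
    Over a valid received message (checksum field included) it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_icmp(itype, code, payload=b"", ident=1, seq=1, good_checksum=True):
    hdr = struct.pack("!BBHHH", itype, code, 0, ident, seq)
    c = checksum(hdr + payload) if good_checksum else 0xDEAD  # 0xDEAD = deliberately wrong
    return struct.pack("!BBHHH", itype, code, c, ident, seq) + payload


def build_ipv4(src, dst, payload, frag_offset=0, more=False):
    """Minimal 20-byte IPv4 header, protocol 1 (ICMP); IP checksum left zero."""
    flags_frag = (0x2000 if more else 0) | (frag_offset & 0x1FFF)  # offset in 8-byte units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, 1, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload


def parse(pkt):
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto,
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


class IcmpFilter:
    def __init__(self):
        self.echo_counts = defaultdict(int)  # (src, whole second) -> echo requests seen

    def verdict(self, pkt, now=0.0):
        p = parse(pkt)
        if p["proto"] != 1:
            return "ALLOW"  # not ICMP; outside this filter's scope
        # Ping of death: a fragment whose data would reassemble past 65535 bytes.
        if 20 + p["offset"] + len(p["payload"]) > MAX_DATAGRAM:
            return "DROP:ping-of-death"
        if p["offset"] > 0:
            return "ALLOW"  # non-first fragment carries no ICMP header to inspect
        if len(p["payload"]) < 8 or checksum(p["payload"]) != 0:
            return "DROP:bad-checksum"
        itype, code = p["payload"][0], p["payload"][1]
        if (itype, code) not in ALLOWED:
            return "DROP:type-%d-code-%d" % (itype, code)
        if itype == 8:
            if p["dst"] in BROADCASTS:  # Smurf: echo request to a directed broadcast
                return "DROP:smurf"
            key = (p["src"], int(now))
            self.echo_counts[key] += 1
            if self.echo_counts[key] > FLOOD_THRESHOLD:
                return "DROP:flood"
        return "ALLOW"


SAMPLE = [  # constructed traffic for this example
    ("echo-reply", build_ipv4("198.51.100.7", "192.0.2.10", build_icmp(0, 0, b"x" * 32))),
    ("frag-needed", build_ipv4("198.51.100.1", "192.0.2.10", build_icmp(3, 4, b"\x00" * 28))),
    ("redirect", build_ipv4("198.51.100.1", "192.0.2.10", build_icmp(5, 1, b"\x00" * 28))),
    ("smurf", build_ipv4("203.0.113.9", "192.0.2.255", build_icmp(8, 0, b"A" * 56))),
    ("bad-csum", build_ipv4("203.0.113.9", "192.0.2.10",
                            build_icmp(8, 0, b"A" * 8, good_checksum=False))),
    ("pod-frag", build_ipv4("203.0.113.9", "192.0.2.10", b"B" * 40, frag_offset=8189)),
]


def run_samples():
    f = IcmpFilter()
    return {name: f.verdict(pkt) for name, pkt in SAMPLE}


def run_flood(n=60):
    """n echo requests from one source inside one second; returns the last verdict."""
    f = IcmpFilter()
    pkt = build_ipv4("203.0.113.9", "192.0.2.10", build_icmp(8, 0, b"A" * 8))
    return [f.verdict(pkt, now=0.5) for _ in range(n)][-1]


if __name__ == "__main__":
    for name, v in run_samples().items():
        print("%-12s %s" % (name, v))
    print("%-12s %s" % ("flood", run_flood()))
```

Run it directly to print one verdict per sample packet. On a Cisco IOS router the amplifier half of the Smurf problem is handled separately by `no ip directed-broadcast` on each interface (the default since IOS 12.0), and the allow-list above maps onto an extended access list with one `permit icmp` entry per type keyword (echo-reply, packet-too-big, time-exceeded, echo) followed by the implicit deny.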

References

(1) http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99
(2) http://www.techrepublic.com/article/prevent-hacker-probing-block-bad-icmp-messages/5087087
(3) http://www.techrepublic.com/blog/networking/filter-icmp-traffic-in-the-cisco-ios/515
(4) http://www.dslreports.com/forum/r16750439-Good-idea-to-block-incoming-ICMP-traffic-
(5) http://support.microsoft.com/kb/884564
