Background: Know: ICMP Recognize: Prerequisites - HTTP, SMTP, worm, RPC
Anticipates: Security management vs fault management
ICMP hazards 1
See also: ICMP hazards 2
ICMP may be blocked
ICMP and security holes
ICMP is not a core service of a network in the way that HTTP, SMTP, FTP or POP are. Some ICMP message types are nonetheless necessary to network operators for administrative purposes. Once network operators deployed ICMP, however, hackers unfortunately discovered it as a convenient network tool for attacking the network's users. Well-known ICMP-based attacks include:
- ICMP packet magnification (or ICMP Smurf)
- Ping of death
- ICMP flood attack
- ICMP nuke attack
Defenses against malicious attacks:
There are two basic ways to counteract these types of attacks:

1. ICMP traffic can be blocked at the point of origin, on the network that the operators run. This should be done by the administrator of that network.
2. ICMP traffic can be filtered out at the point where the network traffic is received.

Commonly, ICMP traffic is filtered with a firewall. That firewall could be a hardware device such as a Cisco PIX, an ASA, or a Cisco IOS router (3); ICMP can also be filtered by firewall software. However, blocking ICMP traffic is really not a good idea in some cases. Blocking all ICMP traffic will cause communication problems, depending on the application and on how the connection is used: connections can appear to wait forever for things to time out, or programs may even crash. It will also prevent you from completing pings and traceroutes (4). As an example, if you are on the Windows XP platform and you block ICMP traffic at the receiving end, you might get the error message "The RPC server is unavailable", a bug caused by the prevention of ICMP traffic (5).

As explained above, by preventing ICMP traffic into the network we can increase the network's level of security, but at the same time we are effectively removing some important control tools for debugging and administrative purposes.
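The middle ground the text describes, as an added example that is not part of the original page: a small ICMP header parser with RFC 792 checksum validation, and the two inbound policies side by side, the blunt "block all ICMP" rule and a selective one that keeps Echo Reply, Time Exceeded and Destination Unreachable (including Fragmentation Needed for path MTU discovery) while rate-limiting Echo Requests instead of dropping them. The sample messages are constructed, and the policy functions and their verdict strings are assumptions for illustration, not any firewall's real syntax.

```python
import struct
# RFC 792 type numbers the policy below reasons about.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # Destination Unreachable code 4 (path MTU discovery)

def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, as RFC 792 specifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build a well-formed ICMP message with a correct checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + payload

def parse_icmp(message: bytes) -> tuple:
    """Return (type, code); reject truncated or corrupted messages."""
    if len(message) < 4:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(message) != 0:  # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    return struct.unpack("!BB", message[:2])

def block_all_policy(icmp_type: int, code: int) -> str:
    """The blunt policy the text warns about: drop every ICMP message."""
    return "drop"
def selective_policy(icmp_type: int, code: int) -> str:
    """Keep the administratively useful types; rate-limit pings; drop the rest."""
    if icmp_type in (ECHO_REPLY, TIME_EXCEEDED):
        return "accept"      # replies to our pings; traceroute's hop answers
    if icmp_type == DEST_UNREACH:
        return "accept"      # includes code 4 fragmentation-needed (PMTUD)
    if icmp_type == ECHO_REQUEST:
        return "rate-limit"  # still answer pings, but cap the rate
    return "drop"            # redirects, timestamps and everything else

# Constructed sample messages (not captured traffic).
SAMPLES = {
    "echo_reply": build_icmp(ECHO_REPLY, 0, b"\x00\x01\x00\x01"),
    "frag_needed": build_icmp(DEST_UNREACH, FRAG_NEEDED),
    "time_exceeded": build_icmp(TIME_EXCEEDED, 0),
    "echo_request": build_icmp(ECHO_REQUEST, 0),
    "redirect": build_icmp(5, 1),
}
def evaluate(policy) -> dict:
    """Apply a policy to every sample; returns {name: verdict}."""
    return {name: policy(*parse_icmp(raw)) for name, raw in SAMPLES.items()}
```

Running `evaluate(block_all_policy)` drops every sample, including the replies ping and traceroute need, while `evaluate(selective_policy)` keeps them and only rate-limits inbound Echo Requests.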
References
(1) http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99
(2) http://www.techrepublic.com/article/prevent-hacker-probing-block-bad-icmp-messages/5087087
(3) http://www.techrepublic.com/blog/networking/filter-icmp-traffic-in-the-cisco-ios/515
(4) http://www.dslreports.com/forum/r16750439-Good-idea-to-block-incoming-ICMP-traffic-
(5) http://support.microsoft.com/kb/884564