Results 1 to 2 of 2

Thread: ICMP (the rejected one)

  1. #1

    ICMP (the rejected one)

    Ok guys, this day is crawling to a halt so I figured I would load your brains with some more useful information. A protocol I wish to bring up is ICMP (Internet Control Message Protocol). This protocol is probably the most understated and annoying one that is out there. It is true that its sole purpose is to notify a client of connectivity issues. Of course, a security standard is to simply filter icmp all together with the outbound router but this isn't the best of solutions. You see, we all have seen the destination unreachable error right? Well in geek it is an icmp type 3 error and has a code right after it. We could use this code in order to find out weither it could be a problem with a host, service, dns, etc... This protocol is not reliable and can be a very good misleader in troubleshooting but it gives you a place to start. Another bad reason to simply filter all icmp packets is that we run into the issue with network congestion. Hosts will not quit trying to ping (icmp type 0/8) because it is not recieving a reply, if fact, it will probably keep trying because it wouldn't even reach a TTL timeout (which is also ICMP) assuming that the router before the final hop doesn't send the error for you. The best bet if you wish to be secure would be to manage and filter only icmp packets that relate specifically to unwanted traffic. Yes, even ping is ICMP (and it may seem cool to make it impossible to ping you, but many proggys use this function for TCP connections, remember the three way shake right?). Note: The coolest thing that I have ever done with ICMP is to route all unknown traffic from the outside to a virtual interface on the inside. This defied the idea of filtering because the router did not have to look up ipchains or access lists. Instead it simply forwarded the traffic as it normally would (to oblivion that is). This saved time both during peak hours and also did away with ICMP. The cool thing about all of this is that I was using a cisco router. With cisco you can create an established command on a static entry that will allow you to forward all traffic to the bit bucket but only allow outside connections to the real network after the connection was already made from the inside (not a permanent or useful solution....just fun) Below is a list of the different types of ICMP types and codes that are associated with it (thanks to iana).

    Type Name Reference
    ---- ------------------------- ---------
    0 Echo Reply

    3 Destination Unreachable

    0 Net Unreachable
    1 Host Unreachable
    2 Protocol Unreachable
    3 Port Unreachable
    4 Fragmentation Needed and Don't Fragment was Set
    5 Source Route Failed
    6 Destination Network Unknown
    7 Destination Host Unknown
    8 Source Host Isolated
    9 Communication with Destination Network is
    Administratively Prohibited
    10 Communication with Destination Host is
    Administratively Prohibited
    11 Destination Network Unreachable for Type of Service
    12 Destination Host Unreachable for Type of Service
    13 Communication Administratively Prohibited
    14 Host Precedence Violation
    15 Precedence cutoff in effect

    4 Source Quench
    0 No Code

    5 Redirect
    0 Redirect Datagram for the Network (or subnet)
    1 Redirect Datagram for the Host
    2 Redirect Datagram for the Type of Service and Network
    3 Redirect Datagram for the Type of Service and Host

    6 Alternate Host Address

    0 Alternate Address for Host

    7 Unassigned

    8 Echo

    9 Router Advertisement

    0 Normal router advertisement
    16 Does not route common traffic

    11 Time Exceeded

    0 Time to Live exceeded in Transit
    1 Fragment Reassembly Time Exceeded

    12 Parameter Problem
    0 Pointer indicates the error
    1 Missing a Required Option
    2 Bad Length

    13 Timestamp
    0 No Code

    14 Timestamp Reply
    0 No Code

    15 Information Request
    0 No Code

    16 Information Reply
    0 No Code

    17 Address Mask Request
    0 No Code

    18 Address Mask Reply

    0 No Code

    30 Traceroute

    31 Datagram Conversion Error
    32 Mobile Host Redirect

    35 Mobile Registration Request

    36 Mobile Registration Reply

    39 SKIP

    40 Photuris
    0 = Bad SPI
    1 = Authentication Failed
    2 = Decompression Failed
    3 = Decryption Failed
    4 = Need Authentication
    5 = Need Authorization



  2. #2
    Good info spider...thanx

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts