ICMP Category Description
This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent icmp based network traffic. ICMP or Internet Control Message Protocol is a protocol used by networked devices to send diagnostic messages to one another. These devices include network routers, switches, pc's, workstations, servers (mail, web, file, printer), and networked printers, among others. The protocol has legitimate uses, for example, to determine server uptime and responsiveness by monitoring tools and distibuted network authentication services. However, this protocol can be abused to perform Denial of Service (DoS) attacks, distributed denial of service attacks, or to scan a network to gather information for later attack and compromise.
ICMP messages are sent as datagrams reporting an identified connectivity issue and the faulty communication instance involved. The information reported may help troubleshoot or fix the issue. Standard examples of ICMP datagrams include the Time Exceeded error message that a gateway sends back to the source host when a packet takes too long to reach its destination, the Destination Unreachable error message that is sent back when the destination host is not active or too far away, or the Parameter Problem message that is sent back when a gateway or host as trouble processing the header on a datagram. Another common ICMP message is the Echo Request and Echo Response messages that computers send when they ping each other.
ICMP messages require an immediate response by the host receiving the message, making them an attractive tool for hackers who want to tie up networked computers, especially servers that handle a large number of connections. An ICMP message includes a four-tuple, or set of four numbers, directing the computer to the specific connection where the problem occurred. If the four-tuple included in the message matches a connection that the computer has made, depending on the implementation, it will either abort that connection or attempt to fix it by sending the same packet over and over again on that connection. This means that if an attacker can guess an appropriate four-tuple, they can perform a variety of attacks on networked computers. Some attacks do not even require this level of sophistication.
Some common ICMP attacks include:
Because most ICMP attacks are not crippling, the majority of the SonicWALL ICMP signatures are categorized as low priority threats. While icmp traffic may have legitimate uses, it can be misused to collect sensitive information, substantially slow down network traffic and make servers less responsive to requests.
- The "Ping of Death": Packets sent using the standard Internet Protocol Suite have a maximum size of 65536 octets of data. By using an oversized ICMP Echo Request datagram an attacker can cause a system to crash or become unstable simply by pinging it. This usually results in a denial of service for systems trying to connect to that computer. Most operating systems vulnerable to this attack have had patches available, and most new versions of operating systems have not been released with the vulnerability.
- "Hard" Attacks: When a host receives an ICMP error message, it has a choice of attempting to fix the connection or dropping it altogether. Attackers can forge "hard" error messages to trick a computer into dropping connections that have not experienced any errors, as long as they can guess the four-tuple of the targeted connection. "Hard" error messages include the Protocol Unreachable, Port Unreachable, and Destination Unreachable messages. This results in a of denial of service where a client's connections to a server, for example, are terminated prematurely. Most implementation are not configured to be vulnerable to this attack.
- "Source Quench" Attacks: Gateways that are receiving traffic faster than they can process it can return a Source Quench error requesting that the source host decrease the rate at which it is sending packets. Attackers who forge Source Quench messages can cause a computer to slow the rate at which it sends packets on particular connections resulting in dramatically slower performance, and a greater chance that packets will time out before reaching their destination. Attackers launching a Source Quench attack against a server can substantially decrease that server's capacity to handle connections.
- "Packet Too Big" Attacks: If a packet sent by a host is too big for a gateway to process and route and cannot be fragmented into smaller pieces, it returns a Packet Too Big (or "fragmentation needed and DF bit set" error) telling the source host how small a packet must be to be routed correctly. Certain computers react to this message by adjusting the information they send by sending smaller packets. Attackers forging a Packet Too Big error can tell the source host that the maximum size that a gateway can handle is very small, causing the computer to send more packets per unit of information and reducing throughput. This attack, like the Source Quench attack decreases a server's capacity to handle requests.