What Is ICMP? Understanding Network Protocols By WireX

ICMP: Network Protocol Explained

Internet Control Message Protocol (ICMP) is an important part of the Internet Protocol (IP) suite. It is a network layer protocol used to send error messages and provide information about network conditions. ICMP is used for various purposes, such as determining whether a host is reachable, determining the round-trip time for a packet, and testing whether a router is functioning properly.

It is also used by routers, switches, and other network devices to communicate with each other. The purpose of ICMP is to provide feedback about the status of the network. This feedback can help network administrators troubleshoot network problems and detect malicious activities.

In this article, we will discuss the fundamentals of ICMP and how it works in the context of the larger network protocol landscape. We will also take a deep dive into how WireX analyzes ICMP to detect and protect against cyber threats.

What Is ICMP

Internet Control Message Protocol (ICMP) is an integral part of the Internet Protocol (IP) suite. It is used to communicate network-level information between network devices. ICMP is a Layer 3 protocol, which means it operates at the network layer of the OSI model. It is responsible for relaying error messages and other information between hosts, routers, and other network devices.

ICMP is used to provide feedback about the health of the network and the ability of a device to reach another device on the network. ICMP messages are sent as a response to an IP packet, and contain information about the status of the connection. For example, if a router is unable to reach a destination, it will send an ICMP message to the source device in order to inform it of the issue. ICMP is also used to send ping messages, which are used to test the reachability of a device. When a ping message is sent, the destination device responds with an echo reply, which is used to confirm that the device is reachable. In addition, ICMP is used to send various other types of messages, such as router advertisement messages and timestamp messages.

Overall, ICMP is an essential part of the IP suite and is used to communicate network-level information between network devices. It is used to provide feedback about the health of the network, to test the reachability of a device, and to send various other types of messages.

What Is The Purpose Of ICMP?

The purpose of ICMP is to provide feedback about the status of a network connection between two nodes. It is a network layer protocol used by network devices, such as routers, to communicate with each other. ICMP is used to determine if a connection is available and to troubleshoot any issues that may arise.

ICMP is used to perform a number of functions, including:

  1. Error Reporting: ICMP can be used to report errors in a network connection, such as unreachable hosts, packet timeouts, and other communication problems.
  2. Network Diagnostics: ICMP is also used to diagnose network problems and to detect network congestion. It can be used to test network links and measure round-trip times.
  3. Network Maintenance: ICMP is also used for network maintenance, such as to notify a host that a router is down or that a link is congested.
  4. Path Discovery: ICMP can also be used to discover the path between two nodes in a network. This is done by sending out a series of ICMP echo requests and measuring the response time.

Overall, ICMP is an essential protocol for managing and troubleshooting network connections. It is used to report errors, diagnose network problems, and maintain network connections.

Benefits Of ICMP

The primary benefit of ICMP is its ability to provide feedback on the status of a transmission. When a packet is sent, ICMP can provide feedback on whether it was successfully delivered or if it was lost in transit. This feedback allows users to quickly identify and troubleshoot problems with their network connection.

ICMP can also provide information about the network’s congestion levels. This is important for optimizing network performance and ensuring that packets are sent in an efficient manner. By monitoring ICMP messages, network administrators can detect and address network congestion before it becomes a problem.

ICMP also provides a way for network administrators to test the reachability of a host on the network. This is done through the use of “ping” messages, which are sent to the host and then returned with a response. This allows the administrator to determine if the host is reachable and if there are any network issues that need to be addressed.

In summary, ICMP is a powerful and essential part of the Internet Protocol suite. It provides a number of benefits, including feedback on the status of a transmission, information about network congestion, reachability testing, and the ability to detect malicious activity. By leveraging ICMP, network administrators can ensure that their networks are secure and efficient.

Limitations Of ICMP

While ICMP offers many benefits, it also has limitations that must be taken into account when designing a network. One of the main limitations of ICMP is that it is not designed for reliable communication. ICMP messages are not guaranteed to reach their destination, and even if they do, they may not be received in the order they were sent.

Another limitation of ICMP is that it is not designed for security. ICMP messages are sent in plain text, which means they can be intercepted and read by anyone. This makes it vulnerable to man-in-the-middle attacks and other forms of malicious activity.

Finally, ICMP is not designed to carry large amounts of data: ICMP messages are limited to a maximum of 576 bytes.

While ICMP can be a useful tool for network management, it should not be used for applications that require reliable communication or for transferring large amounts of data.

How Does ICMP Work

ICMP works by sending messages from one host to another, which are then processed by the receiving host. These messages are typically sent to confirm that a connection is working correctly, or to identify any issues that may be present. The messages can be used to determine if a packet is being dropped, or if a router is not working correctly. ICMP messages are sent and received by both hosts and routers.

When a host sends an ICMP message, it includes a header that contains the type of message and the code that indicates the purpose of the message. The header also contains the source and destination addresses of the hosts and the checksum, which is used to verify the integrity of the message.

The body of the ICMP message contains the data that is being sent. This data can include information about the packet, such as its size, the time it was sent, and the type of service it requires. The data can also include information about the network, such as the route it should take and the type of service it requires.

When a host receives an ICMP message, it processes the header and data, and then sends a response back to the source. The response contains the same information as the request, but with a new code, which indicates the result of the request.
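To make the header layout above concrete, here is an added example (not code from the article or from WireX): it builds an Echo Request, derives the Echo Reply a host returns for it, builds the Time Exceeded error a router emits, and parses all three while verifying the checksum. The type, code and checksum live in the ICMP header itself; the source and destination addresses travel in the enclosing IP header, which error messages quote back in their body. All addresses, identifiers and payloads in it are constructed.

```python
"""Added example for this article (not WireX code): build and parse ICMPv4
messages to show the header fields the text describes: type, code, checksum,
and the type-specific body. Addresses and payloads below are constructed."""
import struct

# Message types from RFC 792
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words,
    complemented. Run it over a message whose checksum field is zero to
    compute the field, or over a complete message to verify it (0 == valid)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo Request/Reply: type(1) code(1) checksum(2) identifier(2) sequence(2)."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def make_echo_reply(request: bytes) -> bytes:
    """What a host does with an Echo Request: the same identifier, sequence
    and payload go back with the type changed to Echo Reply."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    return build_echo(ICMP_ECHO_REPLY, ident, seq, request[8:])


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header for a constructed sample (IP checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def build_time_exceeded(orig_ip_header: bytes, orig_l4: bytes) -> bytes:
    """Error message a router sends when a TTL expires: 4 unused bytes after
    the checksum, then the original IP header plus the first 8 bytes of the
    original datagram, so the sender can match the error to its own traffic."""
    body = orig_ip_header + orig_l4[:8]
    header = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, csum, 0) + body


def parse_icmp(packet: bytes) -> dict:
    """Decode the common header, verify the checksum, then the type-specific body."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code = packet[0], packet[1]
    info = {"type": msg_type, "code": code,
            "checksum_ok": icmp_checksum(packet) == 0}
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["id"], info["seq"] = struct.unpack("!HH", packet[4:8])
        info["payload"] = packet[8:]
    elif msg_type in (ICMP_DEST_UNREACHABLE, ICMP_TIME_EXCEEDED):
        inner = packet[8:]  # quoted original datagram
        if len(inner) < 20:
            raise ValueError("error message lacks the quoted IP header")
        ihl = (inner[0] & 0x0F) * 4
        info["orig_src"] = ".".join(str(b) for b in inner[12:16])
        info["orig_dst"] = ".".join(str(b) for b in inner[16:20])
        info["orig_proto"] = inner[9]
        info["orig_l4"] = inner[ihl:ihl + 8]
    return info


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    print(parse_icmp(req))
    print(parse_icmp(make_echo_reply(req)))
    # constructed UDP probe from 10.0.0.5 to 192.0.2.1 whose TTL ran out
    ip = build_ipv4_header("10.0.0.5", "192.0.2.1", 17, 36, 1)
    print(parse_icmp(build_time_exceeded(ip, b"\xc3\x50\x82\x9e\x00\x10\x00\x00")))
```

A receiver that recomputes the checksum over the whole message and does not get zero should discard it; the Time Exceeded parse also shows why error messages quote the original header, since that is the only way the sender can tell which of its datagrams the error refers to.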

Overall, ICMP is an important part of the Internet Protocol suite and is used to provide a variety of services. It is used to confirm connections, and to identify and troubleshoot network issues. ICMP is an integral part of the larger network protocol landscape and is used by both hosts and routers.

Security Concerns Of ICMP

While ICMP can be a powerful tool in the hands of a knowledgeable network administrator, it can also be used by malicious actors to gain access to a network or launch denial-of-service attacks.

ICMP is used by attackers to gain access to a network by sending ICMP echo requests to a network device. These requests can be used to determine whether a device is alive, or if it is responding to the request. If the device responds, the attacker can then use the response to gain information about the network.

In addition, attackers can use ICMP to launch denial-of-service (DoS) attacks. A DoS attack is an attack that overwhelms a device with requests, making it unable to respond and rendering it unusable. Attackers can send ICMP echo requests in rapid succession, flooding the target device with requests and preventing it from responding to legitimate requests.

Finally, attackers can use ICMP to gain information about a network. By sending ICMP echo requests, an attacker can determine the type of network devices present, the operating system running on the device, and the network topology. This information can then be used to launch more sophisticated attacks.

For these reasons, it is important to secure ICMP traffic. Network administrators should ensure that ICMP traffic is only allowed from trusted sources, and that ICMP responses are not sent in response to unauthorized requests. Additionally, administrators should be aware of the risks of ICMP and take steps to protect their networks from malicious actors.

Attack Examples using ICMP

ICMP is a network protocol primarily used for diagnostic purposes, such as pinging a network device to test its connectivity. Attacks specifically targeting ICMP are relatively rare, as it is not typically used for transferring data or executing commands. However, there are some attacks that abuse ICMP for malicious purposes, such as a type of denial-of-service (DoS) attack known as an “ICMP flood” or “ping flood”.

In January 2021, it was reported that the website of the Spanish Ministry of Defense had suffered a DDoS attack that disrupted the site’s availability for several hours. The attack was carried out using an ICMP flood, in which the attackers flooded the site with a large number of ICMP packets, overwhelming the server and causing it to crash.

The attackers responsible for the attack remain unknown, and it’s unclear what their motivation was for targeting the Spanish Ministry of Defense. However, the attack demonstrates the potential impact of ICMP flooding and the importance of protecting against DDoS attacks through the use of security measures such as firewalls and DDoS mitigation services.

It’s important to note that ICMP flooding is just one type of attack that can be carried out over ICMP, and that there are other ways in which ICMP can be used maliciously. As with any network protocol, it’s important to properly configure and secure ICMP to prevent abuse and ensure network availability.

How Does WireX Systems Provide Value By Analyzing ICMP?

WireX Systems Ne2ition NDR (Network Detection and Response) solutions can help with ICMP investigations by monitoring network traffic and analyzing it for signs of suspicious activity. Here are some ways in which NDR can be used to investigate ICMP attacks:

  1. Protocol analysis: Ne2ition NDR solutions can analyze ICMP traffic to identify anomalies and unusual patterns of behavior that may indicate an attack. For example, if a large number of ICMP packets are being sent to a particular device or if there is an unusual amount of ICMP traffic, this may indicate an attack.
  2. Anomaly detection: Ne2ition NDR solutions can use machine learning and other techniques to identify abnormal patterns of ICMP traffic that may indicate an attack. For example, if there is a sudden increase in ICMP traffic during a time when it is not normally high, this may indicate an attack.
  3. Endpoint detection: Ne2ition NDR solutions can monitor endpoints to detect unusual activity, such as the presence of unauthorized processes or files that are associated with ICMP activity. By correlating endpoint data with network traffic data, NDR can help identify the source of an attack and how it was carried out.
  4. Threat intelligence: Ne2ition NDR solutions can use threat intelligence feeds to identify known malicious IP addresses, domains, or other indicators of compromise that may be associated with ICMP attacks.

By using these techniques, WireX Systems Ne2ition NDR solutions can help organizations investigate ICMP attacks more quickly and effectively, allowing them to identify the source of an attack and take appropriate action to prevent further damage. However, it’s important to note that ICMP attacks are relatively rare and are typically just one part of a larger attack campaign.

WireX Systems Ne2ition NDR security solution analyzes ICMP to detect malicious activity, such as port scans, denial of service attacks, and other malicious activities. Ne2ition monitors all traffic of its customers and detects any malicious activity. This helps to ensure that the customer is aware of any potential threats and can take steps to mitigate them.

WireX Systems Ne2ition analyzes ICMP traffic, extracts and indexes dozens of different attributes, including the ones displayed below, to provide in-depth visibility and context for detection, response, forensics and hunting scenarios over ICMP:

  • Packet Time
  • Description
  • Stream packets
  • Stream size
  • Client Port
  • Server Port
  • Payload
  • Packet time
  • Packet micro seconds
  • Client port
  • Server port
  • Stream packets count
  • Stream packets count (diff)
  • Stream packet size
  • Stream packet size (diff)
  • Stream Pcap
  • Open pcap
  • Preview
  • Destination
  • Destination resolved Address
  • Source
  • Source resolved Address
  • Type
  • Type text
  • IPV6 version
  • ip.version raw
  • ipv6.tclass_tree
  • ipv6.tclass.dscp raw
  • ipv6.tclass.ecn raw
  • ipv6.flow
  • ipv6.plen
  • ipv6.nxt
  • ipv6.hlim
  • ipv6.src
  • ipv6.addr raw
  • ipv6.src_host raw
  • ipv6.host raw
  • ipv6.dst
  • ipv6.dst_host raw
  • ipv6.src_sa_mac raw
  • ipv6.sa_mac raw
  • ipv6.hopopts raw
  • icmpv6 raw

MITRE ATT&CK and ICMP

These attributes help WireX Systems map ICMP activity onto MITRE ATT&CK tactics and techniques:

  • T1043: Commonly Used Port: ICMP is a commonly used protocol that is allowed by many firewalls, making it an attractive target for attackers to use as a covert channel.
  • T1049: System Network Connections Discovery: Attackers can use ICMP to discover active hosts on a network, and to determine which hosts are currently online.
  • T1570: Lateral Tool Transfer: Attackers can use ICMP to transfer tools or other malicious payloads between compromised systems.
  • T1571: Non-Standard Port: Attackers can use ICMP to communicate over non-standard ports in order to bypass detection.

More specifically, ICMP attacks could be categorized under the following tactics and techniques:

  1. Command and Control: ICMP can be used as a covert channel to communicate with a compromised system, allowing attackers to send and receive commands.
  2. Discovery: Attackers can use ICMP to perform network reconnaissance and mapping, identifying potential targets and vulnerabilities.
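The behaviours described in the Security Concerns section (echo-request probing and ping floods), the protocol-analysis and anomaly-detection points in the Ne2ition list above, and the Command and Control and Discovery techniques just listed all reduce to patterns that can be checked in ICMP flow records. The following added example (my own code, not Ne2ition's or WireX's) runs three such detectors over a constructed set of records: a flood detector (many echo requests to one host in a short window), a sweep detector (one source touching many hosts), and a payload heuristic for echo bodies that are oversized and keep changing length, which is how data tunnelled in echo messages looks compared with a fixed-size ping. The record layout, addresses, timings and thresholds are all assumptions chosen for the example.

```python
"""Added example (not WireX/Ne2ition code): three ICMP detectors run over a
constructed set of flow records, showing the kind of protocol and anomaly
analysis the text describes. Thresholds are illustrative assumptions."""
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Record layout (constructed): (timestamp_s, src_ip, dst_ip, icmp_type, payload_len)


def constructed_sample():
    """Constructed traffic: routine monitoring pings, a ping flood against one
    host, a ping sweep across a /24, and a pair exchanging oversized,
    variable-size echo payloads."""
    recs = []
    for i in range(30):  # one monitoring ping per second, answered
        recs.append((100.0 + i, "10.0.0.5", "10.0.0.1", ECHO_REQUEST, 56))
        recs.append((100.0 + i + 0.01, "10.0.0.1", "10.0.0.5", ECHO_REPLY, 56))
    for i in range(200):  # 200 echo requests in half a second
        recs.append((110.0 + i * 0.0025, "198.51.100.7", "10.0.0.10", ECHO_REQUEST, 56))
    for i in range(1, 41):  # one echo request to each of 40 hosts in 2 s
        recs.append((120.0 + i * 0.05, "10.0.0.99", f"10.0.0.{i}", ECHO_REQUEST, 56))
    for i in range(6):  # echo payloads of 900..1400 bytes, sizes varying
        recs.append((130.0 + i * 2.0, "10.0.0.23", "203.0.113.9", ECHO_REQUEST, 900 + i * 100))
    return recs


def detect_floods(records, window=1.0, threshold=100):
    """Flag destinations receiving >= threshold echo requests in any window."""
    recent = defaultdict(deque)  # dst -> timestamps inside the sliding window
    alerts = set()
    for ts, src, dst, typ, plen in sorted(records):
        if typ != ECHO_REQUEST:
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(dst)
    return alerts


def detect_sweeps(records, window=5.0, threshold=20):
    """Flag sources probing >= threshold distinct destinations in any window."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) inside the window
    alerts = set()
    for ts, src, dst, typ, plen in sorted(records):
        if typ != ECHO_REQUEST:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            alerts.add(src)
    return alerts


def detect_payload_anomalies(records, max_len=64, min_distinct=5):
    """Flag src/dst pairs whose echo payloads exceed the usual ping size and
    keep changing length: a normal ping repeats a fixed, small payload."""
    sizes = defaultdict(set)
    for ts, src, dst, typ, plen in records:
        if typ in (ECHO_REQUEST, ECHO_REPLY):
            sizes[(src, dst)].add(plen)
    return {pair for pair, s in sizes.items()
            if max(s) > max_len and len(s) >= min_distinct}


def analyze(records):
    """Run all three detectors and return their findings by category."""
    return {"flood_targets": detect_floods(records),
            "sweep_sources": detect_sweeps(records),
            "suspect_payload_pairs": detect_payload_anomalies(records)}


if __name__ == "__main__":
    for name, hits in analyze(constructed_sample()).items():
        print(name, sorted(hits))
```

The routine one-ping-per-second monitor never trips any detector, which is the property to preserve when tuning the thresholds against real baseline traffic: the window sizes and counts here are starting points, not calibrated values.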

Conclusion

In conclusion, ICMP is an important part of the network protocol landscape. It is a powerful tool for network administrators, providing a range of benefits for troubleshooting and monitoring. Monitoring ICMP can be used to detect and protect against malicious activity, though it is important to be aware of the potential security risks it carries.
