Tuesday, July 17, 2007

Why is ICMP considered dangerous?

Reply 1)

ICMP is the protocol used by the ping command. Why is it considered dangerous, and why is it recommended that network administrators ban it?

Reply 2)

ICMP Overview –
The Internet Control Message Protocol was originally created to allow the reporting of a small set of error conditions. However, it is used to implement a wide range of error-reporting, feedback and testing capabilities. It is a companion protocol added to IP to overcome IP's shortcomings, namely that it is connectionless, unreliable and unacknowledged. ICMP provides support to IP that allows different types of communication to occur between IP devices. These messages use a common general format and are encapsulated in IP datagrams for transmission. The key concept is that in TCP/IP, diagnostic, test and error-reporting functions at the internetwork layer are performed by ICMP. The original version, now called ICMPv4, is used with IPv4, and the newer ICMPv6 is used with IPv6. I found a table but have no idea what it says; can anyone explain it to me? I will research this a bit more.

Table 31-1:
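As an added example (not part of the original thread), here is a small Python script that shows the "common general format" the reply describes: every ICMPv4 message starts with a type, a code and a 16-bit checksum, followed by type-specific fields, and the whole thing rides inside an IP datagram. It builds an echo request (what ping sends), a "fragmentation needed" error (type 3, code 4) and decodes both, verifying the RFC 1071 checksum. The type and code names are from RFC 792 and RFC 1191; the identifier, sequence number and payload values are made up for the demonstration.

```python
import struct

# ICMPv4 message types from RFC 792 / RFC 1122 (the kind of table Reply 2 mentions)
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    5: "redirect",
    8: "echo request",
    11: "time exceeded",
    13: "timestamp request",
    14: "timestamp reply",
    17: "address mask request",
    18: "address mask reply",
}

DEST_UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement of the ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Type 8 / code 0. Same 4-byte header as every ICMP message; the 'rest of header'
    carries the identifier and sequence number that ping uses to match replies."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence)   # checksum zeroed
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, checksum, identifier, sequence) + payload


def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Type 3 / code 4: what a router sends back when DF is set and the packet is too big.
    'quoted' is the offending IP header plus the first 8 bytes of its payload."""
    header = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    checksum = icmp_checksum(header + quoted)
    return struct.pack("!BBHHH", 3, 4, checksum, 0, next_hop_mtu) + quoted


def parse_icmp(message: bytes) -> dict:
    """Decode the common header and the type-specific fields of an ICMPv4 message."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte minimum")
    msg_type, code, checksum = struct.unpack("!BBH", message[:4])
    info = {
        "type": msg_type,
        "code": code,
        "name": ICMP_TYPES.get(msg_type, "unassigned/other"),
        # re-summing a message that already carries its checksum yields 0 when it is intact
        "checksum_ok": icmp_checksum(message) == 0,
    }
    if msg_type in (0, 8):
        info["identifier"], info["sequence"] = struct.unpack("!HH", message[4:8])
        info["payload"] = message[8:]
    elif msg_type == 3:
        info["code_name"] = DEST_UNREACH_CODES.get(code, "other")
        if code == 4:
            # RFC 1191: next-hop MTU sits in the low 16 bits of the 'unused' word
            info["next_hop_mtu"] = struct.unpack("!H", message[6:8])[0]
        info["quoted_datagram"] = message[8:]
    elif msg_type == 11:
        info["quoted_datagram"] = message[8:]
    return info


if __name__ == "__main__":
    # constructed sample: an echo request, then the same bytes with one payload byte flipped
    req = build_echo_request(0x1234, 1, b"abcdefgh")
    print(parse_icmp(req))
    corrupted = req[:9] + bytes([req[9] ^ 0xFF]) + req[10:]
    print("corrupted checksum ok:", parse_icmp(corrupted)["checksum_ok"])
    print(parse_icmp(build_frag_needed(1400, b"\x45" * 28)))
```

The checksum covers the entire ICMP message, which is why a single flipped payload byte is detected; it is an integrity check against accidental corruption only, not authentication, which is the point Reply 7 makes under its item 3.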

Reply 3)

It’s dangerous because of the so-called “ping of death”, which means thousands of pings sent simultaneously, maybe because of a virus, that can affect the target.

Reply 4)

Yes, the primary reason to block ICMP is to avoid any sort of compromise of the network's security. Leaving ICMP unblocked makes it very easy for a hacker to intrude into the environment. Secondly, network traffic also increases, as an ICMP echo is sent to each host on the network in order to identify the open port.

If one does not want to block ICMP, then NAT (Network Address Translation) might be used, which allows only specific IP addresses to connect to the target machine. For instance, if Group Policies are not applying due to slow link detection, ICMP is required to check whether any packets are being fragmented.

For more information, refer http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/

Reply 5)

ICMP can be dangerous because hackers can use it to map and attack networks. So it needs to be restricted.

Reply 6)

IPSec (IP Security policy) can also be used to block certain ports and protocols. It can allow or deny incoming/outgoing traffic to the target machine.

Reply 7)

Very correct. Following are some reasons; some add to points already discussed in the forum and some are new:

1) ICMP can be used to launch Denial of Service (DoS) attacks. Mihir touched upon this earlier. This works by overloading a server with a particular (ping) request in such a way that the server cannot process anything. Thereby it is not able to serve its primary goal, of maybe a web server or an Exchange Front End server. One example of this is Smurf. Someone, please provide some details on this if possible.
2) Using ICMP, hackers can get too much information about a system. This was designed to help troubleshoot network issues, but using it in the wrong way can mean misusing the information. Hackers use the information gained from ICMP to impersonate other systems. For example, spam and virus mails are generally never distributed from the spammers' or virus creators' own machines.
3) To make matters worse, ICMP was not designed to use authentication. Hence it is all the more vulnerable.
4) ICMP also provides OS fingerprinting. This means that using ICMP, it is possible to know what OS is installed on the target machine. So the hacker knows that a particular machine has Windows 2003 and, using the port scanning feature of ICMP, he can also know which services are running on which port. If he has an exploit ready for this, then God save your server. Hence it also becomes important to install the critical patches released by Microsoft, since they patch the vulnerabilities which they know exist and are known to hackers.
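Reply 4 wants ICMP left open enough for the fragmentation/Path MTU check to work, while Reply 7 lists the message types attackers use for flooding, mapping and fingerprinting. As an added example (not from the thread), here is a Python model of a perimeter ICMP policy that reconciles the two: it accepts only the types a network actually needs to receive from outside and drops everything else, including echo requests aimed at the directed-broadcast address, which is the Smurf pattern Reply 7 asks about (forged-source echo requests to a broadcast address make every host on the segment reply to the spoofed victim). The inside network 192.0.2.0/24 and the sample packets are constructed for the example; a real deployment would express the same allow list in iptables/nftables or Windows Firewall rules rather than in Python.

```python
import ipaddress
import struct

# Assumption for the example: the protected network is 192.0.2.0/24 (documentation range).
INSIDE = ipaddress.ip_network("192.0.2.0/24")

# (type, code) pairs that must stay open or things silently break; code None = any code
ALLOW_INBOUND = {
    (3, 4): "fragmentation needed: Path MTU discovery (the slow-link case in Reply 4)",
    (3, 3): "port unreachable: lets UDP clients and traceroute finish instead of timing out",
    (0, None): "echo reply: answers to pings our own hosts sent out",
    (11, 0): "TTL exceeded in transit: hop replies for outbound traceroute",
}
# Types that mainly help an outsider map, fingerprint or redirect the network
DROP_AND_LOG = {
    8: "echo request from outside: host sweep",
    13: "timestamp request: clock skew / OS fingerprinting",
    17: "address mask request: reveals subnet layout",
    5: "redirect: route manipulation, never accept from outside",
}


def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                # header length in bytes (options included)
    protocol = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return src, dst, protocol, packet[ihl:]


def filter_icmp(packet: bytes) -> tuple:
    """Decide ('accept'|'drop', reason) for one packet arriving on the outside interface."""
    src, dst, protocol, payload = parse_ipv4(packet)
    if protocol != 1:                          # 1 = ICMP
        return "accept", "not ICMP, handled by other rules"
    if len(payload) < 8:
        return "drop", "runt ICMP message"
    msg_type, code = payload[0], payload[1]
    # Smurf: echo request to the inside broadcast address, usually with a forged source,
    # turns every inside host into an amplifier against the victim named as source
    if msg_type == 8 and dst == INSIDE.broadcast_address:
        return "drop", "echo request to directed broadcast (Smurf amplification)"
    if src in INSIDE:
        return "drop", "inside source address arriving from outside (spoofed)"
    for key in ((msg_type, code), (msg_type, None)):
        if key in ALLOW_INBOUND:
            return "accept", ALLOW_INBOUND[key]
    if msg_type in DROP_AND_LOG:
        return "drop", DROP_AND_LOG[msg_type]
    return "drop", "ICMP type %d not on the allow list" % msg_type


def make_ipv4(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (IP checksum left zero; the filter does not check it)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def icmp_packet(src: str, dst: str, msg_type: int, code: int) -> bytes:
    """Constructed test packet: IPv4 + 8-byte ICMP header + filler; ICMP checksum not filled."""
    return make_ipv4(src, dst, 1, struct.pack("!BBHHH", msg_type, code, 0, 0, 0) + b"x" * 8)


if __name__ == "__main__":
    samples = [
        icmp_packet("198.51.100.7", "192.0.2.255", 8, 0),   # Smurf-style broadcast ping
        icmp_packet("198.51.100.7", "192.0.2.10", 8, 0),    # plain inbound ping sweep
        icmp_packet("203.0.113.1", "192.0.2.10", 3, 4),     # fragmentation needed
        icmp_packet("203.0.113.1", "192.0.2.10", 13, 0),    # timestamp probe
        icmp_packet("192.0.2.5", "192.0.2.10", 0, 0),       # spoofed inside source
    ]
    for p in samples:
        print(filter_icmp(p))
```

The allow list is deliberately short: blocking "all ICMP" breaks Path MTU discovery, and the symptom is exactly the kind of slow-link or large-packet failure Reply 4 describes, while the drop list covers the sweeps and probes Replies 5 and 7 warn about.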

