What Is the Internet Control Message Protocol?

ICMP is an abbreviation for "Internet Control Message Protocol". It is a sub-protocol of the TCP/IP protocol family and is used to transfer control messages between IP hosts and routers. Control messages are messages about the network itself, such as whether a network is connected, whether a host is reachable, and whether a route is available. Although these control messages carry no user data, they play an important role in delivering user data.

Full name of ICMP
The Internet Control Message Protocol (ICMP) is an integral part of the IP suite. ICMP messages are carried inside IP packets and are mainly used to report unreachable destinations and other errors encountered during network operation. ICMP delivery is unreliable, so a host cannot rely on receiving ICMP messages to diagnose or solve every network problem.
ICMP is extremely important for network security. The characteristics of the protocol make it very easy to use for attacks on routers and hosts on the network. For example, in August 1999, when Hisense Group offered a reward of RMB 500,000 for testing its firewall, the firewall suffered as many as 334,050 ICMP attacks, more than 90% of all attacks recorded! Clearly, the importance of ICMP must not be ignored.
For example, the rule that the maximum ICMP packet size specified by the operating system must not exceed 64KB can be abused to launch a "Ping of Death" attack against a host. The principle of "Ping of Death" is this: if an ICMP packet larger than the 64KB upper limit arrives, the host makes a memory allocation error, which crashes the TCP/IP stack and brings down the host.
In addition, sending ICMP packets to a target host continuously, in large quantities and over a long period will eventually paralyze the system. The flood of ICMP packets forms an "ICMP storm" that forces the target host to spend a large amount of CPU time processing them until its resources are exhausted. [1]
ICMP messages live at the IP layer: they are carried inside ordinary IP datagrams and are generated by the host or router that produces the ICMP response.
The following code was debugged under Visual Studio 2008 + Windows 7.
lpsz specifies the start address of the packet whose checksum is to be calculated, and _dwSize specifies the length of the packet in bytes.
int CalcCheckSum (
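The body of the page's CalcCheckSum is not reproduced here, so the following is an added example (not the original code) of the same computation: the RFC 1071 Internet checksum that every ICMP message carries in bytes 2-3, a sender-side builder for an Echo Request, and the receiver-side validity check. The function names, the constructed sample packet (identifier 0x1234, sequence 1, payload "abcd") and the buffer layout are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 Internet checksum over an ICMP message: sum the 16-bit words in
 * ones' complement and return the complement. buf is the first byte of the
 * message, len its length in bytes (an odd trailing byte is zero-padded).
 * The checksum field (bytes 2-3) must hold zero while the value is computed. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; buf += 2, len -= 2)
        sum += ((uint32_t)buf[0] << 8) | buf[1];
    if (len == 1)
        sum += (uint32_t)buf[0] << 8;
    while (sum >> 16)                        /* fold carries back into 16 bits */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* A receiver sums the whole message, checksum field included: the complement
 * is zero exactly when the embedded checksum is correct. */
int icmp_checksum_valid(const uint8_t *msg, size_t len)
{
    return len >= 8 && icmp_checksum(msg, len) == 0;
}

/* Build an Echo Request (type 8, code 0) with identifier, sequence number and
 * payload into out, fill in its checksum, and return the message length. */
size_t build_echo_request(uint8_t *out, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t plen)
{
    uint16_t csum;
    out[0] = 8; out[1] = 0; out[2] = 0; out[3] = 0;   /* checksum zeroed first */
    out[4] = id >> 8;  out[5] = id & 0xFF;
    out[6] = seq >> 8; out[7] = seq & 0xFF;
    memcpy(out + 8, payload, plen);
    csum = icmp_checksum(out, 8 + plen);
    out[2] = csum >> 8; out[3] = csum & 0xFF;
    return 8 + plen;
}

int main(void)
{
    uint8_t msg[64];   /* constructed sample: id 0x1234, seq 1, payload "abcd" */
    size_t n = build_echo_request(msg, 0x1234, 1, (const uint8_t *)"abcd", 4);
    printf("checksum 0x%02x%02x valid=%d\n", msg[2], msg[3], icmp_checksum_valid(msg, n));
    msg[9] ^= 0x01;    /* corrupt one payload byte: validation must now fail */
    printf("after corruption valid=%d\n", icmp_checksum_valid(msg, n));
    return 0;
}
```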
Choose the right firewall
To defend effectively against ICMP attacks, the firewall should support stateful inspection, detailed packet integrity checks, and fine-grained control of filtering rules.
The following is a detailed analysis of the filtering rules for each ICMP message type.
Echo Request and Reply (types 8 and 0):
Allow Echo Request outbound so that internal users can ping remote hosts. Blocking inbound Echo Request and outbound Echo Reply prevents hosts on the external network from scanning the internal network. If you use a monitor located on an external network to watch your internal network, allow Echo Requests into your network only from that monitor's specific external IPs. Limiting the size of ICMP Echo packets can prevent "Ping Flood" attacks and can stop Trojans that use Echo Request and Reply to "smuggle" data through the firewall.
Destination unreachable (type 3):
Allow it inbound so that intranet users can use traceroute. Note that some attackers can use it to mount DoS attacks against sessions; if you have experienced such attacks, you can block it as well. Block outbound ICMP Destination Unreachable messages, because they may leak the structure of the internal network. There is one exception: Destination Unreachable messages issued by internal hosts that are allowed to accept TCP access from the external network (such as Web servers located in the DMZ) should be allowed to pass. To support "Path MTU Discovery", you should also allow outbound "Packet Too Big" messages (type 3, code 4) to reach those hosts.
Source quench (type 4):
Block it inbound, because it can be used as a DoS attack that slows down the sender. Allow it outbound so that internal hosts can control the rate at which senders transmit data. Some firewalls ignore all Source Quench messages sent directly to the firewall's own ports, to prevent DoS attacks against the firewall itself.
Redirect, Router Advertisement, Router Solicitation (types 5, 9, 10):
These messages are potentially dangerous because they can be used to redirect traffic to an attacker's machine. They should be blocked in both directions.
TTL exceeded (type 11):
Allow it inbound so that internal users can use traceroute. "Firewalking" scans a network using very low TTL values and can even probe the internal network through a firewall, so it should be blocked outbound. Some firewalls can also refuse packets whose TTL is below a configured threshold.
Parameter problem (type 12):
Block it inbound and outbound. With a firewall capable of packet consistency checking, both malformed and malicious packets are dropped.
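The per-type rules above, collected into one policy function as an added example (not the article's or any firewall product's code). The direction and trust flags, the assumed Echo size limit of 1024 bytes, and the deny-by-default for types the article does not discuss are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed site-specific limit on ICMP Echo message size, in bytes. */
#define MAX_ECHO_LEN 1024

/* Decide whether an ICMP message passes the firewall under the rules above.
 * inbound: 1 if the message enters from the external network, 0 if it leaves.
 * trusted_monitor: 1 if an inbound Echo Request comes from an approved
 *   external monitoring IP. dmz_tcp_server: 1 if an outbound Destination
 *   Unreachable was generated by an internal host that serves TCP to the
 *   outside (e.g. a DMZ Web server). Returns 1 = allow, 0 = block. */
int icmp_policy(int inbound, unsigned type, unsigned code, size_t len,
                int trusted_monitor, int dmz_tcp_server)
{
    switch (type) {
    case 8:  /* Echo Request: out always; in only from the monitor; size-capped */
        if (len > MAX_ECHO_LEN) return 0;
        return inbound ? (trusted_monitor ? 1 : 0) : 1;
    case 0:  /* Echo Reply: answers to our own pings come in; never leaks out */
        if (len > MAX_ECHO_LEN) return 0;
        return inbound ? 1 : 0;
    case 3:  /* Destination Unreachable: in for traceroute; out only for
                Packet Too Big (PMTUD) or from externally reachable TCP servers */
        if (inbound) return 1;
        return (code == 4 || dmz_tcp_server) ? 1 : 0;
    case 4:  /* Source Quench: block in (DoS lever), allow out */
        return inbound ? 0 : 1;
    case 5: case 9: case 10:  /* Redirect, Router Advertisement, Router Solicitation */
        return 0;
    case 11: /* Time Exceeded: in for traceroute; out blocked against firewalking */
        return inbound ? 1 : 0;
    case 12: /* Parameter Problem: blocked both ways */
        return 0;
    default: /* types the article does not cover: deny by default (assumption) */
        return 0;
    }
}

int main(void)
{
    /* Constructed sample decisions: direction, type, code, length, flags. */
    printf("outbound ping         -> %d\n", icmp_policy(0, 8, 0, 64, 0, 0));
    printf("inbound ping          -> %d\n", icmp_policy(1, 8, 0, 64, 0, 0));
    printf("inbound ping (monitor)-> %d\n", icmp_policy(1, 8, 0, 64, 1, 0));
    printf("outbound Packet Too Big-> %d\n", icmp_policy(0, 3, 4, 56, 0, 0));
    printf("inbound redirect      -> %d\n", icmp_policy(1, 5, 0, 56, 0, 0));
    return 0;
}
```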
