Internet Control Message Protocol

Typical messages are as follows:

The ICMP protocol is heavily used by crackers as a reconnaissance tool to map a target’s network. Echo messages are sent to a computer on a network. If the host sends back an Echo Reply, the cracker knows not only of the computer’s existence but also that it potentially can be exploited. For this reason, network administrators have started blocking incoming “icmp data” on their network’s firewalls.

Consequently, crackers have reacted by using other tricks. For example, an http connection to a target is attempted, but the TimeToLive field is set so that a destination-unreachable ICMP message will be triggered. Typically, outgoing ICMP messages are allowed by network administrators as a legitimate function of the ICMP protocol; thus, the attempted reconnaissance succeeds.

Redirect messages can also be used to sabotage routing tables. Correctly used Redirect messages tell the routers that there are better paths through the network to a destination, and they do so by announcing, “Next time you try to reach the destination, use this IP address instead.” This feature is put to malicious use by crackers sending wrong announcements to the routers to disrupt traffic, redirect it to a compromised machine to gather further intelligence, or to tamper with the message before it is sent on.

See Also: Administrator; Internet Protocol (IP); Network.