ICMP - Mitigating Vulnerabilities

ICMP is a supporting protocol that network devices use to exchange operational information and error messages. ICMP does have vulnerabilities that attackers can exploit. However, there are strategies that can be used to mitigate these vulnerabilities.

Arguably the most effective strategy (and simplest to employ) is to disable responses to ICMP completely on network devices, such as routers or switches. You will often see this approach on routers that are found on the Internet. If you have run a traceroute to a destination on the Internet, you may have seen that some hops along the way don’t respond. This is because they have been configured not to respond to ICMP messages for security reasons.

This solution is not always preferable, because you may want to have utilities such as ping and traceroute available for troubleshooting. You may also have services and mechanisms in place that use ICMP, such as certain monitoring tools or Path MTU Discovery (PMTUD), which will not function if you disable responses to ICMP.

There are two primary approaches:

If you choose to disable ICMP completely, then you must use other methods to troubleshoot. This can include using tools like:

  • traceroute with TCP or UDP - On Linux for example, the traceroute command by default uses UDP, not ICMP. You can use traceroute -T which will conduct a “traceroute-like procedure” using TCP instead.
  • TCP and UDP port scans can also be used to determine if devices are active and listening to those particular ports
  • On a local network, you can use ARP to find the MAC address associated with a particular IP address, and thus you can also identify which devices are currently active on the local network.
  • Monitoring tools - Using SNMP, NetFlow, or other network monitoring tools and protocols, you can determine device connectivity without using ICMP.
  • Other options include using DNS queries, SSH, Telnet, and application-level health checks.

The other approach is to not disable ICMP but to implement strategies that will help mitigate the risks associated with ICMP while still maintaining its benefits. This approach can include:

  • Selectively filtering ICMP traffic based on ICMP message types and geographical blocking of particular IP addresses
  • Rate limiting ICMP packets to avoid DoS attacks using mechanisms such as Control Plane Policing (CoPP)
  • Actively monitoring ICMP traffic on the network to preemptively deal with attacks
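
The first two items above can be modeled in a few lines. This is an added example, not code from the original page: it filters by ICMP message type before applying a token-bucket rate limit. The allow-list, the rate and burst values, the per-source bucket (CoPP itself polices traffic classes toward the control plane) and the sample packets are all assumptions made for illustration.

```python
# ICMPv4 (type, code) pairs to keep; code None matches any code of that type.
# Assumed allow-list, chosen to preserve ping, traceroute and PMTUD.
ALLOWED = {
    (8, None),   # echo request (ping)
    (0, None),   # echo reply
    (11, None),  # time exceeded (traceroute)
    (3, 3),      # port unreachable (last hop of a UDP traceroute)
    (3, 4),      # fragmentation needed (Path MTU Discovery)
}

class IcmpPolicy:
    def __init__(self, rate=2.0, burst=3.0):
        self.rate, self.burst = rate, burst  # tokens per second, bucket size
        self.buckets = {}  # source address -> (tokens, last_timestamp)

    def decide(self, ts, src, icmp_type, code):
        # Filter by type first so rejected types never consume tokens.
        if (icmp_type, None) not in ALLOWED and (icmp_type, code) not in ALLOWED:
            return "drop-type"
        tokens, last = self.buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)  # refill
        if tokens < 1.0:
            self.buckets[src] = (tokens, ts)
            return "drop-rate"
        self.buckets[src] = (tokens - 1.0, ts)
        return "accept"

# Constructed sample traffic: (timestamp_s, source, icmp_type, icmp_code)
SAMPLE = [
    (0.0, "192.0.2.10", 8, 0),     # ping
    (0.1, "192.0.2.10", 3, 4),     # PMTUD signal
    (0.2, "198.51.100.7", 5, 1),   # redirect
    (0.3, "198.51.100.7", 13, 0),  # timestamp request
] + [(1.0 + i * 0.01, "203.0.113.9", 8, 0) for i in range(6)] + [  # echo burst
    (3.0, "203.0.113.9", 8, 0),    # same source after the bucket refills
]

def evaluate(packets):
    policy = IcmpPolicy()
    return [policy.decide(*p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(pkt, verdict)
```

The counts of "drop-type" and "drop-rate" verdicts per source are also the kind of signal the monitoring item would watch.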

There is no single best solution for all cases; each situation should be examined on a case-by-case basis. Disabling ICMP completely is easiest, but if you need ping and traceroute for troubleshooting (as well as for other possible features), then the alternative is to mitigate any such attacks as described above.

https://networklessons.com/cisco/ccnp-encor/icmp-internet-control-message-protocol