ICMP - Vulnerabilities

MTU - Path MTU Discovery (PMTUD)


The [ICMP](/icmp) protocol is a useful supporting protocol that is used by network devices to exchange operational information and error messages.  ICMP does have [vulnerabilities](/icmp-vulnerabilities) that can be exploited by malicious attackers.  However, there are certain strategies that can be used to mitigate against these vulnerabilities.

Arguably the most effective strategy (and simplest to employ) is to disable responses to ICMP completely on network devices, such as routers or switches. You will often see this approach on routers that are found on the Internet. If you have done a [traceroute](/traceroute) to a destination on the Internet, you may see that some hops along the way don’t respond. This is because they have been configured not to respond to ICMP messages for security reasons.

Now this solution is not always preferable because you may want to have utilities such as [ping](/ping) and traceroute available for troubleshooting.  Or you may have services and mechanisms in place that use ICMP, like certain monitoring tools, or Path [MTU](/mtu) Discovery ([PMTUD](/mtu-path-mtu-discovery-pmtud)), that will not function if you disable responses to ICMP.

There are two primary approaches:

1. If you choose to disable ICMP completely, then you must use other methods to troubleshoot. This can include using tools like:
    - traceroute with [TCP](/tcp) or [UDP](/udp) - On Linux for example, the `traceroute` command by default uses UDP, not ICMP. You can use `traceroute -T` which will conduct a “traceroute-like procedure” using TCP instead.  
	* TCP and UDP [port](/transport-layer-port-number) scans can also be used to determine if devices are active and listening to those particular ports
    - On a local network, you can use [ARP](/arp) to find the [MAC address](/mac-address) associated with a particular [IP](/ipv4) address, and thus you can also identify which devices are currently active on the local network.
    - Monitoring tools - Using [SNMP](/snmp-simple-network-management-protocol), [NetFlow](/netflow), or other network monitoring tools and protocols, you can determine device connectivity without using ICMP.
    - Other options include using [DNS](/dns) queries, [SSH](/ssh), [Telnet](/telnet), and application-level health checks.
2. The other approach is to not disable ICMP but to implement strategies that will help mitigate the risks associated with ICMP while still maintaining its benefits. This approach can include:
    - Selectively filtering ICMP traffic based on ICMP message types and geographical blocking of particular IP addresses
    - Rate limiting ICMP packets to avoid DoS attacks using mechanisms such as [Control Plane Policing (CoPP)](/control-plane-policing-copp)
    - Actively monitor ICMP traffic on the network to preemptively deal with attacks

There is no single best solution for all cases, it should be examined on a case by case basis. Disabling ICMP completely is easiest, but if you need ping and traceroute for troubleshooting (as well as for other possible features) then the alternative is to mitigate any such attacks as described above.


Links:

https://forum.networklessons.com/t/icmp-internet-control-message-protocol/1274/84?u=lagapidis

https://networklessons.com/cisco/ccnp-route/icmp-internet-control-message-protocol

ICMP - Mitigating Vulnerabilities

Ethernet - speed and duplex settings on an ISR4431

Ethernet CSMA-CD

Ethernet VPN (EVPN)

Ethernet administrative and operational encapsulation

Ethernet administrative operational mode

Ethernet frame types

Ethernet header

Ethernet over IP (EoIP)

Ethernet

FHRP - interaction with routing protocols

FHRP Communication Between Redundant Routers

FHRP Load Balancing Behavior

FHRP Protocols

FHRP communication path of keepalives

Fiber optic types

Fiber optics - Multi mode fiber optics characteristics

Fiber optics - Single mode fiber optics characteristics

Fiber optics - color coding

Fiber optics - connectors

FlexVPN Hub and Spoke backup routes

FlexVPN redundant hub with dual cloud

FlexVPN spoke to spoke communication fails with IPSec tunnel

FlexVPN

Frame Relay - is it a relevant technology anymore

Frame-Relay - emulating a Frame-Relay switch

Frame-Relay DLCI values

GNS3 how to obtain Cisco IOS images

GRE - Recursive routing error - AD solution

GRE - Recursive routing error - filtering solution

GRE - Recursive routing error

GRE - Tunnel Addressing

GRE MTU settings

GRE and IPSec

GRE tunnel and multicast

GRE tunnel key operation with only one tunnel key configured

GRE tunnel key

GRE tunnels and how they transmit multicast packets

HSRP - standby group numbers

HTTP - viewing HTTP messages in Wireshark

Hardware - Application Specific Integrated Circuit (ASIC)

High-Level Data Link Control (HDLC)

Home lab computer requirements

Hot Standby Router Protocol (HSRP)

How to practice labbing - best practices

How to prepare for Cisco DNA

IANA

ICANN

ICMP - response to a ping that is blocked by an ACL

ICMP codes and types

ICMP

IEEE

IETF

IGMP - Snooping Querier Election

IGMP - Snooping Querier

IGMP - access group

IGMP - fast leave

IGMP - filtering using ACLs

IGMP - ip igmp snooping querier command

IGMP - membership report

IGMP - using VLAN access maps to filter multicast traffic

IGMP Snooping internal interface

IGMP default IOS configurations

IGMP last member query interval

IGMP membership query max response time

IGMP membership reports destination

IGMP report suppression

IGMP snooping prevents report suppression

IGMP snooping source IP address for messages

IGMP snooping

IGMP version 1 how hosts stop receiving multicast traffic

IGMP

IGMPv2 - leave group message mechanism

IGRP

IOS - Configuration Archive and Rollback

IOS - Right To Use (RTU) License

IOS - ip http server

IOS - licensing

IOS - show license command

IOS - using ftp or tftp source-interface command

IOS configuration register

IOS install mode vs bundle mode

IOS key chain feature

IP - When is the TTL decremented in a router

IP Address Management (IPAM) Tools

IP Addressing on a Router

IP Fragmentation - effects on network traffic

IP Fragmentation Attack

IP Routing table - process by which entries are matched

IP SLA - Route Flapping Problem

IP SLA Parameters

IP SLA tracking syntax

IP addressing on a Switch

IP routing table - candidate default route

IP routing table - default route

IP routing table - static route

IPSec - Authentication Header (AH)

ICMP - Mitigating Vulnerabilities

Links to this page: