ICMP - Mitigating Vulnerabilities


[ICMP](/icmp) is a [Network layer](/osi-model) protocol used by network devices to exchange error messages and operational information.  Some of the most well known diagnostic tools that leverage ICMP include [Ping](/ping) and [Traceroute](/traceroute).  

Despite its utility for diagnostic and control purposes, ICMP can be exploited in several types of network attacks. Here are some of the common network attacks that leverage ICMP:

1. **Ping Flood**: This is a type of Denial of Service (DoS) attack where the attacker overwhelms the target with ICMP Echo Request (ping) packets. This can consume both outbound and inbound bandwidth, causing network congestion or slowing down the target's internet connection, potentially rendering it unresponsive.

2. **Ping of Death**: In this attack, the attacker sends malicious pings to a target. These ICMP packets are oversized or malformed, exploiting vulnerabilities in older, less secure systems. The goal is to cause the target system to freeze, crash, or reboot because of buffer overflows or other failures in handling these packets.

3. **ICMP Smurf Attack**: This is a reflection-based network amplification attack. The attacker sends ICMP Echo Request packets to a network's [broadcast address](/ipv4-network-and-broadcast-addresses) with the source IP [spoofed](/security-spoofing) to the target's [IP](/ipv4) address. All hosts on the broadcast network respond to the Echo Request, overwhelming the target with ICMP Echo Reply packets.

4. **ICMP Redirect Attack**: This involves an attacker sending ICMP redirect messages to network devices. By doing so, the attacker can alter the [routing tables](/routing-table) of the devices, potentially redirecting traffic through a malicious network device for eavesdropping or data modification.

5. **ICMP Tunneling**: Although more of a method for bypassing network security measures than an attack per se, ICMP tunneling encapsulates data within ICMP packets to sneak through firewalls or evade network monitoring tools that might not scrutinize ICMP traffic as closely as other protocols.

6. **ICMP Flood Attack**: Similar to a Ping Flood, this broader category of DoS attack involves sending a large number of ICMP packets without waiting for replies. Various ICMP message types can be used, not just Echo Request messages.

7. **Traceroute Flood**: Utilizing the ICMP Time Exceeded messages generated by routers in response to packets with expired [TTL (Time To Live)](/ip-when-is-the-ttl-decremented-in-a-router), an attacker can flood a target with these indirect ICMP messages by initiating traceroute processes with spoofed source IP addresses.

These attacks exploit the fundamental mechanisms and features of ICMP for malicious purposes. Mitigating such attacks often involves configuring [firewalls](/asa) and [intrusion prevention systems](/intrusion-prevention-system-ips) to monitor and limit ICMP traffic, ensuring systems and devices are updated to patch known vulnerabilities, and implementing rate limiting and anti-spoofing measures. 

For more information, take a look at [ICMP - Mitigating Vulnerabilities](/icmp-mitigating-vulnerabilities) to see how to deal with some of these security issues.

Links:

https://networklessons.com/cisco/ccnp-route/icmp-internet-control-message-protocol

ICMP - Vulnerabilities

Ethernet CSMA-CD

Ethernet VPN (EVPN)

Ethernet administrative and operational encapsulation

Ethernet administrative operational mode

Ethernet frame types

Ethernet header

Ethernet over IP (EoIP)

Ethernet

FHRP - interaction with routing protocols

FHRP Communication Between Redundant Routers

FHRP Load Balancing Behavior

FHRP Protocols

FHRP communication path of keepalives

Fiber optic types

Fiber optics - Multi mode fiber optics characteristics

Fiber optics - Single mode fiber optics characteristics

Fiber optics - color coding

Fiber optics - connectors

FlexVPN Hub and Spoke backup routes

FlexVPN redundant hub with dual cloud

FlexVPN spoke to spoke communication fails with IPSec tunnel

FlexVPN

Frame Relay - is it a relevant technology anymore

Frame-Relay - emulating a Frame-Relay switch

Frame-Relay DLCI values

GNS3 how to obtain Cisco IOS images

GRE - Recursive routing error - AD solution

GRE - Recursive routing error - filtering solution

GRE - Recursive routing error

GRE - Tunnel Addressing

GRE MTU settings

GRE and IPSec

GRE tunnel and multicast

GRE tunnel key operation with only one tunnel key configured

GRE tunnel key

GRE tunnels and how they transmit multicast packets

HSRP - standby group numbers

HTTP - viewing HTTP messages in Wireshark

Hardware - Application Specific Integrated Circuit (ASIC)

High-Level Data Link Control (HDLC)

Home lab computer requirements

Hot Standby Router Protocol (HSRP)

How to practice labbing - best practices

How to prepare for Cisco DNA

IANA

ICANN

ICMP - response to a ping that is blocked by an ACL

ICMP codes and types

ICMP

IEEE

IETF

IGMP - Snooping Querier Election

IGMP - Snooping Querier

IGMP - access group

IGMP - fast leave

IGMP - filtering using ACLs

IGMP - ip igmp snooping querier command

IGMP - membership report

IGMP - using VLAN access maps to filter multicast traffic

IGMP Snooping internal interface

IGMP default IOS configurations

IGMP last member query interval

IGMP membership query max response time

IGMP membership reports destination

IGMP report suppression

IGMP snooping prevents report suppression

IGMP snooping source IP address for messages

IGMP snooping

IGMP version 1 how hosts stop receiving multicast traffic

IGMP

IGMPv2 - leave group message mechanism

IGRP

IOS - Configuration Archive and Rollback

IOS - Right To Use (RTU) License

IOS - ip http server

IOS - licensing

IOS - show license command

IOS - using ftp or tftp source-interface command

IOS configuration register

IOS install mode vs bundle mode

IOS key chain feature

IP - When is the TTL decremented in a router

IP Address Management (IPAM) Tools

IP Addressing on a Router

IP Fragmentation - effects on network traffic

IP Fragmentation Attack

IP Routing table - process by which entries are matched

IP SLA - Route Flapping Problem

IP SLA Parameters

IP SLA tracking syntax

IP addressing on a Switch

IP routing table - candidate default route

IP routing table - default route

IP routing table - static route

IPSec - Authentication Header (AH)

IPSec - ESP vs AH

ICMP - Vulnerabilities

Links to this page: