Monday, October 14, 2019

ICMP attacks


ICMP stands for Internet Control Message Protocol and is the most used protocol in networking technology.
A connectionless protocol, ICMP does not use any port number and works in the network layer.
ICMP is commonly used for diagnostics, error reporting and querying hosts, and attackers now also use ICMP to carry payloads.

ICMP Attack Types

ICMP Tunnelling
An ICMP tunnel establishes a channel between client and server so that a firewall does not raise an alarm when data are sent over ICMP.
ICMP tunnelling is a covert connection between two endpoints using ICMP echo request and echo reply packets. Using ICMP tunnelling, one can inject arbitrary data into an echo packet and send it to a remote computer; the remote computer injects its answer into another ICMP packet and sends it back. This traffic remains undetected by a proxy-based firewall, which focuses mainly on source and destination IP addresses rather than on the contents of the echo payload.

Hping is a packet-crafting tool used to test or attack a device. A normal ping sent from a command prompt transmits four packets; if we want to send an ICMP request with a specific type or code set, we can use Hping.

The most common ICMP tunnelling program is LOKI. It uses the ICMP echo response packet to carry its payload. By using LOKI, one can transmit data secretly by hiding the traffic so networking devices cannot detect the transmission. It can also be used to set a backdoor into a target system and execute commands on the machine with admin privileges, as well as leak information and start/stop critical services without users’ knowledge.

Organisations have adopted many ways to prevent ICMP tunnelling, such as blocking all ICMP traffic or limiting the size of ICMP packets.
The use of IDS/IPS is also an effective method, and many IDS/IPS devices have a signature to detect the presence of LOKI.

Smurf Attack
Whenever an ICMP echo request (type 8) is sent, an echo reply (type 0) is sent back. In a Smurf attack, an attacker spoofs the source address of the ICMP echo request so that it carries the victim's address and sends it to the broadcast address of a network. If networking devices do not filter this traffic, it is broadcast to all computers on the network, and every one of them replies to the victim. The victim's network gets congested by this much traffic, which brings down the productivity of the entire network.
Countermeasures for Smurf Attack

    Put filters on routers and firewalls to counteract address spoofing. An IP address range should be assigned to each LAN segment, and if the source IP address of a packet leaving the segment is not in the range assigned to that segment, the traffic should be dropped.
    Put filters on L3 devices so that they do not reply to (or forward) echo requests sent to a broadcast address.
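As an added defender-side example (not code from the original post or from the infosecinstitute article it summarises), the checker below parses constructed raw IPv4/ICMP packets and applies the ICMP tunnelling indicators described above (echo payloads larger than a normal ping's, or with high entropy) together with the two Smurf filtering rules just listed. The thresholds, the packet builder, the sample addresses and the segment 192.168.1.0/24 are assumptions made for this example.

```python
import ipaddress
import math
import struct

# Thresholds are assumptions for this example (not from the original post):
NORMAL_PING_MAX = 64  # Windows ping pads 32 bytes, Linux 56; larger echo payloads are unusual
ENTROPY_MAX = 7.0     # bits/byte; ping padding is a fixed pattern, tunnelled data usually is not

def entropy(data: bytes) -> float:
    """Shannon entropy of the payload in bits per byte (0.0 for an empty payload)."""
    if not data:
        return 0.0
    probs = [data.count(bytes([b])) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def build_echo(src: str, dst: str, ttl: int, icmp_type: int, payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo packet for testing; checksums stay zero as check() ignores them."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + icmp

def check(pkt: bytes, segment: str, outbound: bool) -> list:
    """Names of the rules an ICMP echo packet trips on a router port of `segment`; [] means benign.
    outbound=True means the packet is leaving the segment, False that it arrives from outside."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or pkt[ihl] not in (0, 8):  # only ICMP echo request/reply are examined
        return []
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    icmp_type, payload = pkt[ihl], pkt[ihl + 8:]
    net = ipaddress.ip_network(segment)
    hits = []
    if len(payload) > NORMAL_PING_MAX:
        hits.append("oversized echo payload (possible tunnel)")
    if entropy(payload) > ENTROPY_MAX:
        hits.append("high-entropy echo payload (possible tunnel)")
    if outbound and src not in net:
        hits.append("source address outside segment (spoofed, drop)")
    if not outbound and icmp_type == 8 and dst == net.broadcast_address:
        hits.append("echo request to segment broadcast (smurf amplifier, drop)")
    return hits

# Constructed samples: a normal Linux-style ping, an echo carrying 256 bytes of opaque data, and
# an inbound echo request aimed at the segment broadcast with a source address from elsewhere.
LINUX_PING = build_echo("192.168.1.10", "8.8.8.8", 64, 8, bytes(16) + bytes(range(0x10, 0x38)))
TUNNEL_ECHO = build_echo("192.168.1.10", "8.8.8.8", 64, 8, bytes(range(256)))
SMURF_PROBE = build_echo("10.0.0.5", "192.168.1.255", 64, 8, b"abcdefghijklmnopqrstuvwabcdefghi")
```

Calling `check(TUNNEL_ECHO, "192.168.1.0/24", True)` returns both tunnel rules, while the Linux-style ping returns an empty list.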

Fraggle Attack
A Fraggle attack is the same as a Smurf attack, but UDP is used rather than ICMP.


Information Gathering
Under information gathering, one can use different ICMP methods to find live hosts, map the network topology, fingerprint operating systems, detect ACLs, and so on. A classic way to discover hosts on a network is to send ICMP echo requests (type 8), which should prompt the target hosts to respond with ICMP echo replies.

Trace Route
Trace route can be used to determine the network topology. The trace route command discovers the route that packets actually take when travelling to their destination.

Windows uses an ICMP trace route, while Linux-based systems use a UDP trace route. So when running a trace route from a Windows computer, three ICMP echo messages with the TTL set to 1 are sent out to the destination IP address.


Port Scan
ICMP error messages (Protocol Unreachable / Port Unreachable) can be used to find the open ports on an IP address or a LAN segment.


OS fingerprinting
Fingerprinting is a technique to find out what kind of OS a server is running by looking at its ICMP response.
If the ICMP reply contains a TTL value of 128 then it is a Windows machine, and if the ICMP reply contains a TTL value of 64 then it is a Linux-based machine. Since every router on the path decrements the TTL by one, the observed value is the initial TTL minus the hop count, so it is matched to the nearest of these starting values.

ICMP Router Discovery
The ICMP router discovery protocol discovers the IP addresses of neighbouring routers. Its messages are called “Router Advertisements” and “Router Solicitations”. Router discovery is not a routing protocol.

Teardrop
Teardrop is a kind of DoS attack that an attacker carries out using ICMP packets. Teardrop attacks exploit the handling of overlapping IP fragments on the target machine. IP packets are broken up into smaller fragments, each carrying the original IP packet’s header and a field that tells the TCP/IP stack which bytes of the original packet it contains. The fragmented packet is sent from the source to the destination, where the fragments need to be put back together again. In a teardrop attack the IP fragments have overlapping offset fields, so when the destination tries to reassemble them it cannot do so, and if its stack does not know how to handle these overlapping fragments it can quickly crash.
https://resources.infosecinstitute.com/icmp-attacks/#gref
