T 5.50 Abuse of the ICMP protocol
As a transport layer protocol, the Internet Control Message Protocol (ICMP) has the task of transporting error and diagnostic information. By abusing ICMP messages, an attacker may both disturb network operations and gather information about the internal network which he/she may use for planning an attack:
- ICMP Redirect messages may be used to manipulate the routing tables of computers.
- ICMP Unreachable messages may be used to disturb or completely interrupt established connections.
- The different ICMP Request message types (Echo Request, Information Request, Timestamp Request, Address Mask Request) can easily be used to map the internal network of an organisation (ICMP Sweeps).
- Falsified ICMP Reply messages may also be used to find out information about the internal network, since they cause the target computer to respond to them with an error message.
- Different operating systems differ in the way they react to certain ICMP messages. In addition to revealing that a certain address is active, ICMP replies may therefore also disclose which operating system is installed on the computer concerned (Fingerprinting).
- Improper implementations of ICMP in some operating systems have caused security problems in the past:
  - Computers running Windows 95 could be made to crash by certain ICMP echo packets ("Ping of Death").
  - ICMP response packets from various operating systems could contain excerpts of the working memory of the computer concerned. In extreme cases, passwords or cryptographic keys could be passed to an external computer in this way.
- Any kind of ICMP message may also be used to create a hidden information channel through which data can be transported from the internal network to the outside.
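The following added example (not part of the catalogue text) shows how a defender might recognise the message classes listed above in captured traffic. It parses raw ICMPv4 messages (type, code, RFC 1071 checksum), then applies simple heuristics: Redirect messages, the legacy Information/Timestamp/Address Mask requests, one source probing many hosts (sweep), Echo Replies that answer no request (falsified replies), and oversized echo payloads as a covert-channel indicator. The sample packets, IP addresses, and the thresholds `sweep_threshold` and `max_echo_payload` are constructed assumptions for the demonstration; the type numbers are the real ICMPv4 values from RFC 792 and RFC 950.

```python
import struct
from collections import defaultdict

# ICMPv4 type numbers (RFC 792, RFC 950)
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
    8: "Echo Request", 13: "Timestamp Request", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply",
}
REQUEST_TYPES = {8, 13, 15, 17}      # request types usable for network mapping
LEGACY_REQUESTS = {13, 15, 17}       # rarely legitimate on a modern network


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Construct a test ICMP message with a valid checksum (test data only)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return header[:2] + struct.pack("!H", icmp_checksum(header)) + header[4:]


def parse_icmp(packet: bytes):
    """Return (type, code, payload); raise ValueError for truncated or corrupt messages."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(packet) != 0:        # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    return packet[0], packet[1], packet[8:]


def assess(records, sweep_threshold: int = 8, max_echo_payload: int = 64):
    """records: iterable of (src_ip, dst_ip, icmp_bytes). Returns a list of findings."""
    findings = []
    probed = defaultdict(set)   # source -> distinct destinations it sent requests to
    outstanding = set()         # (requester, target) pairs still awaiting an Echo Reply
    for src, dst, pkt in records:
        try:
            t, c, payload = parse_icmp(pkt)
        except ValueError as err:
            findings.append(("malformed", src, dst, str(err)))
            continue
        name = ICMP_TYPES.get(t, "type %d" % t)
        if t == 5:    # Redirect: can rewrite the receiver's routing table
            findings.append(("redirect", src, dst, "%s code %d" % (name, c)))
        if t in LEGACY_REQUESTS:
            findings.append(("legacy-request", src, dst, name))
        if t in REQUEST_TYPES:
            probed[src].add(dst)
            outstanding.add((src, dst))
        if t == 0:    # Echo Reply without a matching request is suspect
            if (dst, src) in outstanding:
                outstanding.discard((dst, src))
            else:
                findings.append(("unsolicited-reply", src, dst, name))
        if t in (0, 8) and len(payload) > max_echo_payload:
            findings.append(("oversized-echo", src, dst, "%d byte payload" % len(payload)))
    for src, dsts in probed.items():
        if len(dsts) >= sweep_threshold:
            findings.append(("sweep", src, "*", "%d hosts probed" % len(dsts)))
    return findings


def sample_records():
    """Constructed sample traffic; all addresses are placeholders."""
    recs = [("10.0.0.5", "10.0.0.9", build_icmp(8, payload=b"abc")),   # normal ping
            ("10.0.0.9", "10.0.0.5", build_icmp(0, payload=b"abc")),   # matching reply
            ("10.0.0.66", "10.0.0.5", build_icmp(5, code=1, rest=b"\x0a\x00\x00\x42"))]
    recs += [("10.0.0.77", "10.0.0.%d" % i, build_icmp(8)) for i in range(10, 20)]  # sweep
    recs += [("198.51.100.7", "10.0.0.5", build_icmp(0)),               # unsolicited reply
             ("10.0.0.5", "10.0.0.9", build_icmp(8, payload=b"Z" * 500)),  # oversized echo
             ("10.0.0.77", "10.0.0.9", build_icmp(13, payload=b"\x00" * 12)),  # timestamp
             ("10.0.0.5", "10.0.0.9", b"\x08\x00\x12\x34\x00\x00\x00\x00")]  # bad checksum
    return recs


if __name__ == "__main__":
    for kind, src, dst, detail in assess(sample_records()):
        print("%-18s %-14s -> %-12s %s" % (kind, src, dst, detail))
```

In practice the records would come from a packet capture or flow export rather than the constructed list, and the thresholds would be tuned to the network; the point of the heuristics is that each finding maps directly onto one of the abuses listed in this threat.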