Internet Control Message Protocol

From Hill2dot0
(Redirected from ICMP)
Jump to: navigation, search

In the connectionless, packet environment of IP, all hosts and routers act autonomously. Packet delivery is best-effort. Everything functions just fine as long as the network is working correctly, but what happens when something goes wrong within the subnet? As a connectionless service, IP has no direct mechanism to tell higher layer protocols that something has gone awry.

Furthermore, IP does not even have a method for peer IP entities to exchange information; if an IP host receives a packet, it attempts to hand it off to a higher layer protocol. Internet Control Message Protocol (ICMP) has been defined for exactly this purpose—IP-to-IP communication, usually about some abnormal event within the network. ICMP messages are carried in IPv4 packets with a protocol value of 1. ICMP is defined in RFC 792 and is part of STD 5, which defines IP; this strongly suggests that ICMP is an integral part of IP.

ICMP Message Types

There are several types of ICMP messages.

  • Destination Unreachable: Indicates that a packet cannot be delivered because the destination host cannot be reached; the reason is also provided, such as the host or network is unreachable or unknown, the protocol or port is unknown or unusable, fragmentation is required but not allowed (DF-flag is set), the network or host is unreachable for this type of service, etc.
  • Time Exceeded: The packet has been discarded because the Time to Live (TTL) field reached 0 or because all fragments of a packet were not received before the fragmentation timer expired.
  • Parameter Problem: A router or host encountered a problem with something in the packet’s Header field.
  • Source Quench: Sent by a router to indicate that it is experiencing congestion (usually due to limited buffer space) and is discarding packets.
  • Redirect: If a router receives a packet that should have been sent to another router, the router will forward the packet appropriately and let the sending host know the address of the appropriate router for the next packet.

The remaining ICMP messages are used to query the network for information. These messages are listed below.

  • Echo and Echo Reply: Used to check whether systems are active. One host sends an Echo message to the other, optionally containing some data, and the destination must respond with an Echo Reply with the same data that it received. (These messages are the basis for the TCP/IP PING command.)
  • Timestamp and Timestamp Reply: These messages provide more information than the Echo messages by placing a timestamp (with millisecond granularity) in the messages. This provides a measure of how long remote systems spend buffering and processing packets, and provides a mechanism so that hosts can synchronize their clocks.
  • Address Mask Request and Address Mask Reply: Can be used by diskless workstations to determine their address mask when assigned an IP address.
  • Information Request and Information Reply: (formerly defined, but now obsolete)


ICMP Message Format

ICMP Message Format

The accompanying visual shows the general format of an Internet Control Message Protocol (ICMP) message. The first four octets of all ICMP (“error” and “query”) messages are listed below.

  • Type: Indicates the type of ICMP message, including Echo Reply (0), Destination Unreachable (3), Source Quench (4), Redirect (5), Echo (8), Time Exceeded (11), Parameter Problem (12), Timestamp (13), Timestamp Reply (14), Address Mask Request (18), and Address Mask Reply (19).
  • Code: Additional information specific to the message type. In the Time Exceeded message, for example, the Code field indicates whether the Time to Live counter was exceeded (0) or if the fragment reassembly timer expired (1).

Checksum: 16 bit checksum similar to that used in IP.

  • Miscellaneous: The next four octets (labeled miscellaneous in the diagram) are used differently by different messages. In most ICMP “error” messages (e.g., Destination Unreachable, Source Quench, Redirect, Time Exceeded, and Parameter Problem), these 32 bits are unused and set to 0. In the Parameter Problem message, however, the first octet is used as a pointer to the octet where the parameter problem was detected; in the Redirect message, these four octets contain the address of the router to which future traffic should be directed.
  • Packet header: The final field shown in the diagram contains the IP datagram header plus the first 64 bits of the packet’s Data field in the offending packet. The receiving host uses this information to match the message to the appropriate process. The 64 bits of user data are returned so that at least part of the header of any upper layer protocol, including any port numbers, gets back to the original sender.

ICMP Flooding

ICMP flooding is a basic form of DoS. The technique is to send a constant stream of ICMP packets towards the victim. When the attacker is able to steal and utilize more bandwidth than the victim, this simple attack can be quite effective.

Traditionally, victims have countered this attack by increasing their upstream bandwidth. Hackers have countered by developing DDoS attacks. More recently, victims of ICMP and other types of flooding attacks have countered by implementing rate limiting on the upstream service provider router.

PodSnacks

<mp3>http://podcast.hill-vt.com/podsnacks/2007q2/icmp.mp3%7Cdownload</mp3> | Internet COntrol Message Protocol (ICMP)