Internet Control Message Protocol

Mandatory additional the Internet Protocol, Error messages, diagnostic

The Internet Control Message Protocol (ICMP ) is used in computer networks for the exchange of information and error messages via the Internet Protocol Version 4 (IPv4). For IPv6, there is a similar protocol called ICMPv6.

ICMP is an integral part of IPv4, but is treated as a separate protocol. It is expected of every router and every computer, the "talk" ICM Protocol to. Most ICMP packets contain diagnostic information; they are sent back from the router to the source, if the router discards packets, for example, because the goal is not reached, the TTL is expired, etc. The following principles apply:

  • ICMP uses IP as the basis for communication by it to yourself interpreted as an upper layer protocol, ie, ICMP messages are encapsulated in IP packets.
  • ICMP recognize some error conditions, but makes IP at no reliable protocol.
  • ICMP error analyzed in each IP packet, with the exception of those carrying an ICMP message.
  • ICMP messages are not sent in response to packets to destination addresses, in which it is multicast or broadcast addresses.
  • ICMP messages are not generated for ICMP messages.
  • ICMP messages only respond to a unique source IP address.

The ICMP packet types

  • 0 = Echo Reply
  • 1-2 = Reserved
  • 3 = Destination Unreachable
  • 4 = Source Quench
  • 5 = Redirect
  • 8 = Echo Request
  • 9 = Router Advertisement
  • 10 = Router Solicitation
  • 11 Time Exceeded =
  • 12 = Parameter Problem
  • 13 = Timestamp ( facilitates time synchronization)
  • 14 = Timestamp Reply
  • 15 = Information Request
  • 16 = Information Reply
  • 17 = Address Mask Request
  • 18 = Address Mask Reply
  • 19 = Reserved ( for Security )
  • 20-29 = Reserved ( for Robustness Experiment)
  • 30 = Trace Route
  • 31 = Datagram Conversion Error
  • 32 = Mobile Host Redirect
  • 33 = Initial IPv6 Where- Are- You ( replaced by ICMPv6 )
  • 34 = Initial IPv6 I-Am -Here (replaced by ICMPv6 )
  • = 35 Mobile Registration Request
  • = 36 Mobile Registration Reply
  • 37 Domain Name Request
  • 38 Domain Name Reply
  • 39 SKIP =
  • 40 = Photuris
  • 41 = ICMP messages Utilized by experimental mobility protocols: such as Seamoby
  • 42-255 = Reserved

Port Unreachable

Common convention is the placement of a "Port Unreachable" in response to a connection attempt to a non- open port from a service. The answer is " Port Unreachable " consists of a package of type 3 ( Destination Unreachable ), which contains the code 3 (see structure ).

Firewalling: Port unreachable versus " drop"

A common mistake when configuring a firewall is discarding (drop) the packets on an unwanted connection instead of an ICMP Port Unreachable message of the type to send it back.

In an attempt to make a connection gets the network client no response to his request and so waits until a timeout is received. This can result in programs leading to annoying waiting times for users or other undesirable side effects.

Apart from technical result also security-related problems. For example, an attacker can not access the service, but he can guess whether it is running or not. He could then try on an accessible service to manipulate the secured service. For example, a protected database server on the achievable for each Web server.

To see this is the example of the output of the port scanner nmap: It can be seen that, among others, the port 3306 TCP filtered status (filtered) has. This means that there was no answer in the review; the request is simply discarded by the firewall. This suggests that someone wants to protect the MySQL database service behind it against unauthorized access these yet running. The TCP port 80 ( http) has the status of open ( open) and stands for network requests.

$ Nmap- p 1 - homeserver.internal   Starting Nmap 6.40 ( ) at 2014-02-10 17:05 CET Nmap scan report for homeserver.internal ( ) Host is up ( 0.022s latency ). rDNS record for homeserver.internal Not shown: 65512 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http 106/tcp open pop3pw 110/TCP open pop3 135/TCP filtered MSRPC 137/tcp filtered netbios- ns 138/tcp filtered netbios- dgm 139/tcp filtered netbios- ssn 143/tcp open imap 443/TCP open https 445/tcp filtered microsoft- ds 465/tcp open smtps 587/tcp open submission 993/tcp open imaps 995/tcp open pop3s 3306/tcp filtered mysql 5314/tcp open unknown 5432/tcp filtered postgresql 8443/tcp open https -alt 8880/tcp open cddbp - old Nmap done: 1 IP address ( 1 host up) scanned in 301.14 seconds Time-to- live

To determine the route a packet takes to a destination host, the analysis program Traceroute sends manipulated datagrams with reduced time-to- live (TTL ) and waits for ICMP messages " Time to live exceeded in transit" and " Destination unreachable " than answers. Depending on the implementation of the ICMP Traceroute (eg, Linux ) (eg on Windows) or UDP.


ICMP sends and receives a variety of messages. In the IP header, the ICMP message is indicated by the protocol number 1. ICMPv6, however, carries the protocol number 58 The ICMP message format consists of only a few fields:

The type field specifies the message. The code field interprets the message type in more detail. Data typically include a portion of the original IP message. Some of the more common type of code combinations are:

An extra field " data " in many ICMP messages in the first 32 -bit word carries more detailed information regarding the allocation of the ICMP message. Often the IP header of the datagram, and triggering the first 64 bits of the packet are received from the second data word. However, the "Data " field can also be misused to transfer user data ( ICMP tunneling). Then, however, the necessary error handling or error correction and the like must be implemented at the application level.

Denial of service attacks using ICMP

The ping program is included with most operating systems in the basic installation. Among the Unixes, Unix derivatives (* BSD, Mac OSX), and Linux has the program defaults to the Flood ping function ( engl.: flood = flood ) which only the super-user (root) is available. This will send as soon as possible a new request on each response or 100 requests per second. Depending on from what is possible.

With this flood of data can be achieved, that the bandwidth of the target computer or even the computer itself is so busy that other queries can not be answered. However, the own bandwidth and computing power is just as highly stressed.

Purely in principle, suitable for any type of data as an attack. The fact that virtually all the program ping is already installed, so that is already a very simple means.