
• Introduction.
    i. ICMP Position.
    ii. ICMP Packets.
• Basic Functionality.
• Header Format.
• ICMP Functions.
• ICMP Message Classes.
• Types of Messages.
• ICMP Applications: Ping, Traceroute.
• Issues.
• Conclusion.
Introduction
• ICMP is an “error reporting” protocol.
• ICMP is part of the Internet protocol suite and is defined in “RFC 792”.
• It corrects the network problems as a whole but does not correct the individual packet problems.
• ICMP is a complementary protocol to IP that resides on the network layer.
• ICMP is a communication protocol between IP protocol implementations on two connected systems.
• It provides feedback to the sender on problems, as well as on internet settings such as subnet masks.
• ICMP packets are sent in IP datagrams.
• Two levels of encapsulation occur when an ICMP message is transmitted across a physical network.

[ ICMP Header | ICMP Data Area ]                  (ICMP message)
[ IP Header | IP Data Area = ICMP message ]       (IP datagram)
[ Frame Header | Frame Area = IP datagram ]       (frame)
[Figure: a datagram travels from Host A to Host B, but there is a problem in Router R3; R3 sends an ICMP message back to Host A.]
• ICMP has a fixed header of 4 bytes:
- Type: type of message
- Code: subtype of message
- Checksum: 1’s complement, computed over the entire ICMP message
- Checksum set to zero
• Announce Network Errors: a failure of some kind causes a host or the entire network to be unreachable.
• Announce Network Congestion: too many packets are buffered by the router, and it cannot transmit them at the same speed, which causes network congestion.
• Assist Troubleshooting: ICMP supports an Echo function, which sends a packet on a round trip between two hosts.
• Announce Timeouts: if an IP packet’s TTL field drops to zero, the router discards that packet and generates an ICMP message indicating this fact.
• Error Messages: These messages are used to provide feedback to a source device
about an error that has occurred. They are usually generated specifically in
response to some sort of action, usually the transmission of a datagram. Errors are
usually related to the structure or content of a datagram, or to problem situations
on the internetwork encountered during datagram routing.

• Informational (or Query) Messages: These are messages that are used to let
devices exchange information, implement certain IP-related features, and perform
testing. They do not indicate errors and are typically not sent in response to a
regular datagram transmission. They are generated either when directed by an
application, or on a regular basis to provide information to other devices. An
informational ICMP message may also be sent in reply to another informational
ICMP message, since they often occur in request/reply or
solicitation/advertisement functional pairs.
ICMP Message Types

Type  Description
0     Echo Reply (Ping Reply, used with Type 8, Ping Request)
3     Destination Unreachable
4     Source Quench
5     Redirect
8     Echo Request (Ping Request, used with Type 0, Ping Reply)
9     Router Advertisement (Used with Type 10)
10    Router Solicitation (Used with Type 9)
11    Time Exceeded
12    Parameter Problem
13    Timestamp Request (Used with Type 14)
14    Timestamp Reply (Used with Type 13)
15    Information Request (obsolete) (Used with Type 16)
16    Information Reply (obsolete) (Used with Type 15)
17    Address Mask Request (Used with Type 18)
18    Address Mask Reply (Used with Type 17)

Message Types Contd…

The DESTINATION UNREACHABLE message is used when the subnet or a router cannot locate the destination.
The TIME EXCEEDED message is sent when a packet is dropped because its counter
has reached zero. This event is a symptom that packets are looping, that there is enormous
congestion, or that the timer values are being set too low.
The PARAMETER PROBLEM message indicates that an illegal value has been
detected in a header field. This problem indicates a bug in the sending host’s IP software
or possibly in the software of a router transited.
The SOURCE QUENCH message was formerly used to throttle hosts that were
sending too many packets. When a host received this message, it was expected to slow
down. It is rarely used any more when congestion occurs.

• If a router finds that a network is congested, the router sends an ICMP source quench message to the source.
• The source then sets the window size to minimum after receiving this message.
Message Types Contd…

The REDIRECT MESSAGE is used when a router notices that a packet seems to be routed
wrong. It is used by the router to tell the sending host about the probable error.
The ECHO and ECHO REPLY messages are used to see if a given destination is reachable and
alive. Upon receiving the ECHO message, the destination is expected to send an ECHO REPLY
message back.
The TIMESTAMP REQUEST and TIMESTAMP REPLY messages are similar, except that
the arrival time of the message and the departure time of the reply are recorded in the reply. This
facility is used to measure network performance.

Destination Unreachable Codes

Code  Definition
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
4     Fragmentation needed & Don’t Fragment was set
5     Source Route failed
6     Destination Network Unknown
7     Destination Host Unknown
8     Source Host Isolated
9     Communication with Destination Network is Administratively Prohibited
10    Communication with Destination Host is Administratively Prohibited
11    Destination Network Unreachable for Type of Service
12    Destination Host Unreachable for Type of Service
13    Communication Administratively Prohibited
14    Host Precedence Violation
15    Precedence Cutoff Violation

Redirect Codes

Code  Definition
0     Redirect Datagram for the Network (or subnet)
1     Redirect Datagram for the Host
2     Redirect Datagram for the Type of Service & Network
3     Redirect Datagram for the Type of Service & Host

Time Exceeded Codes

Code  Definition
0     Time to Live Exceeded in Transit
1     Fragment Reassembly Time Exceeded

Parameter Problem Codes

Code  Definition
0     Pointer Indicates the Error
1     Missing a Required Option
2     Bad Length

ICMP-APPLICATIONS

The two important applications based on ICMP are:
• PING
• Traceroute
Ping:
• A program for checking if a host is alive; exists in most operating systems
• Sends an ICMP message of type Echo Request
• Receiver answers with an ICMP message of type Echo Reply
Format:
• Ping ip address.
• Ping 192.161.72.1
What Ping can tell you?
• If packets have been dropped, duplicated or reordered.
• Detects some forms of damaged packet.
• Round Trip Time (RTT): how long each packet exchange took.
• Other ICMP messages.
What a Ping cannot tell:
• Ping cannot provide reasons why packets go unanswered.
• Ping cannot tell why a packet was damaged, duplicated or delayed.
• Ping cannot give you a blow-by-blow description of every host that handled the packet and everything that happened at every step of the way.
Ping
• The PING utility is actually an ICMP Echo process.
• An ICMP Echo Request packet consists of an Ethernet header, IP header, ICMP header, and some undefined data.
• This packet is sent to the target host, which echoes back that data, as shown in Figure 4-1.
• The ICMP echo request is a connectionless process with no guarantee of delivery.
[Figure: event flow diagram, ICMP ECHO REQUEST and ICMP ECHO REPLY]
TRACEROUTE:
• Traceroute measures the number of hops required to reach a destination.
• It sends an IP packet with Time To Live (TTL) set to 1.
• When a router decrements the TTL to zero, it discards the packet and sends an ICMP packet to the source to inform it of the problem.
• It repeats this with increasing TTL values.
Maximum Transmission Unit (MTU)
• When a router receives a datagram that is larger than the MTU of the network over which it is to be sent, the router divides the datagram into smaller pieces called fragments.
• An IP datagram divided into three fragments. Each fragment carries some data from the original datagram, and has an IP header similar to the original datagram.
MAXIMUM TRANSMISSION UNIT
• Another application of ICMP is to determine the MTU along a path.
• Sending packets with the “do not fragment” flag will cause a node to send an ICMP message back to the source when a packet needs to be fragmented. This ICMP message includes the maximum packet size allowed at that point.
• IP can adjust to sending packets that won’t fragment along the way.
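
How a sender can read the maximum packet size out of that ICMP message, as an added Python example (not from the original slides). It parses a Destination Unreachable, code 4 message using the RFC 1191 next-hop MTU field and only lowers the path MTU when the message passes basic sanity checks; the sample bytes, the addresses and the choice to ignore values below 68 are assumptions of this example, and checksums are left at zero and not verified.

```python
import ipaddress
import struct

MIN_IPV4_MTU = 68  # every IPv4 link must carry at least 68 bytes (RFC 791)

def parse_frag_needed(icmp: bytes) -> dict:
    """Parse Destination Unreachable (type 3), code 4, per RFC 1191."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short to quote the original IP header")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        raise ValueError("not a fragmentation-needed message")
    quoted = icmp[8:]  # IP header + first 8 data bytes of the dropped datagram
    total_len, _ident, flags_frag = struct.unpack("!HHH", quoted[2:8])
    return {
        "next_hop_mtu": mtu,
        "df_set": bool(flags_frag & 0x4000),   # Don't Fragment bit
        "orig_len": total_len,
        "orig_dst": str(ipaddress.ip_address(quoted[16:20])),
    }

def update_path_mtu(current_mtu: int, icmp: bytes, sent_to: str) -> int:
    """Return the MTU to use next; ignore messages that fail sanity checks."""
    msg = parse_frag_needed(icmp)
    plausible = (
        msg["df_set"]                       # the probe was sent with DF set
        and msg["orig_dst"] == sent_to      # quotes a datagram we actually sent
        and MIN_IPV4_MTU <= msg["next_hop_mtu"] < current_mtu
    )
    return msg["next_hop_mtu"] if plausible else current_mtu

def sample_message(mtu: int) -> bytes:
    """Constructed sample; addresses come from documentation ranges."""
    quoted_ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1C46, 0x4000, 64, 6, 0,
        ipaddress.ip_address("192.0.2.10").packed,
        ipaddress.ip_address("198.51.100.7").packed)
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted_ip + b"\x00" * 8

if __name__ == "__main__":
    print(update_path_mtu(1500, sample_message(1400), "198.51.100.7"))
```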
Issues:
• ICMP redirect messages can be used to trick routers and hosts acting as routers into using “false” routes; these false routes would aid in directing traffic to an attacker's system instead of a legitimate trusted system.
• This could in turn lead to an attacker gaining access to systems that normally would not permit connections to the attacker's system or network.
• Older versions of UNIX could drop all connections between two hosts even if only one connection was experiencing network problems.
Smurf DoS Attack

[Figure: DoS Source, gateway, DoS Target. (1) ICMP Echo Req, Src: DoS Target, Dest: broadcast addr; (3) ICMP Echo Reply, Dest: DoS Target.]

• Send ping request to broadcast addr (ICMP Echo Req)
• Lots of responses:
  › Every host on target network generates a ping reply (ICMP Echo Reply) to victim
  › Ping reply stream can overload victim
• Disable IP-directed broadcasts at your leaf routers, to deny IP broadcast traffic onto your network from other networks (in particular from the Internet).
• A forged source is required for the attack to succeed. Routers must filter outgoing packets that contain source addresses not belonging to local subnetworks.
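
The two filtering rules above, modelled as the decision a leaf router makes per packet. This is an added Python example, not from the original slides; the subnets, addresses and traffic list are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed example: the subnets attached to this leaf router.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/25"),
              ipaddress.ip_network("192.0.2.128/25")]

def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def is_directed_broadcast(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in LOCAL_NETS)

def filter_packet(direction: str, src: str, dst: str) -> str:
    """Return 'forward' or 'drop:<reason>' for one packet at the leaf router."""
    # Rule 1: no directed broadcasts from other networks onto ours.
    if direction == "in" and not is_local(src) and is_directed_broadcast(dst):
        return "drop:directed-broadcast"
    # Rule 2: nothing leaves with a source address that is not ours.
    if direction == "out" and not is_local(src):
        return "drop:spoofed-source"
    return "forward"

SAMPLE_TRAFFIC = [  # constructed (direction, source, destination) tuples
    ("in", "203.0.113.5", "192.0.2.127"),     # ping to a subnet broadcast address
    ("in", "203.0.113.5", "192.0.2.20"),      # ordinary unicast ping
    ("out", "198.51.100.9", "203.0.113.80"),  # forged source leaving our network
    ("out", "192.0.2.20", "203.0.113.80"),    # legitimate outbound packet
]

def decisions() -> list:
    return [filter_packet(*pkt) for pkt in SAMPLE_TRAFFIC]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, decisions()):
        print(pkt, "->", verdict)
```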
• ICMP is an error reporting and network management system.
• ICMP provides vital feedback about IP routing and delivery problems.
• Although ICMP messages fall within various well-documented types, and behave as a separate protocol at the TCP/IP Network layer, ICMP is really part and parcel of IP itself, and its support is required in any standards-compliant IP implementation.
QUESTIONS?

1. Where is ICMP placed in the OSI model?
• Next to IP in the network layer

2. Can ICMP report errors in ICMP messages themselves?
• No.

3. What are the two most important applications of ICMP?
• PING
• TraceRoute

4. What are the two message classes in ICMP?
• Error messages
• Information messages

• http://www.ietf.org/rfc/rfc792.txt
• http://www.softpanorama.org/Net/Internet_layer/icmp.shtml
• http://www.cs.princeton.edu/~mef/research/napt/reports/usenix98/presentation/sld008.htm
• http://www.kbcafe.com/articles/HowTo.PING.pdf
• http://en.wikipedia.org/wiki/ICMP
• http://www.freesoft.org/CIE/Topics/81.htm
Thank You
