Under normal circumstances, IP packets should be able to reach their destination without incident. For a variety of reasons, this may not be the case, however. The ICMP Destination Unreachable (Type 3) error message header provides 16 different submessage categories (codes) to describe the various error conditions. The focus here is on four particularly useful Destination Unreachable error messages:
• ICMP Destination Unreachable, Network Unreachable (Type 3, Code 0): When a router cannot forward a packet because it has no routes at all (including no default route) to the destination specified in the packet, then the router may generate this ICMP message back to the host.
• ICMP Destination Unreachable, Host Unreachable (Type 3, Code 1): When a router cannot forward a packet to a host on a network that is directly connected to the router (in other words, the router is the last-hop router) and the router has ascertained that there is no path to the destination host, then the router must generate this ICMP message. In this scenario, the destination network exists, but the destination host within the network does not. If, for example, the last-hop router cannot resolve the MAC address for the destination address via ARP, it considers the host unreachable.
• ICMP Destination Unreachable, Port Unreachable (Type 3, Code 3): When a packet is received by the destination host and the indicated destination transport protocol (for example, UDP) is unable to associate the packet to a local port number, then the host should generate this ICMP message. In this scenario, the destination host may not be configured for servicing the specified protocol port number (for example, HTTP).
• ICMP Destination Unreachable, Communication Administratively Prohibited (Type 3, Code 13): When a router cannot forward a packet because a security policy (for example, an access list) has been applied that denies the packet from being forwarded, the router should generate this ICMP message.
The ICMP Destination Unreachable header consists of three fields, plus a Data field, as shown in Figure B-8. The ICMP Destination Unreachable header fields shown in Figure B-8 are listed and described in Table B-8, along with a brief description of the security implications relevant to each header field.
1. Mogul, J., and S. Deering. Path MTU Discovery. RFC 1191. IETF, Nov. 1990. http://www.ietf.org/rfc/rfc1191.txt.
2. Gont, F. “ICMP Attacks Against TCP.” http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html.
3. “Vulnerability Issues in ICMP Packets with TCP Payloads.” NISCC Vulnerability Advisory 532967/NISCC/ICMP. http://www.cpni.gov.uk/docs/re-20050412-00303.pdf?lang=en.
4. “Crafted ICMP Messages Can Cause Denial of Service.” (Doc. ID: 64520.) Cisco Security Advisory. http://www.cisco.com/en/US/products/products_security_advisory09186a0080436587.shtml.
Figure B-8 ICMP Header—Destination Unreachable Error Messages
[Figure B-8 layout: bits 0–7 Type = 3; bits 8–15 Code = 0, 1, 3, or 13; bits 16–31 Checksum; bits 32–63 Unused (0); bits 64+ ICMP Payload, up to 68 bytes: offending packet’s IP header + options (20 to 60 bytes) plus first 64 bits (8 bytes) of offending packet’s data. The four messages shown are ICMP Type 3 Code 0 (Destination Unreachable, Network Unreachable), Type 3 Code 1 (Destination Unreachable, Host Unreachable), Type 3 Code 3 (Destination Unreachable, Port Unreachable), and Type 3 Code 13 (Destination Unreachable, Communication Administratively Prohibited).]
Table B-8 ICMP Destination Unreachable Error Message Header Fields and Their Security Implications
Bit Offset: 0–7 (8 bits)
Header Field: Type
Header Value and Description: This field indicates the ICMP message type being carried by the ICMP payload. The ICMP Destination Unreachable error message has a type value of 3. (See Table B-4 for a full list of message types.)
Security Implications: When correctly specified, there really are not any security issues with this field. If this packet is spoofed, this field must be correctly formed to specify an ICMP Destination Unreachable message. One potential issue that might arise could be when the value of this field indicates an unknown ICMP type. It is plausible that a poorly written network stack could have issues under such conditions.
Bit Offset: 8–15 (8 bits)
Header Field: Code
Header Value and Description: This field indicates, when appropriate for the ICMP message type, the particular code (or submessage type) to further specify the message being carried by the ICMP payload. The ICMP Destination Unreachable (Type 3) error message actually specifies 16 different types of submessages via 16 different codes (values of 0 through 15). The particular Destination Unreachable messages described here are: Code 0–Network Unreachable, Code 1–Host Unreachable, Code 3–Port Unreachable, and Code 13–Communication Administratively Prohibited. (See Table B-4 for a full list of submessage codes per message type.)
Security Implications: When correctly specified, there really are not any security issues with this field. If this packet is spoofed, this field must be correctly formed to specify an ICMP Destination Unreachable message. One potential issue that might arise could be when the value of this field indicates a code value other than 0 through 15 (which would be inappropriate for an ICMP Type 3 message). It is plausible that a poorly written network stack could have issues under such conditions.
Bit Offset: 16–31 (16 bits)
Header Field: Checksum
Header Value and Description: This field contains a 16-bit one’s complement of the one’s complement sum of the ICMP message, starting with the ICMP Type field.
Security Implications: When correctly specified, there really are not any security issues with this field. If this packet is spoofed, this field must be correctly formed to specify an ICMP Destination Unreachable message. If this field is computed incorrectly, the packet is supposed to be silently dropped on ingress. It is plausible that a poorly written network stack could have issues under such conditions.
Bit Offset: 32–63 (32 bits)
Header Field: Unused
Header Value and Description: This field is unused by ICMP Destination Unreachable error messages and is required to be set to 0.
Security Implications: When correctly specified, there really are not any security issues with this field. If this packet is spoofed, this field must be correctly formed to specify an ICMP Destination Unreachable message. This field is required to be set to 0. If this field is not set to 0, as required, it is plausible that a poorly written network stack could have issues under such conditions.
Bit Offset: 64+ (variable)
Header Field: ICMP Payload
Header Value and Description: This field includes a copy of the IP header (20 bytes plus IP options if they exist) and the first 64 bits of the offending packet’s data. This field is intended for use by the receiver to match the ICMP error message to the appropriate process that created the original, offending packet. For higher-level protocols that use port numbers (for example, TCP and UDP), the first 64 bits also include the source and destination ports of the offending packet. The minimum length of this field is 28 bytes (20 bytes for the offending packet IP header, plus 8 bytes [64 bits] of additional data from the offending packet).
Security Implications: In the legitimate case, this field includes a copy of the IP header (20 bytes plus IP options if they exist) and the first 64 bits of the offending packet’s data. Because ICMP error messages are unauthenticated, they are highly susceptible to spoofing. Ironically, even though routers and hosts must/should send these particular ICMP error messages, there are not many (if any) mechanisms on the receiver side to listen for or act upon them. Hence, ICMP Destination Unreachable error messages (with the exception of the previous Type 3, Code 4 case) are typically not spoofed with the one-packet, one-kill mentality. They are often spoofed for DoS attacks, however. ICMP error messages are also very useful for reconnaissance attacks. Numerous network mappers, security scanners, and vulnerability assessment tools rely on these particular ICMP message replies to extract information about topologies and the state of services and patches on network elements.[1]
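The receiver-side validation the table describes, as an added Python example that is not from the book: it verifies the checksum, Type, Code range and Unused field before trusting the message, then recovers the offending flow (addresses and ports) from the embedded IP header and first 64 bits of data. The sample message is constructed inline; names such as parse_dest_unreachable are this example's own.

```python
import struct
from dataclasses import dataclass

CODE_NAMES = {0: "Network Unreachable", 1: "Host Unreachable",
              3: "Port Unreachable", 13: "Communication Administratively Prohibited"}

def icmp_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit words, from the Type field on."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

@dataclass
class DestUnreachable:
    code: int
    orig_src: str
    orig_dst: str
    orig_proto: int
    orig_sport: int
    orig_dport: int

def parse_dest_unreachable(msg: bytes):
    """Return the offending flow from a well-formed Type 3 message, or None when a stack should drop it."""
    if len(msg) < 8 + 28:            # 8-byte ICMP header + 20-byte IP header + 64 bits of data
        return None
    if icmp_checksum(msg) != 0:      # a correct checksum verifies to zero over the whole message
        return None
    icmp_type, code, _csum, unused = struct.unpack("!BBHI", msg[:8])
    if icmp_type != 3 or code > 15 or unused != 0:
        return None
    ip = msg[8:]
    ihl = (ip[0] & 0x0F) * 4         # embedded IP header length: 20 to 60 bytes with options
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])  # first 64 bits hold TCP/UDP ports
    return DestUnreachable(code, src, dst, ip[9], sport, dport)

def build_sample() -> bytes:
    """Constructed sample: Port Unreachable for a UDP probe 192.0.2.10:40000 -> 198.51.100.5:33434."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    udp8 = struct.pack("!HHHH", 40000, 33434, 16, 0)   # the UDP header is the 8 bytes of data
    body = struct.pack("!BBHI", 3, 3, 0, 0) + ip_hdr + udp8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
```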
Overall Security for ICMP Destination Unreachable Error Messages
Reconnaissance attacks: Numerous network assessment tools take advantage of various ICMP Destination Unreachable messages to accomplish their goals.
Traceroute is an excellent example of one of the first applications that was built to take advantage of the behavior and interrelationship between UDP and ICMP. UDP does not have an error-signaling mechanism of its own (in the way TCP does with its flags and sequence numbers), and so applications using UDP for transport can monitor for any ICMP error messages that may be related to their packets. Traceroute (the original, *nix version) sends UDP packets toward the destination, incrementing the TTL value and UDP destination port value by 1 each time. These packets are constructed using very high UDP destination port numbers, typically above 33,434.
The intermediate routers drop the TTL-expiring packets and respond with ICMP Time to Live Exceeded in Transit (Type 11, Code 0) error messages. Traceroute matches the UDP destination port number contained in the Data field of the ICMP TTL Exceeded messages to reliably match the ICMP error messages with the individual UDP probes. The very last probe that is sent has sufficient TTL to finally reach the destination IP address, and in this case, the host responds with an ICMP Destination Unreachable, Port Unreachable (Type 3, Code 3) error message. It is in this way that traceroute knows it has reached the final destination.[2] (Windows uses ICMP Echo Request messages in its tool called tracert instead of UDP probes as used in the traditional *nix tool called traceroute.)
Nmap is an excellent example of a network exploration/security auditing tool that can use UDP scans to identify active UDP-based services on target platforms.[3] Nmap sends UDP probes toward the destination (target) when the -sU option is selected. If the host responds with an ICMP Destination Unreachable, Port Unreachable (Type 3, Code 3) error message, it is certain that the port is closed. However, if the host does not respond, the UDP port is assumed to be open or filtered. (Obviously, if data is returned, the port is open.)
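As an added example, not from the book or from either tool, this Python classifies UDP probe patterns that a defender can rebuild from the IP header and ports embedded in the resulting ICMP Type 11 and Type 3, Code 3 replies: lockstep TTL/port increments starting at 33434 mark a *nix-style traceroute, while many distinct ports at one fixed TTL mark a UDP scan. The probe records are constructed, and the scan threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed UDP probe records, (src, dst, ttl, dport), in arrival order, as a
# defender would rebuild them from the payloads of the ICMP error replies they drew.
PROBES = [
    ("192.0.2.10", "198.51.100.5", 1, 33434),   # traceroute: TTL and port step by 1
    ("192.0.2.10", "198.51.100.5", 2, 33435),
    ("192.0.2.10", "198.51.100.5", 3, 33436),
    ("192.0.2.10", "198.51.100.5", 4, 33437),
    ("203.0.113.7", "198.51.100.5", 64, 53),    # UDP scan: fixed TTL, many unrelated ports
    ("203.0.113.7", "198.51.100.5", 64, 69),
    ("203.0.113.7", "198.51.100.5", 64, 123),
    ("203.0.113.7", "198.51.100.5", 64, 161),
    ("203.0.113.7", "198.51.100.5", 64, 500),
    ("203.0.113.7", "198.51.100.5", 64, 1900),
    ("198.51.100.9", "198.51.100.5", 64, 53),   # ordinary DNS client: a single port
]

TRACEROUTE_BASE_PORT = 33434   # first destination port used by the original *nix traceroute

def classify_probes(probes, scan_threshold=5):
    """Label each (src, dst) pair 'traceroute', 'udp-scan' or 'benign' from its probe pattern.
    scan_threshold (distinct ports at one TTL) is an assumed tuning value, not a standard."""
    by_pair = defaultdict(list)
    for src, dst, ttl, dport in probes:
        by_pair[(src, dst)].append((ttl, dport))
    verdicts = {}
    for pair, seq in by_pair.items():
        ttls = [t for t, _ in seq]
        ports = [p for _, p in seq]
        # traceroute as described above: TTL and destination port both advance by 1 per probe
        lockstep = all(ttls[i + 1] - ttls[i] == 1 and ports[i + 1] - ports[i] == 1
                       for i in range(len(seq) - 1))
        if len(seq) >= 2 and lockstep and ports[0] >= TRACEROUTE_BASE_PORT:
            verdicts[pair] = "traceroute"
        elif len(set(ports)) >= scan_threshold and len(set(ttls)) == 1:
            verdicts[pair] = "udp-scan"
        else:
            verdicts[pair] = "benign"
    return verdicts
```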
Ethernet/802.1Q Header
As outlined in Chapter 2, a wide variety of network attacks are accomplished by manipulating and spoofing the header fields within Layer 2 Ethernet frames. While there are several different variants, the two most common are the IEEE 802.3 Ethernet Frame, and the IEEE 802.1Q VLAN Frame. This section reviews these different Ethernet frame formats, their header fields, and associated security implications.