Essential Network Security Support: The TCP/IP protocol stack includes Internet Control Message Protocol (ICMP) designed as a troubleshooting tool that can provide feedback to network devices either for status information or when problems such as network routing failures occur. ICMP has also been used as a cyber-attack reconnaissance tool facilitating mapping of target networks, Denial of Service attacks, and covert channels for remote unauthorized network access. Unfortunately, blocking all ICMP packets on a network is not recommended because certain network functionality cannot operate properly without ICMP. However, proper ICMP filtering can ensure both security and functionality.
Essential Network Security Support
ICMP type 8 Echo and Echo Reply is probably the most commonly used and familiar type of ICMP. Type 8 ICMP packets provide network feedback to determine whether or not hosts are active on a network. However, Type 8 ICMP can also be used to map a network and determine which hosts are available for attack. In addition, Type 8 ICMP Denial of Service attacks (DoS) are possible by flooding a network with ICMP echo requests until the target servers and/or network connections fail. For this reason block all incoming ICMP requests to private networks, while allowing outbound initiated requests (for troubleshooting) and ICMP echo requests within the private network.
Routers send ICMP Type 5 Redirect messages when other routers on the same network have a better network path for packets received. However, ICMP Redirect messages are also leveraged by cyber criminals to maliciously subvert routing tables and enable IP address spoofing issues. Since networks require ICMP Redirect messages, for increased security configure all networks to send ICMP Redirect messages and deny receipt of these messages from unknown networks.
ICMP Type 9 Router Advertisement packets enable hosts on the local network to only find routers on the local network. Since these packets could be used for a DoS attack by flooding the network, block all inbound and outbound ICMP Type 9 messages.
ICMP Type 13 Timestamp Request messages determine the local time on a host or remote network. Unfortunately, ICMP Type 13 packets can also be used as an alternative to Type 8 packets as a hacker reconnaissance and mapping tool. Since ICMP Type 13 messages provide only non-essential informational services, block this type of ICMP message on both egress and ingress points to private networks.
ICMP Type 17 Address Mask Request and Reply messages enable network hosts to find the network mask of another host or interface. However, these messages are not necessary for network functionality and attackers use them to map network. Since ICMP Type 17 messages are informational and not necessary, block them at both egress and ingress points on private networks.
Contact us to assess your organization’s security posture, learn more about essential network security support and secure your network from ICMP vulnerabilities.