News

Securing the OSI Stack - Layer 3

Michael Gregg

Layer 3 of the OSI model is the network layer. While the data link layer provides node-to-node communication, the network layer provides routing and is the home of routable protocols; the best known is Internet protocol (IP). There are other services at the network layer, such as Internet Control Message Protocol (ICMP), which is the focus of this article.

ICMP was designed to act as a messenger for logical errors and diagnostics. It is addressed in detail in RFC 792. Any IP network device has the capability to send, receive, or process ICMP messages. The designers of ICMP never considered the security issues we must deal with today, but they did set some ground rules for ICMP to work efficiently.

To make sure that ICMP messages wouldn't flood an IP network, ICMP is not given any special priority and is always treated as normal traffic.

ICMP messages cannot be sent in response to other ICMP messages. This design mechanism was intended to prevent situations where one error message creates another, and another, and another. That would be a real problem!

ICMP was not designed to be sent in response to multicast or broadcast traffic.

With some of the ground rules of ICMP out of the way, let's turn our attention to the format of the ICMP header. ICMP is designed so that the header contains a type and code field. Common ICMP types include the following:

 0 Echo Reply (Ping) 3 Destination Unreachable 4 Source Quench 5 Redirect Message

Requires Free Membership to View

6 Alternate Host Address 8 Echo Request (Ping) 9 Router Advertisement 10 Router Solicitation 11 Time Exceeded

Together, the type and code fields can be used to determine the reason for the ICMP message. As an example, a type 3 is a destination unreachable. There are 16 unique codes for type 3 messages. The code identifies the specific reason why the destination is unreachable; this could include a problem with the network (a code 0), a router blocking the packet (a code 13), or even that the application is not running on the destination computer (a code 3). The most common ICMP message type is an 8/0, which is an echo request/reply (ping).

There are many network tools built around ICMP. Traceroute is an example of this. Traceroute works by sending sequentially numbered IP TTL packets while looking for ICMP TTL exceeded messages returned. By its very design, you can see that ICMP can be a very useful network tool. Unfortunately, it is also one of the most used and abused protocols. Now, let's look at some of the ways ICMP is misused.

Abuse of ICMP

Earlier, I described ping as a basic connectivity tool. It's widely used by hackers to verify connectivity before an attack. You cannot attack a system that isn't up and running -- and ping provides a perfect way to check that a system is alive. This has become so much of a problem that many networks now block incoming initiated pings. Although this is a good start, it does not completely eliminate the problem. An example of this can be seen in the covert tool Loki.

Released in 1996 in the underground magazine Phrak, Loki was a proof-of-concept tool. If installed on an internal computer, Loki can use ICMP to phone home to the hacker outside of the network. The administrator sees only outbound initiated ping traffic, but the attacker has in reality set up a covert channel. The ICMP protocol is being used for messaging. Blocking both inbound and outbound ICMP at the firewall will eliminate this problem.

Another ICMP-related problem is the potential of its use in a denial of Service (DoS) attack. An example of this can be seen in Smurf. Smurf uses ping packets to abuse ICMP. It sends malformed ICMP packets. It alters the destination address so that the packet is sent to the broadcast address of a network node. The source address has been altered to be pointed to the victim of the attack. On a large network, many systems will reply to this broadcast ping. The attack results in the victim being flooded with a stream of ping responses so that legitimate access is blocked. A similar type of attack was launched against core DNS servers in 2002. Administrators can prevent their networks from being used to bounce Smurf traffic by adding the following command in their Cisco routers:

 no ip directed-broadcast.

ICMP can also be used to aid in port scanning and in OS identification. This is also called fingerprinting. It's a required step of the attack process. After all, an attacker cannot target a system successfully without knowing what it's running. As an example, the attacker may have an exploit against Windows XP, yet this exploit would be worthless against a Windows 2003 system. Fingerprinting is used to identify the OS. When fingerprinting is attempted, the attacker will use a scanning tool to send a series of normal, unusual and then malformed ICMP queries to the targeted system. The scanning tool then observes the responses and compares them to a database.

ICMP was designed for a more trusting world. With all of the functionality ICMP was designed to provide, it would be nice if it could pass freely in and out of the network. This is not the case, however. If your goal is to make the network more secure, ICMP needs to be blocked and disabled at key network access points as much as possible. Your choice will be to drop or reject traffic. The decision is yours. From a security perspective, dropping packets gives away less information and makes it harder for an attacker to gather information. Rejecting packets allows services to know that something has failed and time out quickly, yet leaves the network more vulnerable. With these facts in mind, it is the author's opinion that dropping ICMP is the preferred option.

About the author: Michael Gregg has been involved in IT and network security for more than 15 years. He is the founder and CTO of Superior Solutions Inc., a risk-assessment and security consulting firm. He has developed high-level security classes and written six books; the most recent is Hack the Stack: The Eight Layers of an Insecure Network.