A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
Security is a problem that we can never ignore, especially network security, which is not easy to control. Let's talk about ICMP protocol security in detail, I hope you can refer to some of the content in this article.
1. Security importance of ICMP
The characteristics of the ICMP protocol determine that it is very easy to be used to attack routers and hosts on the network. For example, the maximum size of ICMP data packets specified by the operating system cannot exceed 64 KB, launch the "Ping of Death" Death Ping attack to the host. the principle of Ping of Death attack is: if the size of ICMP data packets exceeds 64 KB, the host will encounter a memory allocation error, resulting in a TCP/IP stack crash, causing the host to crash. in addition, sending ICMP packets to the target host for a long, continuous, and massive time also paralyzes the system. A large number of ICMP data packets will form an "ICMP Storm", so that the target host consumes a lot of CPU resources for processing and is exhausted.
Ping of Death attacks can be prevented in two ways: the first method is to limit the bandwidth of ICMP packets on the vro, control the bandwidth occupied by ICMP within a certain range. In this way, even if an ICMP attack occurs, the bandwidth occupied by ICMP attacks is very limited, with little impact on the entire network; the second method is to set ICMP packet processing rules on the host, preferably to reject all ICMP packets. there are two ways to set ICMP packet processing rules: one is to set packet filtering on the operating system, and the other is to install a firewall on the host.
2. under which circumstances can ICMP messages be sent?
The IP network is unreliable and cannot guarantee information transmission. Therefore, it is important to notify the sender when a problem occurs. ICMP is a mechanism for providing network fault problem feedback information to prevent packet transmission. it enables upper-layer protocols such as TCP to realize that data packets are not delivered to the destination. ICMP provides a method to identify catastrophic problems. these catastrophic problems include TTL exceeded and more data segments. ICMP does not report IP verification failures and other common problems. this is because we assume that TCP or other reliable protocols can handle such packet corruption issues. moreover, if we use unreliable protocols such as UDP, we should ignore a small amount of data loss. in short, the purpose of the ICMP protocol is to return useful descriptive error information when a network problem occurs, rather than making the IP protocol absolutely reliable.
Otherwise, you need to report network problems immediately. for example, if the ip ttl value (IP survival time) is zero, a routing loop may occur in some part of the network, so that no data packet can be sent to the destination. the endpoint system needs to understand these types of faults. ICMP is a protocol for sending various messages to report the network status, rather than simply a simple ping (connectivity test program ). response request (echo request) is only one of the many messages provided by ICMP. ping information can be filtered out. however, most ICMP messages are required for the normal operation of IP, TCP, and other protocols. never believe that the ICMP protocol is evil and simply blocks it.
To avoid unlimited return of information, ICMP messages for ICMP messages are not generated and sent, and ICMP messages are sent only when the datagram offset is 0. ICMP messages are sent in the following situations:
1. When the datagram cannot reach the destination
2. When the gateway loses the caching and data packet forwarding Functions
3. When the gateway discovers and directs the host to send data reports on shorter routes
3. ICMP protocol
The ICMP protocol itself is very complicated. each type of ICMP message is also called "Main type major type)" has its own "subtype encoding minor codes )". the ICMP protocol operates at Layer 3rd, so it can be routed over the Internet. an ICMP packet is actually an IP packet that contains ICMP data. each ICMP message contains the full IP packet header of the packet that initiates the ICMP message. In this way, the endpoint system will know which data packet is not actually sent to the destination. in addition, the first eight bytes of the packet that triggers the ICMP message will also be included, which is usually a TCP or UDP packet header.
Simply put, an ICMP message contains three fields that will never change, followed by ICMP data, followed by the Source IP packet header that triggers the message. among the three fields that will not change, the first eight bytes contain the ICMP type (primary type), the second field contains the type code, and the third field is the ICMP Message check value.
We need to realize that the ICMP protocol will not send error messages in some cases. ICMP does not respond to ICMP information. if ICMP responds to other ICMP messages, the number of these messages will surge and evolve into an ICMP message storm. to prevent a broadcast storm, ICMP messages do not respond to a broadcast or multicast address.
The most useful ICMP packet type "Destination inaccessible" Type 3) messages. the error message is generally generated by the router and sent to the data packet source. most error messages will also be sent to the application related to the sent packets. in this case, ICMP is widely used in TCP. we will soon see this situation later.
The most common types of ICMP messages in IPv4 are as follows:
Echo response (Type 0) and echo request (Type 8): This is the message sent by the Ping program.
Inaccessible target (Type 3)
Source suppression (Type 4): This is an ICMP message that notifies the sender router or host of blocking. The sender needs to reduce the sending speed.
Redirection (type 5): this message is used to say "please use another vro" to the host that can access two vrouters ".
Router Information Response (type 9) and Router Information Request (type 10)
Timeout (Type 11): This message has two purposes. first, an error message is sent to the sending system when the IP lifetime is exceeded. second, if the segment IP datagram is not re-combined within a certain period of time, the message will be notified to the sending system.
Of course, all the above types of messages contain child-type code. type 3 message "inaccessible target" itself has 15 sub-types of code. we will not provide details about each item. however, there is a very important application in the ICMP protocol that relies on messages of Type 3.
The path maximum transmission unit (PMTU) is a mechanism used by various protocols to find the maximum MTU (maximum transmission unit) supported in the entire path. Data smaller than this limit can be segmented. the sender sets the maximum packet specification on the local interface, and then uses the DF (do not segment) flag in the IP packet header to send the packet. if there is a problem, the sender will receive the third type of ICMP error message. Its subtype code is "requires segmentation, but DF flag has been set ". in this case, the sender knows that it must reduce the specification of the sent data. if no error message is returned, the MTU settings are correct.
When PMTU is searched, the main problem is that ICMP is often blocked to prevent the error message from being transmitted to the host sending data. this often happens when you try to connect to a remote site. if you send a request to a Web server, a blank page appears continuously. this is often seen in virtual private network connections, because some virtual private network encapsulates additional file headers, their MTU is smaller than the normal capacity. when a remote Web server sends the required content to a virtual private network user, if the data packet is too large, the last route hop Number of the user needs to be segmented. if the sender sets the DF flag, all it can do is to notify the sender that a small packet must be sent. however, the sender blocks the ICMP protocol, so the website will never see this ICMP message. however, the good news is that most TCP protocol execution is intelligent. if they never get the permission to send data, they will send data themselves in smaller segments. however, if you use some popular and convenient operating systems, this mechanism is not implemented.
In short, blocking the ICMP protocol is harmful to the successful running of the network. This will not only damage the ping, but in fact, if the ICMP protocol does not work, many protocols will not be fully functional.
Finding the maximum transmission unit in the path enables packets with the correct specification to be transmitted over the chain of various packet capacities. ICMP is very important for proper routing and packet transmission. You can only block the messages you don't need.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service