ICMP attack and Prevention

There are three main types of network attacks by using ICMP Packets: Death Ping, ICMP DoS attacks, and redirection-based route spoofing. I. Death Ping 1.1 attack principle-limits the length of Ethernet packets, ultra-large packet networks adopt multipart transmission. The first part after a packet is split only contains the length of each part. The receiving end reassembles the received part message. The total size of the packet after the packet is split is greater than that of the packet before the fragment. ipprotocol-defined ippacket maximum Size · most processing programs assume that the packet size does not exceed the maximum size · memory block occupied by ultra-large message reorganization is larger than the maximum size of the IP packet · buffer overflow caused by the reorganization process, the system enters a non-stable state. This causes the TCP/IP stack to crash. 1.2 the defense module adds the latest patches to the OS (generally, the Ping vulnerability version that resolves D death. 2. ICMP DoS attacks can be divided into bandwidth DoS and connection DoS based on different attack methods. 2.1 principles of bandwidth-based DoS 2.1.1 attacks-ICMP echo reply indicates that stationery has a high forwarding priority-attackers send a large number of source IP addresses to the attacked host for forgery (nonexistent) ICMP echo request message of the attacker. The host cannot reply to the attacker (echo reply). The bandwidth of the attacker is occupied, failure to respond to normal services this attack method requires that the attack host's processing capability and bandwidth should be greater than the attacked host, otherwise it will be DoS. In addition, a DDoS attack (Smurf attack) can be initiated based on this attack. The specific steps are as follows: 1. the attacker broadcasts the echo request packet to the "amplified network. the attacker specified the source IP address of the broadcast packet as the attacked host. "enlarge the network" and reply echo reply to the attacked host. 4. to form a DDoS attack scenario, here the "Enlarge network" can be understood as a network with many hosts. The operating system of these hosts must support the response of some ICMP request packets whose destination address is the broadcast address. 2.1.2 defense methods for ICMP DoS attacks with bandwidth, you can set an ICMP speed limit or use a firewall to filter illegal ICMP packets. 2.2 connection-related ICMP DoS attacks can terminate existing network connections. DoS attacks against network connections affect all IP devices because they use valid ICMP messages. Nuke terminates a valid network connection by sending a forged ICMP Destination Unreachable or Redirect Message. More malicious attacks, such as puke and smack, will send a large number of packets to a port within a certain range, destroy a large number of network connections, and consume the CPU clock cycle of the affected host. 2.3 ICMP redirection-based route spoofing technology allows attackers to use ICMP redirection packets to destroy the routes and enhance their listening capabilities. Except the router, the host must obey ICMP redirection. If one machine wants another machine in the network to send an ICMP redirection message, this may cause another machine to have an invalid route table. If a machine is disguised as a router that intercepts all IP data packets from some target network or all target networks, then eavesdropping is formed. The ICMP technology can also be used to attack and eavesdrop machines after the firewall. Note: There is no practical application of the redirection route spoofing technology.