
For security reasons, many organizations do not allow error reply messages to leave their internal Internets. How, specifically, could hackers use information in echo reply messages to learn about the firm's internal hosts? Does the same thing apply to ping requests?

user20998 (edited by TildalWave)
    Is this a question about networking in general and ICMP messages in particular? Should the scope of the question include TCP RST packets? (and appropriate tagging) Also, should your first sentence read "echo reply" rather than "error reply"? I created a suggested edit for your approval. – Ladadadada Feb 21 '13 at 08:50
  • ICMP messages in particular. The question is why error replies are not displayed and what hackers can extract from these messages. – user20998 Feb 21 '13 at 09:10

1 Answer

ICMP was designed to help determine characteristics of the network. PING is an application of ICMP.

ICMP has two modes of operation:

  • Query the network by requesting packets and interpreting the answer
  • Report non-transient error conditions through error messages

The errors are produced in special conditions such as:

  • Network is unreachable: this would help map the network.
  • Host is unreachable: would show what hosts are online
  • Protocol unreachable: shows what protocols are supported
  • Port unreachable: some servers would indicate through this error message that no process is listening on that port
  • The datagram is too big: would show what technology is used in the network.
  • And many others; for example, to differentiate between the Linux kernel and that of a networking device, the ICMP error quoting size fingerprinting method can be used.

By using ICMP messages and errors it is possible to gather substantial information about the network:

  • Host Detection
  • Network Topology
  • ACL Detection
  • Packet Filter Detection
  • OS Fingerprinting

ICMP error messages are not typically involved in directly attacking the network but would greatly help an attacker understand more about the network and know how and where to attack. Therefore this information should not leave the network because it should not be available to people outside the network.

Cristian Dobre
  • +1 Pretty good overview. ICMP messages could be used for reconnaissance and could allow an attacker to gain knowledge of network topology, ACLs, packet filters, hosts, OS,... information you normally wouldn't want in the wrong hands. A more detailed description can be found in the [SANS' Intrusion Detection FAQ: How can attacker use ICMP for reconnaissance?](http://www.sans.org/security-resources/idfaq/icmp_misuse.php). Cheers! – TildalWave Feb 21 '13 at 09:28
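Added example (not part of the original question or answer): a small Python parser that reads an ICMP Destination Unreachable message and spells out what a listener outside the network learns from it, covering the error classes listed in the answer (network/host/protocol/port unreachable, fragmentation needed) and the error quoting size fingerprint it mentions. All packets are constructed in the script (TEST-NET addresses, port 33434 as a traceroute-style UDP probe); the "8 quoted bytes means router, full datagram means Linux-like host" rule is a heuristic based on RFC 792's minimum versus stacks that quote the whole original datagram, not a definitive fingerprint.

```python
import struct

ICMP_DEST_UNREACH = 3  # ICMP type 3; codes below per RFC 792 / RFC 1191

# code -> (name, what an attacker infers from receiving it)
UNREACH_CODES = {
    0: ("network unreachable", "the router has no route to that prefix: maps the topology"),
    1: ("host unreachable", "the subnet exists but that address is not up: enumerates live hosts"),
    2: ("protocol unreachable", "host is up but does not speak that IP protocol: protocol inventory"),
    3: ("port unreachable", "host is up and nothing listens on that UDP/TCP port: port inventory"),
    4: ("fragmentation needed", "reveals the path MTU and therefore the link technology"),
}


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 datagram (20-byte header, no options) for the constructed probe."""
    aton = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0, aton(src), aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header with checksum 0 (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_error(code, quoted, mtu=0):
    """ICMP type 3 message quoting `quoted` bytes of the offending datagram; `mtu` only for code 4."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def analyze_icmp_error(icmp):
    """Parse a Destination Unreachable message and return what it discloses."""
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message (type %d)" % itype)
    quoted = icmp[8:]
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _hcs, src, dst = struct.unpack("!BBHHHBBH4s4s", quoted[:20])
    ihl = (ver_ihl & 0x0F) * 4
    l4 = quoted[ihl:]
    # TCP (6) and UDP (17) both carry the destination port in bytes 2..4 of the L4 header
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
    # Error quoting size fingerprint (heuristic): RFC 792 requires only IP header + 8 bytes,
    # which is what many routers send; host stacks such as Linux quote the whole original
    # datagram (up to a 576-byte total), so a longer quote points at a host rather than a router.
    quoted_l4 = len(quoted) - ihl
    if quoted_l4 == 8:
        quoting = "RFC 792 minimum (IP header + 8 bytes): typical of routers"
    elif quoted_l4 > 8:
        quoting = "more than 8 bytes: host stack quoting the full datagram, e.g. Linux"
    else:
        quoting = "truncated quote"
    name, meaning = UNREACH_CODES.get(code, ("unknown code", "no inference"))
    return {
        "code": code, "code_name": name, "tells_attacker": meaning,
        "original_src": ".".join(map(str, src)), "original_dst": ".".join(map(str, dst)),
        "proto": proto, "dst_port": dport, "quoted_len": len(quoted), "quoting": quoting,
        "mtu": mtu if code == 4 else None,
    }


# Constructed sample traffic: an outside host probes an internal address with UDP (traceroute-style).
PROBE = build_ipv4("203.0.113.5", "198.51.100.20", 17, build_udp(40000, 33434, b"probe" * 8))
LINUX_REPLY = build_icmp_error(3, PROBE)                 # Linux-like host: quotes the whole datagram
ROUTER_REPLY = build_icmp_error(1, PROBE[:28])           # router: quotes IP header + 8 bytes only
PMTU_REPLY = build_icmp_error(4, PROBE[:28], mtu=1400)   # fragmentation needed, next-hop MTU 1400

if __name__ == "__main__":
    for label, msg in (("linux", LINUX_REPLY), ("router", ROUTER_REPLY), ("pmtu", PMTU_REPLY)):
        print(label, analyze_icmp_error(msg))
```

Each reply leaks something the answer lists: the port unreachable confirms a live host and an unused port, the host unreachable confirms the subnet is routed but the address is dead, the fragmentation needed message gives away the path MTU, and the length of the quoted datagram separates a host stack from a router. Dropping outbound type 3 messages at the border (or rate limiting them, as many stacks already do) is what removes this signal; the parser also rejects a message with a bad checksum rather than trusting it.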