4 Non-TCP protocols

Some networking protocols, such as ICMP (Internet Control Message Protocol), run directly on top of IP rather than on TCP or UDP. They have no port numbers, so they do not show up in a port scan or in the listening-socket listing of netstat (or ss). They are not invisible, though: nmap's host discovery uses ICMP echo requests, and netstat -s reports ICMP counters.

ICMP serves several purposes. ping uses the ICMP "echo request" and "echo reply" messages to check whether a host is reachable. traceroute uses ICMP to discover every router between one node and another: it sends probes with the TTL (time to live) field set to 1, 2, 3, ... in turn. Each router decrements the TTL; the router that decrements it to zero discards the probe and returns an ICMP "time exceeded" message, which reveals that router's address. The final hop is recognised by a different reply: Linux traceroute sends UDP probes to high-numbered ports by default, so the destination answers with "destination unreachable" (port unreachable); with traceroute -I the probes are ICMP echo requests and the destination answers with an echo reply.

Although ICMP is useful, it also exposes a system. A successful ping reply confirms to a would-be attacker that an IP address is live. Without that confirmation, an automated scanner may skip the address altogether, because a full port scan of one address takes significantly more time than a single echo request.

Furthermore, ICMP makes certain attacks possible. A Smurf attack, for example, sends ICMP echo requests to a network's broadcast address with the source address forged to be the victim's; every host that answers the broadcast then floods the victim with echo replies.
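To make the mechanics above concrete, here is an added example (not part of the original module) that builds real ICMP and IPv4 byte layouts with the RFC 1071 checksum and then replays, in memory, how a TTL-limited UDP probe is answered along a constructed path of routers. The addresses, the `forward` and `simulate_traceroute` helpers and the three-hop path are all made up for illustration; nothing touches a socket, so it runs without root or network access.

```python
"""ICMP on the wire, and why traceroute gets one reply per TTL value."""
import struct
from ipaddress import IPv4Address

# ICMP types and codes used here (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PORT_UNREACH = 3   # code of DEST_UNREACH returned for a closed UDP port
TTL_EXPIRED = 0    # code of TIME_EXCEEDED when the TTL hits zero in transit


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_message(mtype, code, rest=b"\x00" * 4, payload=b""):
    """Serialise type, code, checksum, 4-byte 'rest of header', payload."""
    body = struct.pack("!BBH", mtype, code, 0) + rest + payload
    return struct.pack("!BBH", mtype, code, checksum(body)) + rest + payload


def echo_request(ident, seq, payload=b"ping"):
    """What ping sends: identifier and sequence number fill the rest-of-header."""
    return icmp_message(ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(packet):
    """Return (type, code, rest_of_header, payload); raise on a bad checksum."""
    if len(packet) < 8 or checksum(bytes(packet)) != 0:
        raise ValueError("bad ICMP checksum")
    return packet[0], packet[1], packet[4:8], packet[8:]


def ipv4_udp_probe(src, dst, ttl, dport, sport=40000):
    """A traceroute-style probe: 20-byte IPv4 header + empty UDP datagram."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)          # UDP checksum 0 = none
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                      ttl, 17, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill in header checksum
    return hdr + udp


def forward(path, probe):
    """Deliver `probe` along `path` (routers..., destination) the way IP does.

    Every router decrements the TTL and, if it reaches zero, drops the packet
    and answers with Time Exceeded; the destination answers the closed UDP port
    with Destination Unreachable.  Both errors quote the offending IP header plus
    the first 8 bytes of its payload, which is how traceroute matches a reply to
    the probe that caused it.  Returns (replying_node, icmp_bytes).
    """
    ttl = probe[8]                                  # TTL is byte 8 of the IPv4 header
    for index, node in enumerate(path):
        if index < len(path) - 1:                   # a router
            ttl -= 1
            if ttl == 0:
                return node, icmp_message(TIME_EXCEEDED, TTL_EXPIRED, payload=probe[:28])
        else:                                       # the destination host
            return node, icmp_message(DEST_UNREACH, PORT_UNREACH, payload=probe[:28])


def simulate_traceroute(src, path, base_port=33434, max_hops=30):
    """Return [(ttl, node, icmp_type, icmp_code), ...] until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        dport = base_port + ttl - 1                 # Linux traceroute bumps the port per probe
        node, reply = forward(path, ipv4_udp_probe(src, path[-1], ttl, dport))
        mtype, code, _, quoted = parse_icmp(reply)
        quoted_dport = struct.unpack("!H", quoted[22:24])[0]   # UDP dst port inside the quote
        if quoted_dport != dport:
            continue                                # not a reply to our probe; ignore it
        hops.append((ttl, node, mtype, code))
        if mtype == DEST_UNREACH:
            break
    return hops


if __name__ == "__main__":
    # Constructed path: two routers, then the destination (RFC 5737 documentation addresses)
    for hop in simulate_traceroute("192.0.2.10", ["192.0.2.1", "198.51.100.1", "203.0.113.9"]):
        print(hop)
```

Running it prints one line per TTL: type 11 (time exceeded) from each router, then type 3 code 3 (port unreachable) from the destination, which is exactly the sequence a real traceroute interprets. Switching the destination's answer to ECHO_REPLY is what a `traceroute -I` run would see.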

To check a Linux machine for ping response, execute the following command:

ping localhost  
  

If the command responds with successful results, the machine is responding to ICMP ping messages. Successful results should look like the following:

PING localhost (127.0.0.1) 56(84) bytes of data.  
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.018 ms  
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.013 ms  
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.015 ms  
  

You can also check with the traceroute command:

traceroute localhost  
  

A successful result looks like the following:

traceroute to localhost (127.0.0.1), 30 hops max, 60 byte packets  
 1  localhost (127.0.0.1)  0.018 ms  0.005 ms  0.005 ms  
  

To stop a Linux machine from responding to ping requests, append these lines to /etc/sysctl.conf. The first setting, which is already the default on current kernels, stops replies to echo requests sent to a broadcast address (the behaviour a Smurf attack relies on); the second ignores every echo request:

net.ipv4.icmp_echo_ignore_broadcasts = 1  
net.ipv4.icmp_echo_ignore_all = 1  
  

Then, as root, execute the following command:

sysctl -p  
  

After this, check with the ping command again: the PING header line appears but no replies follow, because the kernel now ignores incoming echo requests. Pinging localhost fails too, since the request and the reply both pass through this kernel; pinging other hosts from this machine still works. Press control-C to stop the program; the summary shows 100% packet loss. Because the settings live in /etc/sysctl.conf, they are reapplied at boot. Note that sysctl -p reads only /etc/sysctl.conf; on distributions that keep settings in /etc/sysctl.d/, put the lines in a file there and run sysctl --system instead.

Stopping a machine from responding to traceroute takes more work and requires a proper iptables configuration, which is covered in another module. For the time being you can use the following rule (assuming eth0 is the network interface). It drops the outgoing ICMP "destination unreachable" messages with which the destination normally marks the final hop of a default (UDP) traceroute:

iptables -A OUTPUT -p ICMP -o eth0 --icmp-type destination-unreachable -j DROP  
  

This change, however, is not persistent: after the system reboots, it will respond to traceroute probes again. To keep it, save the rule set with iptables-save (for example into /etc/iptables/rules.v4 with the iptables-persistent package on Debian and Ubuntu) so that it is restored at boot. Three caveats apply. The rule is tied to eth0, so traceroute localhost, which uses the loopback interface, still succeeds; test from another host. The rule hides only the final hop of a UDP traceroute (ICMP probes sent with traceroute -I are already silenced by icmp_echo_ignore_all, but TCP probes sent with traceroute -T to an open port are still answered), and intermediate routers still reveal the path with their "time exceeded" messages. Finally, destination-unreachable is a whole family of messages: matching the type without a code also drops "fragmentation needed", which path MTU discovery depends on, so if this machine forwards traffic (for containers, VMs, a VPN or as a gateway) use the narrower --icmp-type port-unreachable instead.
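To check that the hardening in this module actually took effect, and to catch the overly broad iptables rule, here is an added example (not part of the original module) that parses the summary line of ping and the output of iptables-save. The sample outputs are constructed by hand for this example rather than captured from a real host, so the script runs offline; on a real machine feed it the output of `ping -c 3 <host>` and `iptables-save` instead. The helper names (`report`, `hides_udp_traceroute` and so on) are this example's own.

```python
"""Verify ICMP hardening from ping and iptables-save output."""
import re

# Constructed sample outputs (hand-written for this example, not captured from a host).
PING_BEFORE = """\
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.013 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.015 ms

--- localhost ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.013/0.015/0.018/0.002 ms
"""

PING_AFTER = """\
PING localhost (127.0.0.1) 56(84) bytes of data.

--- localhost ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2055ms
"""

# iptables-save writes ICMP types numerically: destination-unreachable is 3,
# port-unreachable is 3/3.  The broad form is the rule from this module.
IPTABLES_BROAD = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 3 -j DROP
COMMIT
"""
IPTABLES_NARROW = IPTABLES_BROAD.replace("--icmp-type 3 ", "--icmp-type 3/3 ")


def ping_counts(output):
    """(transmitted, received) from ping's statistics line (GNU or BSD wording)."""
    m = re.search(r"(\d+) packets transmitted, (\d+) (?:packets )?received", output)
    if m is None:
        raise ValueError("no ping statistics line found")
    return int(m.group(1)), int(m.group(2))


def responds_to_ping(output):
    return ping_counts(output)[1] > 0


def parse_rule(line):
    """Pick the fields we care about out of one '-A ...' line of iptables-save."""
    rule = {"chain": None, "out": None, "proto": None, "type": None, "code": None, "target": None}
    toks = line.split()
    for i, tok in enumerate(toks[:-1]):
        val = toks[i + 1]
        if tok == "-A":
            rule["chain"] = val
        elif tok == "-o":
            rule["out"] = val
        elif tok == "-p":
            rule["proto"] = val
        elif tok == "--icmp-type":
            t, _, c = val.partition("/")
            rule["type"], rule["code"] = int(t), (int(c) if c else None)
        elif tok == "-j":
            rule["target"] = val
    return rule


def icmp_drop_rules(save_output, chain="OUTPUT"):
    rules = (parse_rule(line) for line in save_output.splitlines() if line.startswith("-A "))
    return [r for r in rules if r["chain"] == chain and r["proto"] == "icmp" and r["target"] == "DROP"]


def hides_udp_traceroute(save_output, iface):
    """True if outgoing port-unreachable (type 3 code 3) is dropped on iface."""
    return any(r["out"] in (None, iface) and r["type"] == 3 and r["code"] in (None, 3)
               for r in icmp_drop_rules(save_output))


def breaks_pmtud(save_output, iface):
    """True if the rule is broad enough to also drop 'fragmentation needed' (type 3 code 4)."""
    return any(r["out"] in (None, iface) and r["type"] == 3 and r["code"] in (None, 4)
               for r in icmp_drop_rules(save_output))


def report(ping_output, save_output, iface="eth0"):
    return {
        "answers_ping": responds_to_ping(ping_output),
        "hides_udp_traceroute": hides_udp_traceroute(save_output, iface),
        "pmtud_at_risk": breaks_pmtud(save_output, iface),
    }


if __name__ == "__main__":
    print("before:", report(PING_BEFORE, "*filter\nCOMMIT\n"))
    print("broad: ", report(PING_AFTER, IPTABLES_BROAD))
    print("narrow:", report(PING_AFTER, IPTABLES_NARROW))
```

The "narrow" report is the state to aim for: ping unanswered, UDP traceroute's final hop hidden, and path MTU discovery left alone.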