INTERNET CONTROL AND MESSAGE PROTOCOL - VULNERABILITIES, ATTACKS & COUNTERMEASURES

RAMAN PAL (rp5g09@ecs.soton.ac.uk)
SCHOOL OF ELECTRONICS & COMPUTER SCIENCES, UNIVERSITY OF SOUTHAMPTON
ABSTRACT

The purpose of this literature search is to provide information about the vulnerabilities and attack mechanisms prevalent on the Internet for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks using the Internet Control Message Protocol (ICMP), and about how ICMP can simply be used for network scanning. DoS/DDoS attacks and network scanning are hacking techniques which exploit security loopholes and vulnerabilities in the protocol.

My literature search is an effort to summarize the research work carried out in this field and the countermeasures that have been proposed and taken to curb this scenario.

A detailed description of the vulnerabilities present, the attacks possible and the countermeasures suggested and taken is out of the scope of this literature search and will be presented in the Technical Report later on.

INTRODUCTION

In recent years, much notice and concern have been paid to securing the Internet infrastructure. Their general accessibility makes public networks subject to various network-based attacks.

Among the various DoS/DDoS attacks, the most easily constituted and highly destructive are the attacks that exploit ICMP [4]. ICMP is conventionally assigned two types of operation [5]:

• Reporting non-transient error conditions (ICMP Error Messages).
• Querying the network with request and reply (ICMP Query Messages).

IMPACTS OF DoS/DDoS ATTACKS

Denial of Service (DoS) and Distributed Denial of Service (DDoS) are among the most aggressive Internet security problems [1].

The monetary losses caused by DoS/DDoS attacks account for more than 60% of the total loss [3].

The impact of DDoS attacks can vary from minor difficulty for the users of a Web site to serious financial losses for companies that rely on their online availability to do business. On February 9, 2000, Yahoo, eBay, Amazon.com, E*Trade, ZDnet, Buy.com, the FBI, and several other web sites fell victim to DDoS attacks, resulting in considerable damage and trouble [6].

From December 2005 to January 2006, 1500 separate IP addresses were victims of DDoS attacks, with some attacks using traffic rates as high as 10 Gb/s [7].
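As an added illustration, not part of the original literature search or of any of the cited works, of the two ICMP roles listed in the introduction, the following Python parses raw ICMP messages using the RFC 792 header layout, verifies the Internet checksum and sorts each message into the error class or the query class. The sample messages are constructed inline; the type-number tables and the helper names `build_icmp` and `classify_icmp` are mine.

```python
"""Parse and classify raw ICMP messages (RFC 792 layout). Added example."""
import struct

# ICMP type numbers from RFC 792, grouped by the two roles described in the text.
ERROR_TYPES = {
    3: "destination unreachable",
    4: "source quench",
    5: "redirect",
    11: "time exceeded",
    12: "parameter problem",
}
QUERY_TYPES = {
    0: "echo reply",
    8: "echo request",
    13: "timestamp request",
    14: "timestamp reply",
    15: "information request",
    16: "information reply",
    17: "address mask request",
    18: "address mask reply",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; odd length is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes, payload: bytes) -> bytes:
    """Build an ICMP message with a valid checksum (used here only to construct sample input)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header
    csum = internet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest_of_header + payload


def classify_icmp(packet: bytes) -> dict:
    """Return class (error/query/unknown), name and checksum validity of one ICMP message."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(packet))
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    # A correct checksum makes the one's-complement sum of the whole message fold to zero.
    result = {"type": icmp_type, "code": code, "checksum_ok": internet_checksum(packet) == 0}
    if icmp_type in ERROR_TYPES:
        result["class"] = "error"
        result["name"] = ERROR_TYPES[icmp_type]
        # Error messages quote the offending datagram's IP header plus its first 8 bytes,
        # so the receiver can match the error to the original flow (RFC 792).
        inner = packet[8:]
        ihl = (inner[0] & 0x0F) * 4 if inner else 0
        result["quoted_datagram_ok"] = ihl >= 20 and len(inner) >= ihl + 8
    elif icmp_type in QUERY_TYPES:
        result["class"] = "query"
        result["name"] = QUERY_TYPES[icmp_type]
        # Echo and timestamp queries carry an identifier and a sequence number.
        result["identifier"], result["sequence"] = struct.unpack("!HH", packet[4:8])
    else:
        result["class"] = "unknown"
        result["name"] = "type %d" % icmp_type
    return result


# Constructed sample messages (not captured traffic).
ECHO_REQUEST = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping-payload")
# A constructed 20-byte IPv4 header (version/IHL byte 0x45) plus 8 bytes of the "original" datagram.
FAKE_IP_HEADER = bytes([0x45]) + bytes(19)
DEST_UNREACH = build_icmp(3, 1, bytes(4), FAKE_IP_HEADER + bytes(8))
# Same echo request with its last byte flipped, so the checksum no longer verifies.
CORRUPTED = ECHO_REQUEST[:-1] + bytes([ECHO_REQUEST[-1] ^ 0xFF])

if __name__ == "__main__":
    for label, pkt in [("echo request", ECHO_REQUEST), ("dest unreachable", DEST_UNREACH), ("corrupted", CORRUPTED)]:
        print(label, classify_icmp(pkt))
```

Classifying on the type field alone is what a firewall or IDS rule does first; checking the checksum and, for error messages, the quoted datagram is what separates a well-formed ICMP error from noise that merely carries an error type number.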

TYPES OF ATTACKS WITH ICMP

1) DATA COLLECTION
   1.1) LIVE HOST DETECTION
   1.2) OS RECOGNITION
2) DoS (Denial of Service)
3) DDoS (Distributed Denial of Service)

EXPLANATION OF THE ATTACK TYPES

HOST DETECTION USING ICMP:- When using ICMP for host detection, Ping is the most frequently used method for a single host, Fping (fast ping) for multiple hosts and broadcast Ping for all the hosts on a subnet. If the target responds to these methods, it shows that the host is alive. Otherwise, the host is switched off or a firewall has been set up and access is forbidden. [8]

OS DETECTION USING ICMP:- OS detection using ICMP can be done in two ways, namely Active Detection and Passive Detection. [8]

Active OS detection means that the source host sends specified types of data packets to the target host. Certain fields of these data packets include the characteristics of the OS. The returned packets can show the type of the OS, or specify the OS by comparing the OS fingerprint database with the corresponding value of certain fields in the data packets. [8]

In a Passive OS Detection system, by contrast, the source host does not need to send detective data packets. It passively hunts the reports sent and received by the target host and then finds out the corresponding type of OS by detecting the value of the corresponding field and consulting the fingerprint database. [8]

A DENIAL OF SERVICE (DoS) attack plans to deny legitimate users access to shared services or resources. On the Internet, a DoS attack aims to disrupt the service provided by a network or a server. A DoS attacker sends huge volumes of useless traffic to engage all the resources that could service legitimate traffic, which is very challenging to prevent. Any target can be attacked simply because it is connected to the public Internet [2].

When the same attack is performed from multiple sources it is called a DISTRIBUTED DENIAL OF SERVICE (DDoS) attack. Most of the time when DDoS attacks are carried out, the multiple sources of attack are not owned by the attacker himself. They are compromised machines (Zombies) controlled by the attacker from a remote location to carry out the DDoS attack or perform other cyber crimes using machines not owned by him. [2]

COUNTERMEASURES

1) ICMP WINDOW RESTRICTION SCHEME. [5]
2) STORE, CHECK AND FORWARD STRATEGY. [5]
3) ICMP-TRACEBACK MECHANISM. [2], [9], [11], [12], [13]
4) GLOBAL DEFENSE INFRASTRUCTURE FOR DETECTING DoS/DDoS. [10], [14]
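An added example, not code from this literature search or from the cited countermeasure papers, showing how a defender can apply the rate-limiting idea behind the ICMP window restriction countermeasure and, with the same sliding-window state, notice the live-host detection traffic described in the host detection section: a per-source monitor flags an echo-request flood (too many requests from one source within the window) and an address sweep (one source probing many distinct destinations within the window). The event records and thresholds are constructed assumptions, and `IcmpMonitor` and `run_monitor` are hypothetical names.

```python
"""Flag ICMP echo floods and host sweeps from (time, src, dst, icmp_type) events. Added example."""
from collections import defaultdict, deque

ECHO_REQUEST = 8


class IcmpMonitor:
    """Sliding-window counters per source address.

    window:          length of the sliding window in seconds.
    flood_threshold: echo requests from one source inside the window before it is
                     flagged (the rate-limiting idea of an ICMP window restriction).
    sweep_threshold: distinct destinations probed by one source inside the window
                     before it is flagged as a live-host sweep.
    Thresholds here are constructed defaults, not values from any cited paper.
    """

    def __init__(self, window=1.0, flood_threshold=50, sweep_threshold=16):
        self.window = window
        self.flood_threshold = flood_threshold
        self.sweep_threshold = sweep_threshold
        self.events = defaultdict(deque)  # src -> deque of (time, dst) inside the window
        self.flagged = set()              # (kind, src) pairs already reported
        self.alerts = []                  # (kind, src, count) in the order first raised

    def observe(self, t, src, dst, icmp_type):
        """Feed one event; return the alert raised by it (first time only) or None."""
        if icmp_type != ECHO_REQUEST:      # replies and errors do not count toward the window
            return None
        q = self.events[src]
        q.append((t, dst))
        while q and t - q[0][0] > self.window:   # expire events older than the window
            q.popleft()
        if len(q) >= self.flood_threshold:
            alert = ("flood", src, len(q))
        else:
            distinct = {d for _, d in q}
            if len(distinct) < self.sweep_threshold:
                return None
            alert = ("sweep", src, len(distinct))
        if alert[:2] in self.flagged:
            return None
        self.flagged.add(alert[:2])
        self.alerts.append(alert)
        return alert


def constructed_events():
    """Constructed sample traffic: one benign pinger, one flooding source, one sweeping source."""
    events = []
    for i in range(5):                      # benign: one ping per second to a single host
        events.append((float(i), "10.0.0.5", "10.0.0.1", ECHO_REQUEST))
    for i in range(200):                    # flood: 200 echo requests in half a second
        events.append((10.0 + i * 0.0025, "192.0.2.77", "10.0.0.1", ECHO_REQUEST))
    for i in range(30):                     # sweep: one echo request to each of 30 addresses
        events.append((20.0 + i * 0.03, "198.51.100.9", "10.0.0.%d" % (i + 1), ECHO_REQUEST))
    events.append((21.0, "10.0.0.1", "10.0.0.5", 0))   # an echo reply, ignored by the monitor
    return events


def run_monitor(events, **kwargs):
    """Run the monitor over a list of events and return the alerts it raised."""
    mon = IcmpMonitor(**kwargs)
    for t, src, dst, icmp_type in events:
        mon.observe(t, src, dst, icmp_type)
    return mon.alerts


if __name__ == "__main__":
    for kind, src, count in run_monitor(constructed_events()):
        print("%-5s from %s (%d in window)" % (kind, src, count))
```

The same window state that a router would use to drop excess ICMP under a window restriction scheme also answers the host-detection question from the defender's side: a source that touches many distinct addresses in a short window is enumerating live hosts, even though its total request rate stays well below a flood threshold.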
FURTHER READING…

Internet Engineering Task Force articles and review papers are good reading for staying up to date on information security. http://www.ietf.org/
EC-Council's articles and releases are a good source of information regarding the latest updates in information security. http://www.eccouncil.org/

REFERENCES

[1] Shigang C., Wenliang, D. (2005). "Stateful DDoS attacks and targeted filtering." Journal of Network and Computer Applications, Vol. 30: pp. 823-840.
[2] Alireza Izaddoost, Mohamed Othman, Mohd. Fadlee A Rasid. "ACCURATE ICMP TRACEBACK MODEL UNDER DoS/DDoS ATTACK".
[3] Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson. "CSI/FBI COMPUTER CRIME AND SECURITY SURVEY", 2006.
[4] Kumar, S. "Smurf-based Distributed Denial of Service (DDoS) Attack Amplification in Internet", Second International Conference on Internet Monitoring and Protection (ICIMP), July 2007, pp. 25-25.
[5] J. Udhayan, R. Anitha. "Demystifying and Rate Limiting ICMP hosted DoS/DDoS Flooding Attacks with Attack Productivity Analysis."
[6] Garber, L. (2000). "Denial-of-service attacks rip the Internet." IEEE Computer, Vol. 33: pp. 12-17.
[7] Tao, P., Kotagiri, R. (2007). "Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems." ACM Computing Surveys, Vol. 39, No. 1, Article 3.
[8] JIANG Wei-hua, LI Wei-hua, DU Jun. "The Application of ICMP Protocol in Network Scanning".
[9] Allison Mankin, Dan Massey, Chien-Lung Wu, S. Felix Wu, Lixia Zhang. "On Design and Evaluation of 'Intention Driven' ICMP Traceback".
[10] Kalman K. K. Wan and Rocky K. C. Chang. "Engineering Of A Global Defense Infrastructure For DDoS Attacks".
[11] Arun Raj Kumar, P. and S. Selvakumar. "Distributed Denial-of-Service Threat in Collaborative Environment - A Survey on DDoS Attack Tools and Traceback Mechanisms."
[12] Alex C. Snoeren, et al. "Hash-Based IP Traceback", ACM SIGCOMM, Aug. 2001, pp. 3-14.
[13] D. Dean, M. Franklin, and A. Stubblefield. "An algebraic approach to IP Traceback", Network and Distributed System Security Symposium, Feb. 2001, pp. 3-12.
[14] K. Wan. "An Infrastructure To Defend Against Distributed Denial of Service Attack", M.Sc. Thesis, The Hong Kong Polytechnic University, June 2001.