ICMP协议
Common header
0 1 2 4
0 1 2 3 4 5 6 7 8 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 0 1 2 3 4
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Code | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| unused |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internet Header + 64 bits of Original Data Datagram |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ICMPV4
Type:
#ifndef ICMP_ECHOREPLY
#define ICMP_ECHOREPLY 0 /* Echo Reply */
#endif
#ifndef ICMP_DEST_UNREACH
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
#endif
#ifndef ICMP_SOURCE_QUENCH
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#endif
#ifndef ICMP_REDIRECT
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#endif
#ifndef ICMP_ECHO
#define ICMP_ECHO 8 /* Echo Request */
#endif
#ifndef ICMP_ROUTERADVERT
#define ICMP_ROUTERADVERT 9
#endif
#ifndef ICMP_ROUTERSOLICIT
#define ICMP_ROUTERSOLICIT 10
#endif
#ifndef ICMP_TIME_EXCEEDED
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
#endif
#ifndef ICMP_PARAMETERPROB
#define ICMP_PARAMETERPROB 12 /* Parameter Problem */
#endif
#ifndef ICMP_TIMESTAMP
#define ICMP_TIMESTAMP 13 /* Timestamp Request */
#endif
#ifndef ICMP_TIMESTAMPREPLY
#define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
#endif
#ifndef ICMP_INFO_REQUEST
#define ICMP_INFO_REQUEST 15 /* Information Request */
#endif
#ifndef ICMP_INFO_REPLY
#define ICMP_INFO_REPLY 16 /* Information Reply */
#endif
#ifndef ICMP_ADDRESS
#define ICMP_ADDRESS 17 /* Address Mask Request */
#endif
#ifndef ICMP_ADDRESSREPLY
#define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */
#endif
#ifndef NR_ICMP_TYPES
#define NR_ICMP_TYPES 18
#endif
Code:
/* Codes for Type3 UNREACH. */
#ifndef ICMP_NET_UNREACH
#define ICMP_NET_UNREACH 0 /* Network Unreachable */
#endif
#ifndef ICMP_HOST_UNREACH
#define ICMP_HOST_UNREACH 1 /* Host Unreachable */
#endif
#ifndef ICMP_PROT_UNREACH
#define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */
#endif
#ifndef ICMP_PORT_UNREACH
#define ICMP_PORT_UNREACH 3 /* Port Unreachable */
#endif
#ifndef ICMP_FRAG_NEEDED
#define ICMP_FRAG_NEEDED 4 /* Fragmentation Needed/DF set */
#endif
#ifndef ICMP_SR_FAILED
#define ICMP_SR_FAILED 5 /* Source Route failed */
#endif
#ifndef ICMP_NET_UNKNOWN
#define ICMP_NET_UNKNOWN 6
#endif
#ifndef ICMP_HOST_UNKNOWN
#define ICMP_HOST_UNKNOWN 7
#endif
#ifndef ICMP_HOST_ISOLATED
#define ICMP_HOST_ISOLATED 8
#endif
#ifndef ICMP_NET_ANO
#define ICMP_NET_ANO 9
#endif
#ifndef ICMP_HOST_ANO
#define ICMP_HOST_ANO 10
#endif
#ifndef ICMP_NET_UNR_TOS
#define ICMP_NET_UNR_TOS 11
#endif
#ifndef ICMP_HOST_UNR_TOS
#define ICMP_HOST_UNR_TOS 12
#endif
#ifndef ICMP_PKT_FILTERED
#define ICMP_PKT_FILTERED 13 /* Packet filtered */
#endif
#ifndef ICMP_PREC_VIOLATION
#define ICMP_PREC_VIOLATION 14 /* Precedence violation */
#endif
#ifndef ICMP_PREC_CUTOFF
#define ICMP_PREC_CUTOFF 15 /* Precedence cut off */
#endif
#ifndef NR_ICMP_UNREACH
#define NR_ICMP_UNREACH 15 /* instead of hardcoding immediate value */
#endif
/* Codes for Type5 REDIRECT. */
#ifndef ICMP_REDIR_NET
#define ICMP_REDIR_NET 0 /* Redirect Net */
#endif
#ifndef ICMP_REDIR_HOST
#define ICMP_REDIR_HOST 1 /* Redirect Host */
#endif
#ifndef ICMP_REDIR_NETTOS
#define ICMP_REDIR_NETTOS 2 /* Redirect Net for TOS */
#endif
#ifndef ICMP_REDIR_HOSTTOS
#define ICMP_REDIR_HOSTTOS 3 /* Redirect Host for TOS */
#endif
/* Codes for Type11 TIME_EXCEEDED. */
#ifndef ICMP_EXC_TTL
#define ICMP_EXC_TTL 0 /* TTL count exceeded */
#endif
#ifndef ICMP_EXC_FRAGTIME
#define ICMP_EXC_FRAGTIME 1 /* Fragment Reass time exceeded */
#endifICMPV6
Type:
/** Error Messages: (type <128) */
#define ICMP6_DST_UNREACH 1
#define ICMP6_PACKET_TOO_BIG 2
#define ICMP6_TIME_EXCEEDED 3
#define ICMP6_PARAM_PROB 4
/** Informational Messages (type>=128) */
#define ICMP6_ECHO_REQUEST 128
#define ICMP6_ECHO_REPLY 129
#define MLD_LISTENER_QUERY 130
#define MLD_LISTENER_REPORT 131
#define MLD_LISTENER_REDUCTION 132
#define ND_ROUTER_SOLICIT 133
#define ND_ROUTER_ADVERT 134
#define ND_NEIGHBOR_SOLICIT 135
#define ND_NEIGHBOR_ADVERT 136
#define ND_REDIRECT 137
#define ICMP6_RR 138
#define ICMP6_NI_QUERY 139
#define ICMP6_NI_REPLY 140
#define ND_INVERSE_SOLICIT 141
#define ND_INVERSE_ADVERT 142
#define MLD_V2_LIST_REPORT 143
#define HOME_AGENT_AD_REQUEST 144
#define HOME_AGENT_AD_REPLY 145
#define MOBILE_PREFIX_SOLICIT 146
#define MOBILE_PREFIX_ADVERT 147
#define CERT_PATH_SOLICIT 148
#define CERT_PATH_ADVERT 149
#define ICMP6_MOBILE_EXPERIMENTAL 150
#define MC_ROUTER_ADVERT 151
#define MC_ROUTER_SOLICIT 152
#define MC_ROUTER_TERMINATE 153
#define FMIPV6_MSG 154
#define RPL_CONTROL_MSG 155
#define LOCATOR_UDATE_MSG 156
#define DUPL_ADDR_REQUEST 157
#define DUPL_ADDR_CONFIRM 158
#define MPL_CONTROL_MSG 159
Code:
/** Destination Unreachable Message (type=1) Code: */
#define ICMP6_DST_UNREACH_NOROUTE 0 /* no route to destination */
#define ICMP6_DST_UNREACH_ADMIN 1 /* communication with destination */
/* administratively prohibited */
#define ICMP6_DST_UNREACH_BEYONDSCOPE 2 /* beyond scope of source address */
#define ICMP6_DST_UNREACH_ADDR 3 /* address unreachable */
#define ICMP6_DST_UNREACH_NOPORT 4 /* bad port */
#define ICMP6_DST_UNREACH_FAILEDPOLICY 5 /* Source address failed ingress/egress policy */
#define ICMP6_DST_UNREACH_REJECTROUTE 6 /* Reject route to destination */
/** Time Exceeded Message (type=3) Code: */
#define ICMP6_TIME_EXCEED_TRANSIT 0 /* Hop Limit == 0 in transit */
#define ICMP6_TIME_EXCEED_REASSEMBLY 1 /* Reassembly time out */
/** Parameter Problem Message (type=4) Code: */
#define ICMP6_PARAMPROB_HEADER 0 /* erroneous header field */
#define ICMP6_PARAMPROB_NEXTHEADER 1 /* unrecognized Next Header */
#define ICMP6_PARAMPROB_OPTION 2 /* unrecognized IPv6 option */ICMP内嵌
- 对于ICMPv4来说,当type为3--ICMP_DEST_UNREACH,4--ICMP_SOURCE_QUENCH,5--ICMP_REDIRECT,11--ICMP_TIME_EXCEEDED,12--ICMP_PARAMETERPROB时,
ICMPv4可以内嵌IPv4+UDP/TCP/ICMPv4,来指示导致差错产生的原始报文IP,TCP/UDP头信息 - 同理,对于ICMPv6来说,当type为1--ICMP6_DST_UNREACH,2--ICMP6_PACKET_TOO_BIG,3--ICMP6_TIME_EXCEEDED,4--ICMP6_PARAM_PROB时,也可以内嵌IPv6+UDP/TCP/ICMPv6,来指示导致差错产生的原始头部信息
ICMP攻击
- ICMPv6 Flood
alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; content:"|03|"; threshold:type threshold, track by_src, count 10, seconds 1; reference:url, http://www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; )
- ICMP Smurf Scan
Smurf方式把源IP设置为受害者IP,然后向多台服务器发送ICMP报文(通常是ECHO请求),这些接收报文的服务器被报文欺骗,向受害者返回ECHO应答(Type=0),导致垃圾阻塞受害者的门口
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
- ICMP Invalid checksum
alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; classtype:protocol-command-decode; sid:2200076; rev:2;)
alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; classtype:protocol-command-decode; sid:2200079; rev:2;)
- ICMP Redirct
利用这点可以进行攻击和网络窃听。如果目某主机A支持ICMP重定向,那么主机B发一个IMCP重定向给它,以后它发出的所有到指定地址的报文都会转发主机B,这样B就可以达到窃听目的了或者该主机按照黑客的要求来修改路由表。
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:2100436; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
Suricata涉及到匹配的Option
- itype:[<|>|<>]<number>;
Example This example looks for an ICMP type greater than 10: itype:>10;
2. icode:[<|>|<>]<number>;
Example: This example looks for an ICMP code greater than 5: icode:>5;
3. icmp_id:<number>;
Example: This example looks for an ICMP ID of 0: icmp_id:0;
4. icmp_seq:<number>;
Example: This example looks for an ICMP Sequence of 0: icmp_seq:0;
5. icmpv6-csum:<valid/invalid>;
6. icmpv4-csum:<valid/invalid>;
Reference
完全理解ICMP协议
RFC792
rfc4443
RFC6633
RFC1256
RFC6918
RFC2521
RFC4065
RFC8335
RFC4727
