Vulnerability Development mailing list archives
Re: ICMP and BlackICE (fwd)
From: James Robbins <robbins.7 () OSU EDU>
Date: Fri, 8 Sep 2000 11:42:16 -0400
At 08:53 AM 9/8/00, Jim Wildman wrote:
>I've found that out as well. For instance, aggressive icmp blocking
>breaks www.four11.com.
>
>But which ones?

OK, here is the long answer. This is from a web page I'm trying to set up
which will show the packet formats in graphical format. Sorry for the
incompleteness of the information or for any errors. If you see any
corrections that need to be made please let me know. I put this together
just to try to get all the info of interest to me in one spot.

Also, I should point out that blocking Echo doesn't do much good when
someone can use one of several other methods to see if there is a machine
active on a given address.

Anyway, here is the info with the graphics cut out:

ICMP DATAGRAM FORMAT: (this is the data field in the IP datagram)

Type

The contents of the Type Field is given in the following table:

  Type Field   ICMP Datagram Type
  ----------   ------------------------------
  0            Echo Reply
  3            Destination Unreachable
  4            Source Quench
  5            Redirect (change a route)
  8            Echo Request
  11           Time Exceeded for a Datagram
  12           Parameter Problem on a Datagram
  13           Timestamp Request
  14           Timestamp Reply
  15           Information Request
  16           Information Reply
  17           Address Mask Request
  18           Address Mask Reply

Following are the specific ICMP Datagram formats for each type:

ECHO REQUEST / ECHO REPLY (Ping)

For Echo Request or Echo Reply the Code field is always 0. The Identifier
and Sequence Number fields are used to match up requests and replies. The
contents of the Optional Data field are returned to the sender unchanged by
the receiver.

UNREACHABLE DESTINATION

This message is sent when a datagram cannot be delivered. The Code field is
given in the following table:

  Code   Meaning
  ----   ------------------------------------------------------
  0      Network Unreachable
  1      Host Unreachable
  2      Protocol Unreachable
  3      Port Unreachable
  4      Fragmentation needed and "Don't Fragment Bit" is set
  5      Source Route Failed

The message also returns the header and first 64 bits of the datagram for
identification and error analysis.

SOURCE QUENCH (Datagram Flow Control)

If a machine cannot keep up with the rate that a source is sending
datagrams, it sends a Source Quench message to the sender to ask the sender
to slow down. Usually one Source Quench message is sent for every datagram
that must be discarded.

REDIRECT (Route Change Requests From Gateways)

This message is used to change routing tables in various machines. The
value of the Code field can be:

  Code   Meaning
  ----   ------------------------------------------------------
  0      Redirect datagrams for the Net
  1      Redirect datagrams for the Host
  2      Redirect datagrams for the Type of Service and the Net
  3      Redirect datagrams for the Type of Service and the Host

TIME EXCEEDED for a DATAGRAM

Sent when the Time To Live count of a datagram reaches zero and the machine
that is handling it discards it. The Code field is set to: 0 for a time to
live count exceeded error and 1 for a fragment reassembly time exceeded
error.

PARAMETER PROBLEM

This message is sent if a problem is encountered with an illegal value in a
header field. The Pointer field points to the octet of the datagram header
that caused the problem.

TIMESTAMP REQUEST / REPLY

The Identifier and Sequence Fields are used to associate specific replies
with the request that prompted them. The Originator Timestamp field is
filled in by the originator of the request. The Receiver Timestamp is filled
in immediately upon receipt of the request at the destination. The
Transmitter Timestamp is filled in immediately before the destination
machine returns the reply.

INFORMATION REQUEST / REPLY (Obtaining a Network Address)

This message is somehow used to obtain the IP address of another machine on
the network. It is used as an alternative to RARP. The Identifier and
Sequence fields are used to associate specific requests with their replies.

ADDRESS MASK REQUEST / REPLY

This message is used to obtain a subnet mask for the network. It may be
sent directly to the gateway or sent as a broadcast.

--
James A. Robbins
Senior Design Engineer, Network Engineer
The Ohio State University Chemistry Department
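An added example, not part of the post above and not from its author: a small Python decoder for the ICMP layout the message describes (the 8-byte header of type, code, checksum and a 4-byte type-specific field, followed by optional data or, for error messages, the offending IP header plus the first 64 bits of its data). It uses the type and code tables exactly as given in the post, verifies the RFC 1071 ones'-complement checksum, and includes two constructed sample messages (an Echo Request and a Port Unreachable quoting a made-up 10.0.0.1 -> 10.0.0.2 UDP datagram) so it runs offline. Function names and the sample addresses are assumptions for this example, not anything from the thread.

```python
"""Decode ICMP messages using the type/code tables from the post above.
Added example; the sample packets and addresses are constructed, not captured."""
import struct

# Type table as listed in the post.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
    12: "Parameter Problem", 13: "Timestamp Request", 14: "Timestamp Reply",
    15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply",
}
UNREACHABLE_CODES = {
    0: "Network Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation needed and DF set",
    5: "Source Route Failed",
}
REDIRECT_CODES = {0: "Net", 1: "Host", 2: "TOS and Net", 3: "TOS and Host"}
TIME_EXCEEDED_CODES = {0: "TTL exceeded", 1: "Fragment reassembly time exceeded"}
ERROR_TYPES = (3, 4, 5, 11, 12)          # these quote the original IP header + 64 bits
ID_SEQ_TYPES = (0, 8, 13, 14, 15, 16, 17, 18)  # these carry identifier/sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words (odd length padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum; `rest` is the 4-byte
    type-specific field (identifier/sequence, pointer, gateway, or unused)."""
    header = struct.pack("!BBH4s", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH4s", icmp_type, code, csum, rest) + payload


def decode_icmp(msg: bytes) -> dict:
    """Parse one ICMP message into a dict of named fields per the post's tables."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    body = msg[8:]
    info = {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "Unknown"),
        "code": code,
        # Summing the whole message including its checksum field yields 0 when intact.
        "checksum_ok": icmp_checksum(msg) == 0,
    }
    if icmp_type in ID_SEQ_TYPES:
        info["identifier"], info["sequence"] = struct.unpack("!HH", rest)
        if icmp_type in (0, 8):
            info["data"] = body          # Optional Data, echoed back unchanged
    if icmp_type == 3:
        info["code_name"] = UNREACHABLE_CODES.get(code, "Unknown")
    elif icmp_type == 5:
        info["code_name"] = REDIRECT_CODES.get(code, "Unknown")
        info["gateway"] = ".".join(str(b) for b in rest)
    elif icmp_type == 11:
        info["code_name"] = TIME_EXCEEDED_CODES.get(code, "Unknown")
    elif icmp_type == 12:
        info["pointer"] = rest[0]        # octet offset of the bad header field
    # Error messages return the original IP header and the first 64 bits after it.
    if icmp_type in ERROR_TYPES and len(body) >= 20:
        ihl = (body[0] & 0x0F) * 4
        info["orig_src"] = ".".join(str(b) for b in body[12:16])
        info["orig_dst"] = ".".join(str(b) for b in body[16:20])
        info["orig_protocol"] = body[9]
        info["orig_first64"] = body[ihl:ihl + 8]
    return info


def sample_echo_request() -> bytes:
    """Constructed sample: Echo Request, id 0x1234, seq 1, 8 bytes of data."""
    return build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")


def sample_port_unreachable() -> bytes:
    """Constructed sample: Port Unreachable quoting a UDP datagram 10.0.0.1 -> 10.0.0.2:53.
    The addresses are made up for this example."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8, 0)  # sport, dport, length, checksum
    return build_icmp(3, 3, b"\x00" * 4, ip_hdr + udp_hdr)


if __name__ == "__main__":
    for pkt in (sample_echo_request(), sample_port_unreachable()):
        print(decode_icmp(pkt))
```

Feeding captured ICMP payloads (the IP data field, as the post says) through `decode_icmp` gives the type/code names and, for error messages, which original flow they refer to, which is the information a filter policy or an IDS rule needs in order to tell an Echo from a Destination Unreachable that a legitimate connection depends on.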
Current thread:
- ICMP and BlackICE (fwd) anon6774 (Sep 06)
- Re: ICMP and BlackICE (fwd) James Robbins (Sep 07)
- Re: ICMP and BlackICE (fwd) Brian M Brotschi (Sep 08)
- Re: ICMP and BlackICE (fwd) Jim Wildman (Sep 08)
- Message not available
- Re: ICMP and BlackICE (fwd) James Robbins (Sep 12)
- Re: ICMP and BlackICE (fwd) James Robbins (Sep 07)