ICMP or Internet Control Message Protocol was designed and included in the TCP/IP protocol stack as a troubleshooting tool that can provide feedback to networked devices either for status information or when problems such as network routing failures occur. This protocol has also been used as an attack tool to facilitate mapping target networks, DoS or Denial of Service attacks, and other forms of reconnaissance and malicious activity from which networks must be protected. It is important to note that blocking all such packets on a network is not recommended because certain network functionality cannot operate properly without ICMP. However, with proper ICMP filtering, a balance of security and functionality can be attained.


Type 8 Echo Request

Echo Request is probably the most commonly used and familiar type of ICMP. These packets are used extensively to determine whether or not hosts are active. However, they are also used maliciously to map networks and determine which hosts are available for attack. In addition, they can facilitate DoS by flooding networks with so many echo requests that the target servers and/or the connections to them fail. For this reason it is recommended to block incoming echo requests and to allow only requests initiated from within private networks (for troubleshooting) on the outbound path.

Type 5 Redirect Messages

Redirect messages are sent by routers when another router on the same network has a better route for the packets received. However, redirect messages can be used maliciously to subvert routing tables and enable IP address spoofing. Since redirect messages are required for correct routing, routers and IP-connected devices should be configured to send them but to discard received redirects that come from unknown sources.

Type 9 Router Advertisements

Router Advertisement packets are designed to enable local hosts to find routers on the local network only. Since these packets could be used for a DoS (Denial of Service) attack by flooding WAN and LAN connections, both ingress and egress paths should be configured to block these messages.

Type 13 Timestamp Requests

Timestamp Request messages are designed for determining the local time on local or remote IP-based hosts. Unfortunately, ICMP Type 13 packets can also be used as an alternative to Type 8 packets as a hacker reconnaissance and mapping tool. Since ICMP Type 13 messages provide only a non-essential informational service, this type of ICMP message should be blocked on both outbound and inbound paths.

Type 17 Address Mask Requests

Address Mask Request and Reply messages are designed to enable hosts to determine the subnet mask of another host or interface. However, these messages are not absolutely necessary for functionality and can be used by attackers for malicious purposes as a mapping and reconnaissance tool. Since these messages are informational and not necessary, they should be blocked both outbound and inbound to the network.

By configuring networks to block the above ICMP messages (as specified) organizations can ensure a safer, more secure network.
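The filtering policy above, written out as a small packet filter in Python (an added example, not part of the original article): it parses an ICMP header, verifies the RFC 1071 checksum, and returns allow or drop per ICMP type and direction. The `established` and `trusted_source` flags, the inclusion of the reply types 14 and 18 alongside the request types, and the constructed sample messages are assumptions made here to keep outbound pings working and to model "unknown sources" for redirects.

```python
import struct

# ICMP types discussed in the text (reply types 14 and 18 added as an assumption)
ECHO_REPLY, ECHO_REQUEST = 0, 8
REDIRECT, ROUTER_ADVERT = 5, 9
TIMESTAMP_REQ, TIMESTAMP_REPLY = 13, 14
ADDR_MASK_REQ, ADDR_MASK_REPLY = 17, 18
ALWAYS_DROP = {ROUTER_ADVERT, TIMESTAMP_REQ, TIMESTAMP_REPLY, ADDR_MASK_REQ, ADDR_MASK_REPLY}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes) -> tuple:
    """Return (type, code); reject truncated headers and bad checksums."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(packet) != 0:  # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code

def decide(packet: bytes, direction: str, established: bool = False,
           trusted_source: bool = False) -> str:
    """Apply the article's policy; direction is 'in' (from outside) or 'out'."""
    icmp_type, _ = parse_icmp(packet)
    if icmp_type == ECHO_REQUEST:          # ping outward only, never inbound
        return "allow" if direction == "out" else "drop"
    if icmp_type == ECHO_REPLY:            # inbound only as an answer to our own request
        return "allow" if direction == "out" or established else "drop"
    if icmp_type == REDIRECT:              # send, but accept only from known routers
        return "allow" if direction == "out" or trusted_source else "drop"
    if icmp_type in ALWAYS_DROP:           # types 9, 13/14, 17/18: both directions
        return "drop"
    return "allow"  # e.g. type 3 unreachable and type 11 time exceeded keep working

def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample message with a correct checksum (test input, not captured traffic)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, chk, 0x1234, 1) + payload
```

The unmatched default keeps error-reporting types usable, which is the balance between security and functionality the article calls for.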