We are often asked about ICMP, and how it should be managed on a network. We hope this How To will explain this protocol a little and provide some initial guidance.
What is ICMP?
The Internet Control Message Protocol (ICMP) is part of Layer 3, not Layer 4 TCP, and it’s not UDP. ICMP provides a way for Layer 3 to exchange messages between network entities. However, ICMP is critical to the functionality of any IP network such as your corporate network or the Internet. In an IPv4 network, ICMP’s primary job is to report errors on the network, but has other functions as well. In an IPv6 network, ICMP takes a much more important role. In this How To, we will stick to IPv4.
While ICMP is required for IP network traffic redirection and pinging hosts on your LAN or WAN, ICMP can also pose a security concern.
The Internet Control Message Protocol (ICMP) is based on RFC 792 and is used to send IP network errors and diagnostic messages. As the name of the protocol infers, it is a protocol that manages the IP network. ICMP is used to communicate things like “host unavailable” and other errors. For most end users, ICMP is most well known as being used to ping a host on your network. Depending on the version of traceroute used, ICMP may or may not be used for traceroute as well.
What most people do not know is that coded into the protocol are 42 types of ICMP traffic (you can view each of them at the IANA ICMP parameters site). For example, for a ping to work, your host needs to be able to send an ICMP echo (type 8); the host you are pinging needs to be able to receive the echo; that host needs to be able to send an ICMP echo reply (type 0); and your host needs to be able to receive it for your ping program to be able to respond that the host is alive (and a round trip time for that ping). Like UDP, ICMP traffic is an unreliable protocol with no guaranteed delivery.
What are the security issues with ICMP traffic?
On the typical Layer 2 Ethernet LAN, ICMP traffic is typically unrestricted. Depending on the level of internal network security that you require, you may want to filter ICMP traffic on your LAN between subnets (regardless of the Internet). As ICMP traffic from a malicious attacker can be used to bring down your network, ICMP traffic needs to be strictly filtered when coming in from the Internet and, perhaps, when going out to the Internet.
ICMP traffic can be used not only to discover hosts on your network, but also to flood your network with traffic. A full list of ICMP attacks can be found here. By not restricting the type and flow of ICMP traffic from the Internet, you increase the potential for a denial of service (DoS) attack by allowing ICMP traffic to flood your network and affect service to all network traffic from the servers.
To prevent these types of attacks, there are various solutions. Commonly, ICMP traffic is filtered with a firewall. That firewall could be a Cisco PIX, ASA, or a Cisco IOS router. Now, let’s take a look at how Cisco IOS ACLs can be used to filter ICMP traffic.
How can I filter ICMP traffic?
When creating Cisco IOS ACLs, many admins start out with either:
access-list 101 deny ip …
access-list 101 deny tcp …
While these may be the two most common ways to filter network traffic with Cisco IOS extended ACLs, neither of these will work to filter ICMP because they are looking at Layer 4 details and ICMP is running at Layer 3. Additionally, no standard access list will work for ICMP specifically.
To filter ICMP traffic, you need to use an extended access list and start with something like this:
access-list 101 deny icmp …
You can see all the ICMP filtering options that can be used with a Cisco IOS ACL by following this link.
Filtering ICMP inbound and outbound traffic both to your network and the Internet are important, but the most important of the two is to properly filter ICMP inbound to protect your network.
Protecting a network from attack isn’t as simple as adding a few network access-lists. In fact, there are entire books you can buy (like Cisco Press Network Security Technologies and Solutions); there are guides you can download (like the NSA Router Security Guide); and there are certifications you can pursue (like the Cisco CCSP). We say that because the following ICMP inbound filtering ACLs are examples of how to filter ICMP to block certain traffic – but not necessarily the only ones that will “secure your network.”
In the following inbound ACL filtering example, we are filtering ICMP echo, redirect, and mask-requests, while allowing other types:
Router(config)# access-list 100 deny icmp any any echo log
Router (config)# access-list 100 deny icmp any any redirect log
Router (config)# access-list 100 deny icmp any any mask-request log
Router (config)# access-list 100 permit icmp any 188.8.131.52 0.0.0.255
Of course, the ACL must be applied to your interface in the “in” direction.
You may also want to use an ICMP ACL to throttle ICMP traffic that could cause a DoS attack. Here is an example from the NSA Cisco Router Security Guide:
Router(config)# access-list 131 permit icmp any any echo
Router(config)# access-list 131 permit icmp any any echo-reply
Router(config)# interface eth0/0
Router(config-if)# rate-limit output access-group 131 16000 8000 8000 conform-action continue exceed-action drop
In this example, any ICMP echo or echo-reply traffic will be allowed until it exceeds 16K, at which point it will be dropped.
Bottom Line: Be careful with ICMP
ICMP traffic is critical network traffic, but it can also cause security issues if used against your network by a malicious attacker. A network administrator must be careful with ICMP, allowing necessary ICMP traffic and managing all else.
We hope this helps you to understand and implement an initial approach to ICMP in your IPv4 network.