Network Intrusion Detection System Suricata (10): ICMP Implementation in Detail

Author: 于顾而言
September 17, 2022, Jiangsu

ICMP protocol

Common header (RFC 792 error-message layout)

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |     Code      |          Checksum             |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                             unused                            |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |      Internet Header + 64 bits of Original Data Datagram      |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ICMPV4

Type:

    #ifndef ICMP_ECHOREPLY
    #define ICMP_ECHOREPLY          0       /* Echo Reply                   */
    #endif
    #ifndef ICMP_DEST_UNREACH
    #define ICMP_DEST_UNREACH       3       /* Destination Unreachable      */
    #endif
    #ifndef ICMP_SOURCE_QUENCH
    #define ICMP_SOURCE_QUENCH      4       /* Source Quench                */
    #endif
    #ifndef ICMP_REDIRECT
    #define ICMP_REDIRECT           5       /* Redirect (change route)      */
    #endif
    #ifndef ICMP_ECHO
    #define ICMP_ECHO               8       /* Echo Request                 */
    #endif
    #ifndef ICMP_ROUTERADVERT
    #define ICMP_ROUTERADVERT       9
    #endif
    #ifndef ICMP_ROUTERSOLICIT
    #define ICMP_ROUTERSOLICIT      10
    #endif
    #ifndef ICMP_TIME_EXCEEDED
    #define ICMP_TIME_EXCEEDED      11      /* Time Exceeded                */
    #endif
    #ifndef ICMP_PARAMETERPROB
    #define ICMP_PARAMETERPROB      12      /* Parameter Problem            */
    #endif
    #ifndef ICMP_TIMESTAMP
    #define ICMP_TIMESTAMP          13      /* Timestamp Request            */
    #endif
    #ifndef ICMP_TIMESTAMPREPLY
    #define ICMP_TIMESTAMPREPLY     14      /* Timestamp Reply              */
    #endif
    #ifndef ICMP_INFO_REQUEST
    #define ICMP_INFO_REQUEST       15      /* Information Request          */
    #endif
    #ifndef ICMP_INFO_REPLY
    #define ICMP_INFO_REPLY         16      /* Information Reply            */
    #endif
    #ifndef ICMP_ADDRESS
    #define ICMP_ADDRESS            17      /* Address Mask Request         */
    #endif
    #ifndef ICMP_ADDRESSREPLY
    #define ICMP_ADDRESSREPLY       18      /* Address Mask Reply           */
    #endif
    #ifndef NR_ICMP_TYPES
    #define NR_ICMP_TYPES           18
    #endif

Code:

    /* Codes for Type3 UNREACH. */
    #ifndef ICMP_NET_UNREACH
    #define ICMP_NET_UNREACH        0       /* Network Unreachable          */
    #endif
    #ifndef ICMP_HOST_UNREACH
    #define ICMP_HOST_UNREACH       1       /* Host Unreachable             */
    #endif
    #ifndef ICMP_PROT_UNREACH
    #define ICMP_PROT_UNREACH       2       /* Protocol Unreachable         */
    #endif
    #ifndef ICMP_PORT_UNREACH
    #define ICMP_PORT_UNREACH       3       /* Port Unreachable             */
    #endif
    #ifndef ICMP_FRAG_NEEDED
    #define ICMP_FRAG_NEEDED        4       /* Fragmentation Needed/DF set  */
    #endif
    #ifndef ICMP_SR_FAILED
    #define ICMP_SR_FAILED          5       /* Source Route failed          */
    #endif
    #ifndef ICMP_NET_UNKNOWN
    #define ICMP_NET_UNKNOWN        6
    #endif
    #ifndef ICMP_HOST_UNKNOWN
    #define ICMP_HOST_UNKNOWN       7
    #endif
    #ifndef ICMP_HOST_ISOLATED
    #define ICMP_HOST_ISOLATED      8
    #endif
    #ifndef ICMP_NET_ANO
    #define ICMP_NET_ANO            9
    #endif
    #ifndef ICMP_HOST_ANO
    #define ICMP_HOST_ANO           10
    #endif
    #ifndef ICMP_NET_UNR_TOS
    #define ICMP_NET_UNR_TOS        11
    #endif
    #ifndef ICMP_HOST_UNR_TOS
    #define ICMP_HOST_UNR_TOS       12
    #endif
    #ifndef ICMP_PKT_FILTERED
    #define ICMP_PKT_FILTERED       13      /* Packet filtered */
    #endif
    #ifndef ICMP_PREC_VIOLATION
    #define ICMP_PREC_VIOLATION     14      /* Precedence violation */
    #endif
    #ifndef ICMP_PREC_CUTOFF
    #define ICMP_PREC_CUTOFF        15      /* Precedence cut off */
    #endif
    #ifndef NR_ICMP_UNREACH
    #define NR_ICMP_UNREACH         15      /* instead of hardcoding immediate value */
    #endif

    /* Codes for Type5 REDIRECT. */
    #ifndef ICMP_REDIR_NET
    #define ICMP_REDIR_NET          0       /* Redirect Net                 */
    #endif
    #ifndef ICMP_REDIR_HOST
    #define ICMP_REDIR_HOST         1       /* Redirect Host                */
    #endif
    #ifndef ICMP_REDIR_NETTOS
    #define ICMP_REDIR_NETTOS       2       /* Redirect Net for TOS         */
    #endif
    #ifndef ICMP_REDIR_HOSTTOS
    #define ICMP_REDIR_HOSTTOS      3       /* Redirect Host for TOS        */
    #endif

    /* Codes for Type11 TIME_EXCEEDED. */
    #ifndef ICMP_EXC_TTL
    #define ICMP_EXC_TTL            0       /* TTL count exceeded           */
    #endif
    #ifndef ICMP_EXC_FRAGTIME
    #define ICMP_EXC_FRAGTIME       1       /* Fragment Reass time exceeded */
    #endif

ICMPV6

Type:

    /** Error Messages: (type <128) */
    #define ICMP6_DST_UNREACH           1
    #define ICMP6_PACKET_TOO_BIG        2
    #define ICMP6_TIME_EXCEEDED         3
    #define ICMP6_PARAM_PROB            4

    /** Informational Messages (type>=128) */
    #define ICMP6_ECHO_REQUEST          128
    #define ICMP6_ECHO_REPLY            129
    #define MLD_LISTENER_QUERY          130
    #define MLD_LISTENER_REPORT         131
    #define MLD_LISTENER_REDUCTION      132
    #define ND_ROUTER_SOLICIT           133
    #define ND_ROUTER_ADVERT            134
    #define ND_NEIGHBOR_SOLICIT         135
    #define ND_NEIGHBOR_ADVERT          136
    #define ND_REDIRECT                 137
    #define ICMP6_RR                    138
    #define ICMP6_NI_QUERY              139
    #define ICMP6_NI_REPLY              140
    #define ND_INVERSE_SOLICIT          141
    #define ND_INVERSE_ADVERT           142
    #define MLD_V2_LIST_REPORT          143
    #define HOME_AGENT_AD_REQUEST       144
    #define HOME_AGENT_AD_REPLY         145
    #define MOBILE_PREFIX_SOLICIT       146
    #define MOBILE_PREFIX_ADVERT        147
    #define CERT_PATH_SOLICIT           148
    #define CERT_PATH_ADVERT            149
    #define ICMP6_MOBILE_EXPERIMENTAL   150
    #define MC_ROUTER_ADVERT            151
    #define MC_ROUTER_SOLICIT           152
    #define MC_ROUTER_TERMINATE         153
    #define FMIPV6_MSG                  154
    #define RPL_CONTROL_MSG             155
    #define LOCATOR_UDATE_MSG           156
    #define DUPL_ADDR_REQUEST           157
    #define DUPL_ADDR_CONFIRM           158
    #define MPL_CONTROL_MSG             159

Code:

    /** Destination Unreachable Message (type=1) Code: */
    #define ICMP6_DST_UNREACH_NOROUTE       0 /* no route to destination */
    #define ICMP6_DST_UNREACH_ADMIN         1 /* communication with destination */
                                              /* administratively prohibited */
    #define ICMP6_DST_UNREACH_BEYONDSCOPE   2 /* beyond scope of source address */
    #define ICMP6_DST_UNREACH_ADDR          3 /* address unreachable */
    #define ICMP6_DST_UNREACH_NOPORT        4 /* bad port */
    #define ICMP6_DST_UNREACH_FAILEDPOLICY  5 /* Source address failed ingress/egress policy */
    #define ICMP6_DST_UNREACH_REJECTROUTE   6 /* Reject route to destination */

    /** Time Exceeded Message (type=3) Code: */
    #define ICMP6_TIME_EXCEED_TRANSIT     0 /* Hop Limit == 0 in transit */
    #define ICMP6_TIME_EXCEED_REASSEMBLY  1 /* Reassembly time out */

    /** Parameter Problem Message (type=4) Code: */
    #define ICMP6_PARAMPROB_HEADER        0 /* erroneous header field */
    #define ICMP6_PARAMPROB_NEXTHEADER    1 /* unrecognized Next Header */
    #define ICMP6_PARAMPROB_OPTION        2 /* unrecognized IPv6 option */

ICMP embedding

  • For ICMPv4, when the type is 3--ICMP_DEST_UNREACH, 4--ICMP_SOURCE_QUENCH, 5--ICMP_REDIRECT, 11--ICMP_TIME_EXCEEDED or 12--ICMP_PARAMETERPROB, the ICMPv4 message can embed IPv4 + UDP/TCP/ICMPv4, quoting the IP and TCP/UDP header of the original packet that caused the error.

  • Likewise, for ICMPv6, when the type is 1--ICMP6_DST_UNREACH, 2--ICMP6_PACKET_TOO_BIG, 3--ICMP6_TIME_EXCEEDED or 4--ICMP6_PARAM_PROB, the message can embed IPv6 + UDP/TCP/ICMPv6, quoting the headers of the original packet that caused the error.
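As an added example (not Suricata's own decoder and not part of the original post), the C code below decodes an ICMPv4 message following the common header shown above: it verifies the RFC 1071 checksum that the icmpv4-csum keyword relies on, and for the error types listed in this section (3, 4, 5, 11, 12) it extracts the quoted IPv4 header plus the 64 bits of original data that carry the inner TCP/UDP ports. The struct, the function names and the sample Port Unreachable packet are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct icmp_info {
    uint8_t  type, code;
    int      csum_ok, has_embedded;    /* checksum verified / inner IPv4 + 8 bytes present */
    uint8_t  inner_proto;              /* inner IP protocol: 6 TCP, 17 UDP, 1 ICMP */
    uint32_t inner_src;                /* inner source address, host byte order */
    uint16_t inner_sport, inner_dport; /* first two 16-bit words after the inner IP header */
};

/* RFC 1071 one's-complement checksum over the whole ICMP message. */
static uint16_t icmp_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)p[i] << 8 | p[i + 1];
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode one ICMPv4 message (-1 if shorter than the 8-byte common header); for error
 * types 3, 4, 5, 11, 12 also pull the quoted IPv4 header + 64 bits of original data. */
int parse_icmpv4(const uint8_t *buf, size_t len, struct icmp_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 8) return -1;
    out->type = buf[0]; out->code = buf[1];
    out->csum_ok = icmp_checksum(buf, len) == 0;   /* a valid field makes the total sum 0 */
    uint8_t t = out->type;
    if (!(t == 3 || t == 4 || t == 5 || t == 11 || t == 12)) return 0;  /* nothing embedded */
    const uint8_t *in = buf + 8; size_t inlen = len - 8;   /* quoted IPv4 header starts here */
    if (inlen < 20 || (in[0] >> 4) != 4) return 0; /* truncated or not IPv4: has_embedded stays 0 */
    size_t ihl = (size_t)(in[0] & 0x0f) * 4;
    if (ihl < 20 || inlen < ihl + 8) return 0;     /* need the full IP header + 64 bits of data */
    out->has_embedded = 1;
    out->inner_proto = in[9];
    out->inner_src = (uint32_t)in[12] << 24 | (uint32_t)in[13] << 16 | in[14] << 8 | in[15];
    out->inner_sport = (uint16_t)(in[ihl] << 8 | in[ihl + 1]);
    out->inner_dport = (uint16_t)(in[ihl + 2] << 8 | in[ihl + 3]);
    return 0;
}

/* Constructed sample: Port Unreachable (type 3, code 3) quoting a UDP datagram
 * 192.168.1.10:1234 -> 192.168.1.1:53; writes 36 bytes with a valid checksum. */
size_t make_sample_port_unreach(uint8_t *buf) {
    static const uint8_t pkt[36] = { 3, 3, 0, 0, 0, 0, 0, 0,        /* ICMP hdr, csum zeroed */
        0x45, 0, 0, 29, 0, 1, 0, 0, 64, 17, 0, 0, 192, 168, 1, 10, 192, 168, 1, 1, /* inner IPv4 */
        0x04, 0xd2, 0x00, 0x35, 0, 9, 0, 0 };                        /* inner UDP 1234 -> 53 */
    memcpy(buf, pkt, sizeof pkt);
    uint16_t c = icmp_checksum(buf, sizeof pkt); buf[2] = (uint8_t)(c >> 8); buf[3] = (uint8_t)c;
    return sizeof pkt;
}
```

A message whose quoted header is truncated (shorter than the inner IHL plus 8 bytes) is reported with has_embedded = 0 rather than being read past its end, which is the case a decoder must handle before trusting the inner ports.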


ICMP attacks

  • ICMPv6 Flood

alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; content:"|03|"; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,http://www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; )

  • ICMP Smurf Scan

In a Smurf attack the source IP is set to the victim's address and ICMP messages (usually Echo Requests) are sent to many hosts; the receiving hosts are fooled by the spoofed source and return Echo Replies (Type=0) to the victim, so junk traffic clogs the victim's link.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

  • ICMP Invalid checksum

alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; classtype:protocol-command-decode; sid:2200076; rev:2;)

alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; classtype:protocol-command-decode; sid:2200079; rev:2;)

  • ICMP Redirect

This can be exploited for attacks and network eavesdropping. If some host A accepts ICMP Redirects, host B can send it an ICMP Redirect, after which all packets A sends to the specified destination are forwarded to host B; B can then eavesdrop, or the host ends up modifying its routing table as the attacker demands.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:2100436; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Suricata rule options used for ICMP matching

  1. itype:[<|>|<>]<number>;
     Example: this example looks for an ICMP type greater than 10: itype:>10;

  2. icode:[<|>|<>]<number>;
     Example: this example looks for an ICMP code greater than 5: icode:>5;

  3. icmp_id:<number>;
     Example: this example looks for an ICMP ID of 0: icmp_id:0;

  4. icmp_seq:<number>;
     Example: this example looks for an ICMP Sequence of 0: icmp_seq:0;

  5. icmpv6-csum:<valid/invalid>;

  6. icmpv4-csum:<valid/invalid>;

