
ICMP

The Internet Control Message Protocol:

  • Does not work without the IP protocol: ICMP messages are carried directly inside IP datagrams (IP protocol number 1), with no TCP or UDP in between.
  • Is used indirectly by network commands such as ping and traceroute.

With IPv6 the equivalent protocol is ICMPv6, and the commands follow suit (ping6; newer iputils versions let plain ping handle IPv6 addresses as well).

ICMP belongs to the network layer: layer 3 of the OSI model and the Internet layer of the TCP/IP model. It is a companion of IP rather than an application protocol, which is why firewall rules for it match on protocol "icmp" and on type/code instead of on ports.

ICMP header

It takes 8 bytes (64 bits):

Bits    0–7     8–15    16–23   24–31
0       Type    Code    Checksum
32      Rest of Header

Parts of an ICMP packet:

  • ICMP Type: the message type. 1 byte (8 bits), so 256 possible types.
  • ICMP Code: the subtype within that type (for example, which reason a destination is unreachable).
  • Checksum: 16-bit one's-complement checksum over the ICMP header and data (RFC 1071). A receiver that recomputes it over the whole message, checksum field included, must get zero.
  • Rest of Header: 4 bytes whose meaning depends on the type (identifier and sequence number for echo messages; unused for most error messages).
  • ICMP Message: the whole packet, header and data included. In error messages (types 3, 11 and 12) the data is the IP header plus the first 8 bytes of the datagram that caused the error, which is how the sender knows which of its packets was refused.

Message types

The messages seen in practice fall into three groups:

  • Those related to ping (Echo Request and Echo Reply). Ping-pong: checking whether a machine is alive.
  • Destination Unreachable packets: there are several reasons (codes) why a network, host, protocol or port is not reachable.
  • Packets related to the Time To Live: the packet's lifetime, counted in hops, has been exceeded.

ICMP type classification table (from RFC 792 and the IANA registry).

Type    Code  Description
0       0     Echo Reply (used to ping)
1–2     –     Reserved
3       0     Destination Unreachable: destination network unreachable
3       1     Destination Unreachable: destination host unreachable
3       2     Destination Unreachable: destination protocol unreachable
3       3     Destination Unreachable: destination port unreachable
3       4     Destination Unreachable: fragmentation required, and DF flag set
3       5     Destination Unreachable: source route failed
3       6     Destination Unreachable: destination network unknown
3       7     Destination Unreachable: destination host unknown
3       8     Destination Unreachable: source host isolated
3       9     Destination Unreachable: network administratively prohibited
3       10    Destination Unreachable: host administratively prohibited
3       11    Destination Unreachable: network unreachable for TOS
3       12    Destination Unreachable: host unreachable for TOS
3       13    Destination Unreachable: communication administratively prohibited
3       14    Destination Unreachable: host precedence violation
3       15    Destination Unreachable: precedence cutoff in effect
4       0     Source Quench (congestion control)
5       0     Redirect Message: redirect datagram for the network
5       1     Redirect Message: redirect datagram for the host
5       2     Redirect Message: redirect datagram for the TOS & network
5       3     Redirect Message: redirect datagram for the TOS & host
6       –     Alternate Host Address
7       –     Reserved
8       0     Echo Request (used to ping)
9       0     Router Advertisement
10      0     Router Solicitation (router discovery/selection/solicitation)
11      0     Time Exceeded: TTL expired in transit
11      1     Time Exceeded: fragment reassembly time exceeded
12      0     Parameter Problem (bad IP header): pointer indicates the error
12      1     Parameter Problem (bad IP header): missing a required option
12      2     Parameter Problem (bad IP header): bad length
13      0     Timestamp
14      0     Timestamp Reply
15      0     Information Request
16      0     Information Reply
17      0     Address Mask Request
18      0     Address Mask Reply
19      –     Reserved for security
20–29   –     Reserved for robustness experiment
30      0     Traceroute (information request)
31      –     Datagram Conversion Error
32      –     Mobile Host Redirect
33      –     Where-Are-You (originally meant for IPv6)
34      –     Here-I-Am (originally meant for IPv6)
35      –     Mobile Registration Request
36      –     Mobile Registration Reply
37      –     Domain Name Request
38      –     Domain Name Reply
39      –     SKIP Algorithm Discovery Protocol (Simple Key-Management for Internet Protocol)
40      –     Photuris, security failures
41      –     ICMP for experimental mobility protocols such as Seamoby (RFC 4065)
42–255  –     Reserved (at the time of writing)

Types 4 (Source Quench), 6, 15–18 and 30–39 were deprecated by RFC 6918 and current stacks ignore them; the types actually seen on networks today are 0, 3, 5, 8, 11 and 12.
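The header layout and the table above can be checked in code. The following Python is an added example, not code from the original page: it computes the RFC 1071 checksum, builds an Echo Request the way ping does, builds the Destination Unreachable message that a router (or, later on this page, an iptables REJECT rule) answers with, and parses both back into the type/code/checksum view Wireshark shows. The IPv4 header and the addresses 192.168.202.247 and 8.8.8.8 are constructed sample data; nothing is sent on the network.

```python
import struct

# Type/code names for the messages that appear on this page (subset of the table above).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {
    0: "Destination network unreachable",
    1: "Destination host unreachable",
    2: "Destination protocol unreachable",
    3: "Destination port unreachable",
    4: "Fragmentation required, and DF flag set",
}
TIME_EXCEEDED_CODES = {0: "TTL expired in transit", 1: "Fragment reassembly time exceeded"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with zero for the sum
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """Type 8 (request) or 0 (reply), code 0. 'Rest of header' = identifier + sequence."""
    icmp_type = 0 if reply else 8
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)  # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_unreachable(code: int, offending_datagram: bytes) -> bytes:
    """Type 3 as a router or a REJECT target sends it: rest-of-header unused (zero), body quotes
    the offending IP header plus the first 8 bytes of its payload."""
    ihl = (offending_datagram[0] & 0x0F) * 4
    quoted = offending_datagram[: ihl + 8]
    header = struct.pack("!BBHI", 3, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted


def constructed_ipv4_header(src: str, dst: str, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for test data (DF set, TTL 64, protocol 1 = ICMP).
    The IP checksum is left at zero: this is constructed sample input, never sent."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 1, 0,
                       to_bytes(src), to_bytes(dst))


def parse_icmp(packet: bytes) -> dict:
    """Decode type/code, verify the checksum and describe the message as Wireshark would."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes, got %d" % len(packet))
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    info = {
        "type": icmp_type,
        "code": code,
        # Summing the whole message, checksum field included, must give zero when intact.
        "checksum_ok": icmp_checksum(packet) == 0,
        "type_name": ICMP_TYPES.get(icmp_type, "type %d" % icmp_type),
    }
    if icmp_type in (0, 8):
        info["id"], info["seq"] = struct.unpack("!HH", packet[4:8])
        info["payload"] = packet[8:]
    elif icmp_type in (3, 11):
        names = UNREACHABLE_CODES if icmp_type == 3 else TIME_EXCEEDED_CODES
        info["code_name"] = names.get(code, "code %d" % code)
        quoted = packet[8:]
        if len(quoted) < 20:
            raise ValueError("error message must quote at least the offending IP header")
        ihl = (quoted[0] & 0x0F) * 4
        # The quoted header says which packet was refused: its protocol and destination.
        info["original_proto"] = quoted[9]
        info["original_dst"] = ".".join(str(b) for b in quoted[16:20])
        info["original_l4"] = quoted[ihl: ihl + 8]  # for echo: type, code, csum, id, seq
    return info


def demo() -> dict:
    """Echo request to 8.8.8.8 and the 'host unreachable' a REJECT rule would answer with."""
    request = build_echo(0x1234, 1, b"abcdefgh")
    ip = constructed_ipv4_header("192.168.202.247", "8.8.8.8", 20 + len(request))
    unreachable = build_unreachable(1, ip + request)
    return {"request": parse_icmp(request), "unreachable": parse_icmp(unreachable)}


if __name__ == "__main__":
    for name, parsed in demo().items():
        print(name, parsed)
```

The quoted header in the type 3 message is what lets ping print "From 192.168.202.247 icmp_seq=1 Destination Host Unreachable": it matches the identifier and sequence in the quoted 8 bytes against the request it sent. A checksum failure in the parser is what Wireshark flags as a bad ICMP checksum.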

With iptables we can choose which ICMP error message is sent back when a packet is rejected (REJECT --reject-with ...), so we can generate the ICMP packet types we want and capture them.

Echo Reply and Echo Request

We can see the ping sequence number (icmp_seq, here 9) and, among other fields, the checksum, which Wireshark recomputes to confirm the packet arrived intact.

We can check that ping sends type 8, Request:

ICMP.png

and that the answer arrives as type 0, Reply:

ICMP1.png

Destination Unreachable

A ping may or may not reach its destination. When nothing answers (for example, ping 8.8.8.7) either the packet was silently dropped somewhere along the way (DROP: the packet arrives somewhere, is discarded, and nobody answers) or a router on the path answered with an ICMP error.

In the second case the gateway (192.168.203.1) tells us it cannot reach the machine: it is the router that answers, not the destination.

Here, for example, we ping a machine we cannot reach, so we send the outbound packet but nothing comes back. Only the request (type 8) is seen:

ICMP2.png

Here we do get a reply from the router telling us the packet did not reach its destination. We can see it is type 3 (Destination Unreachable) with code 1 (host unreachable):

ICMP3.png

IPTABLES

We will now add rules to our iptables to deny or reject pings, making the firewall send different ICMP error messages.

First we list the rules already configured (here the chains that ufw installs) so that we can add and remove rules afterwards without conflicts. Note that ufw's ufw-before-input chain already ACCEPTs the ICMP types a host needs to behave well (destination-unreachable, time-exceeded, parameter-problem, echo-request), and that its ufw-user-limit chain rejects with icmp-port-unreachable, which is the iptables default for REJECT.

# ufw enable
Firewall is active and enabled on system startup
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination         

First we set up IP aliasing to add a second IP address to our machine (on current systems the same thing is done with ip addr add 192.168.202.248/24 dev eth0 label eth0:1, since ifconfig is deprecated):

# ifconfig eth0:1 192.168.202.248
# ifconfig
eth0      Link encap:Ethernet  direcciónHW ec:b1:d7:55:d3:67  
          Direc. inet:192.168.202.247  Difus.:192.168.202.255  Másc:255.255.255.0
          Dirección inet6: fe80::eeb1:d7ff:fe55:d367/64 Alcance:Enlace
          ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST  MTU:1500  Métrica:1
          Paquetes RX:47868 errores:0 perdidos:0 overruns:0 frame:0
          Paquetes TX:20144 errores:0 perdidos:0 overruns:0 carrier:0
          colisiones:0 long.colaTX:1000 
          Bytes RX:22228485 (22.2 MB)  TX bytes:3329632 (3.3 MB)
          Interrupción:20 Memoria:f7c00000-f7c20000 

eth0:1    Link encap:Ethernet  direcciónHW ec:b1:d7:55:d3:67  
          Direc. inet:192.168.202.248  Difus.:192.168.202.255  Másc:255.255.255.0
          ACTIVO DIFUSIÓN FUNCIONANDO MULTICAST  MTU:1500  Métrica:1
          Interrupción:20 Memoria:f7c00000-f7c20000 

lo        Link encap:Bucle local  
          Direc. inet:127.0.0.1  Másc:255.0.0.0
          Dirección inet6: ::1/128 Alcance:Anfitrión
          ACTIVO BUCLE FUNCIONANDO  MTU:65536  Métrica:1
          Paquetes RX:1986 errores:0 perdidos:0 overruns:0 frame:0
          Paquetes TX:1986 errores:0 perdidos:0 overruns:0 carrier:0
          colisiones:0 long.colaTX:0 
          Bytes RX:528502 (528.5 KB)  TX bytes:528502 (528.5 KB)

Ping, MTU and fragmentation

(captures missing)

A quick MTU test is ping -M do -s 1472 host: -M do sets the DF (don't fragment) flag, and 1472 bytes of payload plus the 8-byte ICMP header and the 20-byte IP header fill a 1500-byte MTU exactly. With a larger -s a router on the path answers with type 3 code 4 (Fragmentation required, and DF flag set), the message Path MTU Discovery depends on.

The /proc directory is a virtual filesystem kept in memory, not on disk. Under /proc/sys/net/ipv4/ we can tune the kernel's ICMP options, for example the minimum spacing, in milliseconds, between the ICMP error packets it sends (0 disables the limit; the default is 1000):

# echo 200 > /proc/sys/net/ipv4/icmp_ratelimit

Ping and multicast or broadcast

Multicast goes to a group; broadcast goes to everyone on the segment.

# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Now hosts with this setting should answer broadcast pings. The Linux default is 1 (ignore) for a good reason: a host that answers echo requests sent to the broadcast address can be used as an amplifier against a spoofed source address (the classic Smurf attack), so only change it on a lab network and set it back to 1 afterwards.

We send a ping and see who answers; every answer after the first one for a given sequence number is marked DUP!:

# ping -b 192.168.202.255
WARNING: pinging broadcast address
PING 192.168.202.255 (192.168.202.255) 56(84) bytes of data.
64 bytes from 192.168.202.247: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 192.168.202.247: icmp_seq=1 ttl=64 time=0.241 ms (DUP!)
64 bytes from 192.168.202.247: icmp_seq=1 ttl=64 time=0.481 ms (DUP!)
64 bytes from 192.168.202.247: icmp_seq=1 ttl=64 time=0.489 ms (DUP!)
64 bytes from 192.168.202.247: icmp_seq=1 ttl=64 time=33.2 ms (DUP!)
64 bytes from 192.168.202.247: icmp_seq=2 ttl=64 time=0.028 ms
# ping -i 0 -s 1450 -b 192.168.202.255

With -i 0 (zero interval, root only) and a 1450-byte payload the same broadcast becomes a flood of near-MTU-sized packets.

This way we ignore all the ping requests we receive:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Here we flood the web server. With -f ping prints a "." for every request sent and erases one for every reply received, so the dots left on screen are the requests still waiting for a reply (with zero interval -f needs root, which is why sudo is used):

# sudo ping -f www.uoc.edu
PING www-orgf5.uoc.edu (213.73.40.242) 56(84) bytes of data.
..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

The most aggressive version would be -f (flood) with the maximum payload size (-s 65507, that is 65535 minus the 20-byte IP header and the 8-byte ICMP header).
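The flood and broadcast pings above are exactly what a host's firewall logs should make visible. The following Python is an added example, not code from the original page or from ufw: it parses kernel lines in the netfilter LOG format (the "[UFW BLOCK]" prefix comes from the ufw-logging-deny chain shown in the iptables -L output) and flags a source that sends too many Echo Requests in a short window (flood) or to too many different hosts (sweep). The log lines are constructed sample data; it assumes echo requests actually reach a LOG rule, which with ufw's stock /etc/ufw/before.rules means changing its echo-request ACCEPT line, since by default they are accepted before any logging.

```python
import re
from collections import defaultdict

# netfilter LOG format: "[uptime] [prefix] KEY=VALUE KEY=VALUE ..." (ufw uses prefix "[UFW BLOCK]").
LOG_RE = re.compile(r"\[\s*(?P<ts>\d+\.\d+)\]\s+\[(?P<prefix>[^\]]+)\]\s+(?P<kv>.*)$")
TOKEN_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line: str):
    """Return the LOG fields as a dict, or None for lines that are not netfilter LOG output."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"ts": float(m.group("ts")), "prefix": m.group("prefix")}
    for key, value in TOKEN_RE.findall(m.group("kv")):
        # ID= appears twice for ICMP (IP identification, then echo identifier): keep both.
        if key in fields:
            key = "ICMP_" + key
        fields[key] = value
    return fields


def detect_echo_abuse(lines, window=10.0, flood_threshold=50, sweep_threshold=8):
    """Flag sources sending too many Echo Requests (type 8) within `window` seconds (flood)
    or to too many distinct destinations (sweep). Returns [(kind, src, count), ...]."""
    by_src = defaultdict(list)
    for line in lines:
        f = parse_log_line(line)
        if f and f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            by_src[f["SRC"]].append(f)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for i, e in enumerate(events):  # sliding window over the kernel timestamps
            while e["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= flood_threshold:
            findings.append(("echo_flood", src, peak))
        targets = {e["DST"] for e in events}
        if len(targets) >= sweep_threshold:
            findings.append(("ping_sweep", src, len(targets)))
    return findings


def _log_line(ts, src, dst, proto="ICMP", tail="TYPE=8 CODE=0 ID=4567 SEQ=1"):
    """One constructed kernel log line in netfilter LOG format (sample data, not a real capture)."""
    return ("[%.6f] [UFW BLOCK] IN=eth0 OUT= MAC=ec:b1:d7:55:d3:67:00:11:22:33:44:55:08:00 "
            "SRC=%s DST=%s LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=54321 PROTO=%s %s"
            % (ts, src, dst, proto, tail))


def constructed_sample_log():
    """Constructed sample: a ping -f style burst, a sweep of the /24, normal pings, one TCP SYN."""
    lines = [_log_line(1000.0 + i * 0.03, "192.168.202.219", "192.168.202.247") for i in range(60)]
    lines += [_log_line(2000.0 + i, "10.0.0.5", "192.168.202.%d" % (10 + i)) for i in range(10)]
    lines += [_log_line(3000.0 + i, "192.168.202.1", "192.168.202.247") for i in range(2)]
    lines.append(_log_line(3005.0, "192.168.202.50", "192.168.202.247", proto="TCP",
                           tail="SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0"))
    return lines


if __name__ == "__main__":
    for finding in detect_echo_abuse(constructed_sample_log()):
        print("%s from %s (%d)" % finding)
```

Real syslog lines carry a "Mar 12 10:01:02 host kernel: " prefix before the bracketed uptime; LOG_RE uses search rather than match, so they parse the same way. The thresholds are assumptions to tune per network: a single ping -f produces well over 50 requests in 10 seconds, while a monitoring host polling a few machines every minute never will.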


Ping as traceroute

With -nR we can use ping as a crude traceroute: -R sets the IP Record Route option, so every router on the way appends its address to the packet, and -n prints those addresses without resolving names. Record Route only has room for 9 addresses and many routers ignore or strip the option, so traceroute, which works with the TTL as shown below, is more reliable.

By increasing the packet size and the send rate we can consume a lot of bandwidth. In this case, about 2 MB:

# ping -i 0.000005 -s 23500 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 23500(23528) bytes of data.
23508 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=13.8 ms
23508 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=13.5 ms
23508 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=13.8 ms
23508 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=13.7 ms
23508 bytes from 8.8.8.8: icmp_seq=5 ttl=55 time=13.6 ms
23508 bytes from 8.8.8.8: icmp_seq=6 ttl=55 time=13.8 ms
23508 bytes from 8.8.8.8: icmp_seq=7 ttl=55 time=14.1 ms
23508 bytes from 8.8.8.8: icmp_seq=8 ttl=55 time=13.8 ms
23508 bytes from 8.8.8.8: icmp_seq=9 ttl=55 time=14.0 ms
23508 bytes from 8.8.8.8: icmp_seq=10 ttl=55 time=13.6 ms
23508 bytes from 8.8.8.8: icmp_seq=11 ttl=55 time=13.5 ms
23508 bytes from 8.8.8.8: icmp_seq=12 ttl=55 time=13.7 ms

In the ping output, ttl is the Time To Live of the reply, but it is not a time: it is the number of hops the packet may still travel, decremented by one at every router. Comparing it with the usual initial values (64, 128 or 255) gives an estimate of how far away the replying host is: ttl=55 above suggests the reply crossed 64 - 55 = 9 routers, close to the 8 forward hops the traceroute below shows (return paths need not be symmetric).

With -t we set the TTL of the packets we send. For example, here we first run a traceroute and then ping with -t 1: the first hop is the router, so if we give the packet only 1 hop the router is the one that answers, with a Time Exceeded message (type 11, code 0):

# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.202.1 (192.168.202.1)  0.158 ms  0.138 ms  0.230 ms
 2  185-13-76-129-ipv4.ebretic.com (185.13.76.129)  3.532 ms  3.556 ms  3.553 ms
 3  212.74.67.117 (212.74.67.117)  4.851 ms  5.527 ms  5.592 ms
 4  xe0-0-2-pr3.MAD.router.colt.net (212.74.86.149)  12.466 ms  12.430 ms  12.436 ms
 5  72.14.219.70 (72.14.219.70)  12.429 ms  12.427 ms  12.425 ms
 6  72.14.232.191 (72.14.232.191)  12.628 ms  12.385 ms 72.14.234.37 (72.14.234.37)  13.059 ms
 7  216.239.48.245 (216.239.48.245)  12.376 ms 216.239.50.87 (216.239.50.87)  12.658 ms 216.239.49.81 (216.239.49.81)  12.819 ms
 8  google-public-dns-a.google.com (8.8.8.8)  12.449 ms  12.079 ms  11.924 ms
# ping -t 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.202.1 icmp_seq=1 Time to live exceeded
From 192.168.202.1 icmp_seq=2 Time to live exceeded
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms

Practical cases: ICMP Unreachable

  • In the first case we tell iptables to answer with Destination Net Unreachable whenever we send anything to host 8.8.8.8. Because the REJECT sits in our own OUTPUT chain, the error is generated locally: sendto() fails immediately instead of the packet leaving the machine, so ping reports the error and retries the same request (icmp_seq=1) without waiting for the usual one-second interval. That is why the statistics show 0 packets transmitted and 4 errors.
# iptables -A OUTPUT -d 8.8.8.8 -j REJECT --reject-with icmp-net-unreachable
# ping 8.8.8.8 -c 4
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.202.247 icmp_seq=1 Destination Net Unreachable
From 192.168.202.247 icmp_seq=1 Destination Net Unreachable
From 192.168.202.247 icmp_seq=1 Destination Net Unreachable
From 192.168.202.247 icmp_seq=1 Destination Net Unreachable

--- 8.8.8.8 ping statistics ---
0 packets transmitted, 0 received, +4 errors
  • Now we do it with a classmate, since we will use INPUT rules and want to see the packet in Wireshark.

PC1 (Manel): 192.168.202.247   PC2 (Alex): 192.168.202.219

Our classmate has defined the rule in his iptables.


Once the rule is defined we ping him and get the following response:

# ping 192.168.202.219 -c 4
PING 192.168.202.219 (192.168.202.219) 56(84) bytes of data.
From 192.168.202.219 icmp_seq=1 Destination Host Unreachable
From 192.168.202.219 icmp_seq=2 Destination Host Unreachable
From 192.168.202.219 icmp_seq=3 Destination Host Unreachable
From 192.168.202.219 icmp_seq=4 Destination Host Unreachable

Capturing the packet with Wireshark we can check that it is a Destination Unreachable (type 3) with code 1 (host unreachable). So we send the echo request and his machine answers with an error message instead of an echo reply.

Ping desti host.png
  • Now we become the receiver and he the sender, so we add the rule ourselves. Note that -s 192.168.202.219/24 matches the whole 192.168.202.0/24 network (iptables lists it as 192.168.202.0/24), not only his host; leave the mask out, or use /32, to match a single address.
# iptables -A INPUT -s 192.168.202.219/24 -j REJECT --reject-with icmp-net-unreachable

He pings us, and here we capture the packet and see how we answer with the corresponding error message: type 3, code 0 (net unreachable).

ICMP5.png
  • We are the sender again and ping our classmate so that the error message is shown to us. This time his rule rejects with icmp-proto-unreachable, so we get type 3, code 2 (protocol unreachable).

Here we can see the message:

# ping 192.168.202.219 -c4
PING 192.168.202.219 (192.168.202.219) 56(84) bytes of data.
From 192.168.202.219 icmp_seq=1 Destination Protocol Unreachable
From 192.168.202.219 icmp_seq=2 Destination Protocol Unreachable
From 192.168.202.219 icmp_seq=3 Destination Protocol Unreachable
From 192.168.202.219 icmp_seq=4 Destination Protocol Unreachable

--- 192.168.202.219 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3003ms

Here we see the reply with the correct code in Wireshark:

ICMP8.png
  • Here we have the 3/3 reply, Destination Port Unreachable (type 3, code 3), produced by --reject-with icmp-port-unreachable, which is also what REJECT sends when no --reject-with is given:
# ping 192.168.202.219
PING 192.168.202.219 (192.168.202.219) 56(84) bytes of data.
From 192.168.202.219 icmp_seq=1 Destination Port Unreachable
From 192.168.202.219 icmp_seq=2 Destination Port Unreachable
From 192.168.202.219 icmp_seq=3 Destination Port Unreachable
From 192.168.202.219 icmp_seq=4 Destination Port Unreachable
From 192.168.202.219 icmp_seq=5 Destination Port Unreachable
From 192.168.202.219 icmp_seq=6 Destination Port Unreachable

And here is the packet with its code in Wireshark:

ICMP6.png

A note on choosing between REJECT and DROP: REJECT answers at once, so the sender fails fast but the code tells it (and any attacker) exactly why, and that a filtering host exists; DROP reveals nothing but leaves legitimate clients waiting for timeouts. Whatever is chosen for echo requests, inbound type 3 code 4 (Fragmentation required) and type 11 (Time Exceeded) should still be accepted, as ufw's before-input chain above does, or Path MTU Discovery and traceroute break.

See also