Women at work

I have a PhD in electrical engineering and have been teaching and doing programming and IT for ... too many years (specializing in networks and security). I am not going to disclose my age! I am one of very few women of my age who STAYED in the field, since it is a super competitive macho field. But here I am! I use my engineering skills for everything I do. In this blog, I will share anything from technical to social comments on technology.

Tuesday, May 30, 2017

ping before you scan

ICMP

The ICMP protocol is used for control and inquiry messages.
ICMP carries many different kinds of messages, as can be seen from the type field in its header.
ping probes can come in many flavors, for example some tools use UDP or TCP packets, but most often ping packets are ICMP echo request and echo reply messages.
Other common ICMP messages include source quench (buffers getting full), TTL exceeded (traceroute uses this), host unreachable, etc.

ping is the most notorious type of ICMP message, as it is used as a precursor for attack. Hackers will ping a selected range of computers first, to find out which computers are “live.” The next step is to scan the “live” computers. Therefore, pings are often prohibited by firewalls, so do not be surprised if your ping request times out because the receiver is “unreachable.” It could be unreachable because it does not exist, or because it is down, or because it is behind a firewall that rejects pings.
How does ping work? The sender issues an ICMP echo request message, and the receiver replies with an ICMP echo reply message.

Another use of ICMP is traceroute. It relies on the fact that the network layer does some garbage removal: routers decrement TTL, and the network layer removes messages with TTL=0.
This feature exists because the network layer tries to prevent packets from floating around the network forever without ever getting to the destination (the flying Dutchman syndrome); it tries to prevent packets from flooding the network and overflowing receiving queues.
Network layer garbage removal:
1. When the network gets congested and a router queue gets full, that router will drop packets. It will inform the sender of those packets that it has junked the packets.
2. Whenever a packet gets to a router, its time-to-live (TTL) is decremented. If TTL==0, the packet gets junked by the router.

Issue: how will the router inform the sending party that it is dropping packets?
Solution: the router will send an ICMP source quench message.

Review: how does this fit in with TCP windowing? Remember TCP congestion control? When the network gets clogged and packets get dropped, TCP starts its congestion control protocol: timers will be prolonged, sender window size will shrink.

How does traceroute work? The sender sends a message with TTL=1. (This is not a special message; it does not have to use any special protocol.) The first router will decrement TTL, drop the packet, and send back an ICMP TTL exceeded message. Then the sender sends a message with TTL=2. This message will make it to the second router on the path. And so on, until the final destination is reached.
traceroute usually sends many messages with one value of TTL. Why? Because the Internet is packet switched and there are many ways to get from one location to another. Sending many messages gives greater confidence that all possible paths will be found. It is typical to send 3 or 5 messages with the same TTL.
Hackers usually do not attack routers on the way to their victim, because they need routers to be able to “retract.”
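The TTL mechanics described above, as an added simulation that is not part of the original post: each router on a modelled path decrements TTL and, when it hits zero, junks the probe and sends back an ICMP TTL exceeded (type 11) message; the destination answers with an echo reply. The simulation also models two things a reader should recognise in real output: a hop made of two equal-cost routers, which only shows up completely because several probes are sent per TTL, and a firewalled router or destination that silently discards probes, which the sender sees as a timeout (printed as `*`). It assumes ICMP echo probes (one of the flavors mentioned in the post), a simplistic per-probe load-balancing rule, and constructed addresses from the RFC 5737 documentation ranges; `Node`, `Probe`, `forward` and `traceroute` are hypothetical names, not a real tool's API.

```python
from dataclasses import dataclass
from typing import List, Optional

# ICMP types involved (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11      # "time to live exceeded in transit"


@dataclass
class Node:
    addr: str
    filters_icmp: bool = False   # models a firewall that silently discards probes


@dataclass
class Probe:
    src: str
    dst: str
    ttl: int
    seq: int


@dataclass
class Reply:
    from_addr: str
    icmp_type: int


def forward(probe: Probe, hops: List[List[Node]], dst: Node) -> Optional[Reply]:
    """Carry one probe across the path. Each hop is a list of equal-cost routers; the
    (hypothetical) load-balancing rule picks one by probe sequence number.
    Returns the ICMP reply the sender gets, or None when it hears nothing (timeout)."""
    for alternatives in hops:
        router = alternatives[probe.seq % len(alternatives)]
        probe.ttl -= 1                       # every router decrements TTL
        if probe.ttl == 0:                   # garbage removal: junk the packet ...
            if router.filters_icmp:
                return None                  # ... silently, if the router is firewalled
            return Reply(router.addr, ICMP_TIME_EXCEEDED)   # ... and tell the sender
    if dst.filters_icmp:                     # destination behind a firewall rejecting pings
        return None
    return Reply(dst.addr, ICMP_ECHO_REPLY)


def traceroute(hops: List[List[Node]], dst: Node, probes_per_ttl: int = 3,
               max_ttl: int = 30, src: str = "192.0.2.100"):
    """Send probes_per_ttl probes at TTL=1, 2, ... until the destination answers or
    max_ttl is reached. Returns [(ttl, [responder address or '*' per probe]), ...]."""
    trace = []
    for ttl in range(1, max_ttl + 1):
        responders, reached = [], False
        for seq in range(probes_per_ttl):
            reply = forward(Probe(src, dst.addr, ttl, seq), hops, dst)
            if reply is None:
                responders.append("*")       # what the tool prints on a timeout
            else:
                responders.append(reply.from_addr)
                reached = reached or reply.icmp_type == ICMP_ECHO_REPLY
        trace.append((ttl, responders))
        if reached:
            break
    return trace


# Constructed sample path (RFC 5737 documentation addresses, not real hosts).
SAMPLE_HOPS = [
    [Node("192.0.2.1")],
    [Node("192.0.2.5"), Node("192.0.2.6")],    # two equal-cost routers at hop 2
    [Node("192.0.2.9", filters_icmp=True)],    # a router that never answers
]
SAMPLE_DST = Node("198.51.100.7")

if __name__ == "__main__":
    for ttl, who in traceroute(SAMPLE_HOPS, SAMPLE_DST):
        print(f"{ttl:2d}  {'  '.join(who)}")
```

Running it prints hop 3 as `*  *  *` even though the path continues, which is the point made earlier about pings: a silent hop or destination may be filtered rather than down. Dropping `probes_per_ttl` to 1 makes the second router at hop 2 disappear from the output, which is why real tools send 3 or 5 probes per TTL.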
