ICMP协议
Common header(前4字节Type/Code/Checksum是所有ICMP报文共有的;其后的字段是差错报文(如Destination Unreachable)的格式,见RFC792)
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             unused                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Internet Header + 64 bits of Original Data Datagram      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
ICMPV4
Type:
/*
 * ICMPv4 message types (RFC 792; types 9 and 10 from RFC 1256).
 * Every name is wrapped in #ifndef so that a system header that already
 * defines it takes precedence and no redefinition warning is raised.
 * Types 3, 4, 5, 11 and 12 are error messages: their body carries the
 * IP header plus the first 64 bits of the datagram that triggered them.
 */
#ifndef ICMP_ECHOREPLY
#define ICMP_ECHOREPLY 0 /* Echo Reply (answer to type 8) */
#endif
#ifndef ICMP_DEST_UNREACH
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable (error; code values below) */
#endif
#ifndef ICMP_SOURCE_QUENCH
#define ICMP_SOURCE_QUENCH 4 /* Source Quench (deprecated by RFC 6633; receivers should ignore it) */
#endif
#ifndef ICMP_REDIRECT
#define ICMP_REDIRECT 5 /* Redirect (change route); can alter a host's routing, see the Redirect attack section below */
#endif
#ifndef ICMP_ECHO
#define ICMP_ECHO 8 /* Echo Request */
#endif
#ifndef ICMP_ROUTERADVERT
#define ICMP_ROUTERADVERT 9 /* Router Advertisement (RFC 1256) */
#endif
#ifndef ICMP_ROUTERSOLICIT
#define ICMP_ROUTERSOLICIT 10 /* Router Solicitation (RFC 1256) */
#endif
#ifndef ICMP_TIME_EXCEEDED
#define ICMP_TIME_EXCEEDED 11 /* Time Exceeded (error; code values below) */
#endif
#ifndef ICMP_PARAMETERPROB
#define ICMP_PARAMETERPROB 12 /* Parameter Problem (error) */
#endif
#ifndef ICMP_TIMESTAMP
#define ICMP_TIMESTAMP 13 /* Timestamp Request */
#endif
#ifndef ICMP_TIMESTAMPREPLY
#define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
#endif
#ifndef ICMP_INFO_REQUEST
#define ICMP_INFO_REQUEST 15 /* Information Request (deprecated by RFC 6918) */
#endif
#ifndef ICMP_INFO_REPLY
#define ICMP_INFO_REPLY 16 /* Information Reply (deprecated by RFC 6918) */
#endif
#ifndef ICMP_ADDRESS
#define ICMP_ADDRESS 17 /* Address Mask Request (deprecated by RFC 6918) */
#endif
#ifndef ICMP_ADDRESSREPLY
#define ICMP_ADDRESSREPLY 18 /* Address Mask Reply (deprecated by RFC 6918) */
#endif
#ifndef NR_ICMP_TYPES
#define NR_ICMP_TYPES 18 /* highest type value defined above (inclusive bound, not a count) */
#endif
Code:
/*
 * ICMPv4 code values (second header byte). A code is only meaningful for
 * the Type named in the section comment above it. Type 3 codes 6-15 were
 * added after RFC 792 (RFC 1122 and RFC 1812) and may be missing from
 * older header files, hence the #ifndef guards.
 */
/* Codes for Type3 UNREACH. */
#ifndef ICMP_NET_UNREACH
#define ICMP_NET_UNREACH 0 /* Network Unreachable */
#endif
#ifndef ICMP_HOST_UNREACH
#define ICMP_HOST_UNREACH 1 /* Host Unreachable */
#endif
#ifndef ICMP_PROT_UNREACH
#define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */
#endif
#ifndef ICMP_PORT_UNREACH
#define ICMP_PORT_UNREACH 3 /* Port Unreachable */
#endif
#ifndef ICMP_FRAG_NEEDED
#define ICMP_FRAG_NEEDED 4 /* Fragmentation Needed/DF set (used by path-MTU discovery) */
#endif
#ifndef ICMP_SR_FAILED
#define ICMP_SR_FAILED 5 /* Source Route failed */
#endif
#ifndef ICMP_NET_UNKNOWN
#define ICMP_NET_UNKNOWN 6 /* Destination network unknown */
#endif
#ifndef ICMP_HOST_UNKNOWN
#define ICMP_HOST_UNKNOWN 7 /* Destination host unknown */
#endif
#ifndef ICMP_HOST_ISOLATED
#define ICMP_HOST_ISOLATED 8 /* Source host isolated */
#endif
#ifndef ICMP_NET_ANO
#define ICMP_NET_ANO 9 /* Network administratively prohibited */
#endif
#ifndef ICMP_HOST_ANO
#define ICMP_HOST_ANO 10 /* Host administratively prohibited */
#endif
#ifndef ICMP_NET_UNR_TOS
#define ICMP_NET_UNR_TOS 11 /* Network unreachable for type of service */
#endif
#ifndef ICMP_HOST_UNR_TOS
#define ICMP_HOST_UNR_TOS 12 /* Host unreachable for type of service */
#endif
#ifndef ICMP_PKT_FILTERED
#define ICMP_PKT_FILTERED 13 /* Packet filtered */
#endif
#ifndef ICMP_PREC_VIOLATION
#define ICMP_PREC_VIOLATION 14 /* Precedence violation */
#endif
#ifndef ICMP_PREC_CUTOFF
#define ICMP_PREC_CUTOFF 15 /* Precedence cut off */
#endif
#ifndef NR_ICMP_UNREACH
#define NR_ICMP_UNREACH 15 /* instead of hardcoding immediate value; highest Type 3 code above */
#endif
/* Codes for Type5 REDIRECT. */
#ifndef ICMP_REDIR_NET
#define ICMP_REDIR_NET 0 /* Redirect Net */
#endif
#ifndef ICMP_REDIR_HOST
#define ICMP_REDIR_HOST 1 /* Redirect Host */
#endif
#ifndef ICMP_REDIR_NETTOS
#define ICMP_REDIR_NETTOS 2 /* Redirect Net for TOS */
#endif
#ifndef ICMP_REDIR_HOSTTOS
#define ICMP_REDIR_HOSTTOS 3 /* Redirect Host for TOS (the Suricata redirect rule below matches icode:3) */
#endif
/* Codes for Type11 TIME_EXCEEDED. */
#ifndef ICMP_EXC_TTL
#define ICMP_EXC_TTL 0 /* TTL count exceeded (in transit) */
#endif
#ifndef ICMP_EXC_FRAGTIME
#define ICMP_EXC_FRAGTIME 1 /* Fragment Reass time exceeded */
#endif
ICMPV6
Type:
/*
 * ICMPv6 message types (RFC 4443 plus later IANA registrations). The high
 * bit of the type byte separates error messages (<128) from informational
 * ones (>=128). Unlike the ICMPv4 list above these are not #ifndef-guarded,
 * so they will be redefined if a system header declaring the same names is
 * included as well.
 */
/** Error Messages: (type <128) */
#define ICMP6_DST_UNREACH 1 /* Destination Unreachable (code values below) */
#define ICMP6_PACKET_TOO_BIG 2 /* Packet Too Big (code 0 only; carries the link MTU) */
#define ICMP6_TIME_EXCEEDED 3 /* Time Exceeded (code values below) */
#define ICMP6_PARAM_PROB 4 /* Parameter Problem (code values below) */
/** Informational Messages (type>=128) */
#define ICMP6_ECHO_REQUEST 128 /* Echo Request */
#define ICMP6_ECHO_REPLY 129 /* Echo Reply */
#define MLD_LISTENER_QUERY 130 /* Multicast Listener Query */
#define MLD_LISTENER_REPORT 131 /* Multicast Listener Report */
#define MLD_LISTENER_REDUCTION 132 /* Multicast Listener Done */
#define ND_ROUTER_SOLICIT 133 /* Neighbor Discovery: Router Solicitation */
#define ND_ROUTER_ADVERT 134 /* Neighbor Discovery: Router Advertisement (the RA-flood rule below matches itype:134) */
#define ND_NEIGHBOR_SOLICIT 135 /* Neighbor Discovery: Neighbor Solicitation */
#define ND_NEIGHBOR_ADVERT 136 /* Neighbor Discovery: Neighbor Advertisement */
#define ND_REDIRECT 137 /* Neighbor Discovery: Redirect */
#define ICMP6_RR 138 /* Router Renumbering */
#define ICMP6_NI_QUERY 139 /* Node Information Query */
#define ICMP6_NI_REPLY 140 /* Node Information Response */
#define ND_INVERSE_SOLICIT 141 /* Inverse Neighbor Discovery Solicitation */
#define ND_INVERSE_ADVERT 142 /* Inverse Neighbor Discovery Advertisement */
#define MLD_V2_LIST_REPORT 143 /* MLDv2 Multicast Listener Report */
#define HOME_AGENT_AD_REQUEST 144 /* Home Agent Address Discovery Request */
#define HOME_AGENT_AD_REPLY 145 /* Home Agent Address Discovery Reply */
#define MOBILE_PREFIX_SOLICIT 146 /* Mobile Prefix Solicitation */
#define MOBILE_PREFIX_ADVERT 147 /* Mobile Prefix Advertisement */
#define CERT_PATH_SOLICIT 148 /* Certification Path Solicitation (SEND) */
#define CERT_PATH_ADVERT 149 /* Certification Path Advertisement (SEND) */
#define ICMP6_MOBILE_EXPERIMENTAL 150 /* experimental mobility protocols (RFC 4065) */
#define MC_ROUTER_ADVERT 151 /* Multicast Router Advertisement */
#define MC_ROUTER_SOLICIT 152 /* Multicast Router Solicitation */
#define MC_ROUTER_TERMINATE 153 /* Multicast Router Termination */
#define FMIPV6_MSG 154 /* FMIPv6 messages */
#define RPL_CONTROL_MSG 155 /* RPL Control Message */
#define LOCATOR_UDATE_MSG 156 /* Locator Update Message (identifier spelling kept as given) */
#define DUPL_ADDR_REQUEST 157 /* Duplicate Address Request */
#define DUPL_ADDR_CONFIRM 158 /* Duplicate Address Confirmation */
#define MPL_CONTROL_MSG 159 /* MPL Control Message */
Code:
/*
 * ICMPv6 code values for the error message types above (RFC 4443).
 * Destination Unreachable codes 5 and 6 were added by RFC 4443 and may be
 * absent from older header files. Packet Too Big (type=2) has only code 0.
 */
/** Destination Unreachable Message (type=1) Code: */
#define ICMP6_DST_UNREACH_NOROUTE 0 /* no route to destination */
#define ICMP6_DST_UNREACH_ADMIN 1 /* communication with destination */
/* administratively prohibited */
#define ICMP6_DST_UNREACH_BEYONDSCOPE 2 /* beyond scope of source address */
#define ICMP6_DST_UNREACH_ADDR 3 /* address unreachable */
#define ICMP6_DST_UNREACH_NOPORT 4 /* bad port */
#define ICMP6_DST_UNREACH_FAILEDPOLICY 5 /* Source address failed ingress/egress policy */
#define ICMP6_DST_UNREACH_REJECTROUTE 6 /* Reject route to destination */
/** Time Exceeded Message (type=3) Code: */
#define ICMP6_TIME_EXCEED_TRANSIT 0 /* Hop Limit == 0 in transit */
#define ICMP6_TIME_EXCEED_REASSEMBLY 1 /* Reassembly time out */
/** Parameter Problem Message (type=4) Code: */
#define ICMP6_PARAMPROB_HEADER 0 /* erroneous header field */
#define ICMP6_PARAMPROB_NEXTHEADER 1 /* unrecognized Next Header */
#define ICMP6_PARAMPROB_OPTION 2 /* unrecognized IPv6 option */
ICMP内嵌
- 对于ICMPv4来说,当type为3--ICMP_DEST_UNREACH,4--ICMP_SOURCE_QUENCH,5--ICMP_REDIRECT,11--ICMP_TIME_EXCEEDED,12--ICMP_PARAMETERPROB时,ICMPv4报文可以内嵌IPv4头+UDP/TCP/ICMPv4头,用来指示导致差错的原始报文的IP和TCP/UDP头部信息
- 同理,对于ICMPv6来说,当type为1--ICMP6_DST_UNREACH,2--ICMP6_PACKET_TOO_BIG,3--ICMP6_TIME_EXCEEDED,4--ICMP6_PARAM_PROB时,也可以内嵌IPv6头+UDP/TCP/ICMPv6头,用来指示导致差错的原始报文的头部信息
ICMP攻击
- ICMPv6 Flood
alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; content:"|03|"; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,http://www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; )
- ICMP Smurf Scan
Smurf攻击把源IP伪造为受害者IP,然后向多台主机发送ICMP报文(通常是ECHO请求,Type=8),这些收到报文的主机被伪造的源地址欺骗,向受害者返回ECHO应答(Type=0),大量应答报文淹没受害者的链路和主机
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
- ICMP Invalid checksum
alert icmp any any -> any any (msg:"SURICATA ICMPv4 invalid checksum"; icmpv4-csum:invalid; classtype:protocol-command-decode; sid:2200076; rev:2;)
alert icmp any any -> any any (msg:"SURICATA ICMPv6 invalid checksum"; icmpv6-csum:invalid; classtype:protocol-command-decode; sid:2200079; rev:2;)
- ICMP Redirect
ICMP重定向(Type=5)本意是让路由器通知主机改用更优的下一跳,利用这点可以进行攻击和网络窃听。如果某主机A接受ICMP重定向,那么主机B向它发送一个ICMP重定向报文后,A之后发往指定地址的所有报文都会转发给主机B,这样B就可以达到窃听目的,或者使A按照攻击者的要求修改路由表。
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:2100436; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
Suricata涉及到匹配的Option
1. itype:[<|>|<>]<number>;
Example: This example looks for an ICMP type greater than 10: itype:>10;
2. icode:[<|>|<>]<number>;
Example: This example looks for an ICMP code greater than 5: icode:>5;
3. icmp_id:<number>;
Example: This example looks for an ICMP ID of 0: icmp_id:0;
4. icmp_seq:<number>;
Example: This example looks for an ICMP Sequence of 0: icmp_seq:0;
5. icmpv6-csum:<valid/invalid>;
6. icmpv4-csum:<valid/invalid>;
Reference
完全理解ICMP协议
RFC792
RFC4443
RFC6633
RFC1256
RFC6918
RFC2521
RFC4065
RFC8335
RFC4727