1 00:00:00,000 --> 00:00:00,900 In this lesson, 2 00:00:00,900 --> 00:00:03,870 we're going to explore the Internet Control Message Protocol. 3 00:00:03,870 --> 00:00:05,850 The Internet Control Message Protocol, 4 00:00:05,850 --> 00:00:07,800 more commonly known as ICMP, 5 00:00:07,800 --> 00:00:10,350 is an integral part of the Internet Protocol Suite, 6 00:00:10,350 --> 00:00:11,970 which is a set of networking protocols 7 00:00:11,970 --> 00:00:13,590 that are used on the internet. 8 00:00:13,590 --> 00:00:14,730 Unlike TCP, 9 00:00:14,730 --> 00:00:16,950 which is known as the Transmission Control Protocol, 10 00:00:16,950 --> 00:00:20,220 and UDP, which is known as the User Datagram Protocol, 11 00:00:20,220 --> 00:00:22,320 ICMP is not used for sending data 12 00:00:22,320 --> 00:00:24,150 between two different systems. 13 00:00:24,150 --> 00:00:27,900 Instead, ICMP is considered to be a network layer protocol 14 00:00:27,900 --> 00:00:28,830 that's primarily used 15 00:00:28,830 --> 00:00:30,990 for diagnosing network communication issues 16 00:00:30,990 --> 00:00:34,500 and providing hosts with information about network problems. 17 00:00:34,500 --> 00:00:38,280 ICMP is going to operate at the network layer of the OSI model, 18 00:00:38,280 --> 00:00:40,560 and this means it's going to be encapsulated within the IP 19 00:00:40,560 --> 00:00:42,960 or internet protocol packets as well. 20 00:00:42,960 --> 00:00:45,180 This makes ICMP an essential tool 21 00:00:45,180 --> 00:00:47,220 for error reporting and testing. 22 00:00:47,220 --> 00:00:50,280 Now, ICMP messages are used for various purposes, 23 00:00:50,280 --> 00:00:52,830 such as indicating when a service or host is unreachable, 24 00:00:52,830 --> 00:00:54,870 when a packet's time to live has expired, 25 00:00:54,870 --> 00:00:56,760 or when the router cannot forward packets 26 00:00:56,760 --> 00:00:58,890 due to its buffer being filled up. 
27 00:00:58,890 --> 00:01:00,240 Most people are going to be familiar 28 00:01:00,240 --> 00:01:02,070 with the PING command utility. 29 00:01:02,070 --> 00:01:04,170 Now, the PING utility uses ICMP 30 00:01:04,170 --> 00:01:06,690 to send an ICMP Echo Request message 31 00:01:06,690 --> 00:01:10,170 to test the reachability of a host on a given IP network. 32 00:01:10,170 --> 00:01:11,190 The receiving host, 33 00:01:11,190 --> 00:01:13,200 if it's available and functioning properly, 34 00:01:13,200 --> 00:01:16,380 will then respond with an ICMP Echo Reply. 35 00:01:16,380 --> 00:01:19,260 This utility is widely used to check network connectivity, 36 00:01:19,260 --> 00:01:20,880 and it measures the round-trip time, 37 00:01:20,880 --> 00:01:24,030 which we call the latency of your network connection. 38 00:01:24,030 --> 00:01:26,430 ICMP messages have a simple structure, 39 00:01:26,430 --> 00:01:28,680 and each message starts with a header consisting 40 00:01:28,680 --> 00:01:30,330 of three different things. 41 00:01:30,330 --> 00:01:31,650 First, we have the Type, 42 00:01:31,650 --> 00:01:33,330 which is a one-byte long field 43 00:01:33,330 --> 00:01:36,750 that indicates the type of ICMP message being transmitted. 44 00:01:36,750 --> 00:01:38,370 Second, we have the Code, 45 00:01:38,370 --> 00:01:40,080 which is a one-byte long field 46 00:01:40,080 --> 00:01:43,050 that provides additional context about the message type. 47 00:01:43,050 --> 00:01:44,730 Third, we have the Checksum, 48 00:01:44,730 --> 00:01:46,380 which is a two-byte long field 49 00:01:46,380 --> 00:01:47,640 that's going to be used for error checking 50 00:01:47,640 --> 00:01:49,590 the message header and data. 51 00:01:49,590 --> 00:01:50,670 Now, after that header, 52 00:01:50,670 --> 00:01:53,190 the ICMP message will contain different data based 53 00:01:53,190 --> 00:01:54,780 on the type and code of the message 54 00:01:54,780 --> 00:01:56,220 that's being transmitted.
55 00:01:56,220 --> 00:01:59,490 For example, in the case of an Echo Request and Echo Reply, 56 00:01:59,490 --> 00:02:01,380 the data section will include an identifier 57 00:02:01,380 --> 00:02:02,490 and a sequence number 58 00:02:02,490 --> 00:02:04,290 to match the replies with the requests, 59 00:02:04,290 --> 00:02:05,610 as well as some optional data 60 00:02:05,610 --> 00:02:07,800 that's being included in the reply. 61 00:02:07,800 --> 00:02:08,669 It's important to note 62 00:02:08,669 --> 00:02:11,790 that ICMP does not have any of the reliability mechanisms 63 00:02:11,790 --> 00:02:15,450 that are used in the Transmission Control Protocol or TCP. 64 00:02:15,450 --> 00:02:17,160 This means there is no guarantee 65 00:02:17,160 --> 00:02:18,570 of the message being delivered, 66 00:02:18,570 --> 00:02:19,980 no ordering of the data, 67 00:02:19,980 --> 00:02:24,360 and no error correction capabilities at all inside of ICMP. 68 00:02:24,360 --> 00:02:27,660 Instead, ICMP is designed for speed and simplicity, 69 00:02:27,660 --> 00:02:30,180 not for data integrity or security. 70 00:02:30,180 --> 00:02:32,460 As a result, ICMP is typically used 71 00:02:32,460 --> 00:02:34,530 for error handling and diagnostics, 72 00:02:34,530 --> 00:02:35,910 rather than transmitting any kind 73 00:02:35,910 --> 00:02:38,310 of regular user data over the network. 74 00:02:38,310 --> 00:02:39,990 Now, unfortunately, over the years, 75 00:02:39,990 --> 00:02:42,240 attackers and hackers have used ICMP 76 00:02:42,240 --> 00:02:44,160 as part of their network attacks. 77 00:02:44,160 --> 00:02:46,440 For example, the ICMP Flood Attack 78 00:02:46,440 --> 00:02:49,170 and the Ping of Death are two common network-based attacks 79 00:02:49,170 --> 00:02:51,900 that exploit the Internet Control Message Protocol.
80 00:02:51,900 --> 00:02:54,390 An ICMP Flood Attack is a type of attack 81 00:02:54,390 --> 00:02:56,400 that involves overwhelming a target machine 82 00:02:56,400 --> 00:02:59,400 with a large number of ICMP Echo Request packets, 83 00:02:59,400 --> 00:03:01,440 also known as Ping packets. 84 00:03:01,440 --> 00:03:03,420 This type of attack is typically done 85 00:03:03,420 --> 00:03:05,850 as fast as possible without waiting for replies 86 00:03:05,850 --> 00:03:08,370 in order to consume the target system's resources, 87 00:03:08,370 --> 00:03:10,620 such as its bandwidth and its processing power, 88 00:03:10,620 --> 00:03:12,270 to the point where it can no longer handle 89 00:03:12,270 --> 00:03:15,060 legitimate requests from its actual users. 90 00:03:15,060 --> 00:03:16,140 This leads to what we call 91 00:03:16,140 --> 00:03:18,303 a Denial of Service condition or DoS. 92 00:03:19,350 --> 00:03:21,810 Now, a Denial of Service situation will actually occur 93 00:03:21,810 --> 00:03:24,150 because legitimate users cannot receive services 94 00:03:24,150 --> 00:03:25,050 from the system 95 00:03:25,050 --> 00:03:26,430 while it's currently being subjected 96 00:03:26,430 --> 00:03:28,500 to an ICMP Flood Attack. 97 00:03:28,500 --> 00:03:29,580 These days though, 98 00:03:29,580 --> 00:03:31,470 this type of attack has to be amplified 99 00:03:31,470 --> 00:03:33,000 from a Denial of Service Attack 100 00:03:33,000 --> 00:03:35,220 up to a Distributed Denial of Service Attack 101 00:03:35,220 --> 00:03:36,720 for it to be effective. 102 00:03:36,720 --> 00:03:38,760 Now, a Distributed Denial of Service Attack, 103 00:03:38,760 --> 00:03:41,340 also known as a DDoS, 104 00:03:41,340 --> 00:03:43,200 will occur when an attacker uses a network 105 00:03:43,200 --> 00:03:44,520 of compromised computers, 106 00:03:44,520 --> 00:03:45,630 known as a botnet, 107 00:03:45,630 --> 00:03:48,060 to generate a significant amount of traffic.
108 00:03:48,060 --> 00:03:50,130 Distributed Denial of Service Attacks make 109 00:03:50,130 --> 00:03:51,510 the attack more powerful, 110 00:03:51,510 --> 00:03:52,920 harder to defend against, 111 00:03:52,920 --> 00:03:54,300 and more difficult to trace back 112 00:03:54,300 --> 00:03:55,740 to the original source of the attack 113 00:03:55,740 --> 00:03:57,630 because numerous machines are being used 114 00:03:57,630 --> 00:03:59,790 to attack the system all at once. 115 00:03:59,790 --> 00:04:01,560 This kind of ICMP Flood Attack 116 00:04:01,560 --> 00:04:04,770 is used to severely disrupt your network operations. 117 00:04:04,770 --> 00:04:05,940 Now, the other one we have 118 00:04:05,940 --> 00:04:07,800 is what's known as the Ping of Death. 119 00:04:07,800 --> 00:04:09,420 The Ping of Death is a type of attack 120 00:04:09,420 --> 00:04:10,680 that exploits a vulnerability 121 00:04:10,680 --> 00:04:11,820 that existed in older, 122 00:04:11,820 --> 00:04:14,490 unpatched systems where the attacker sends malformed 123 00:04:14,490 --> 00:04:18,120 or oversized packets using the ICMP protocol. 124 00:04:18,120 --> 00:04:20,850 Traditionally, the maximum size of an IP packet, 125 00:04:20,850 --> 00:04:22,050 including its headers, 126 00:04:22,050 --> 00:04:25,740 is limited to 65,535 bytes. 127 00:04:25,740 --> 00:04:27,450 In the Ping of Death attack though, 128 00:04:27,450 --> 00:04:30,180 the attacker crafts an ICMP Echo Request packet 129 00:04:30,180 --> 00:04:31,200 or ping packet, 130 00:04:31,200 --> 00:04:33,450 that's actually larger than this in size. 
131 00:04:33,450 --> 00:04:34,590 When the target system tries 132 00:04:34,590 --> 00:04:36,630 to reassemble these oversized packets, 133 00:04:36,630 --> 00:04:38,310 it can lead to buffer overflows, 134 00:04:38,310 --> 00:04:39,210 system crashes, 135 00:04:39,210 --> 00:04:40,920 or other unpredictable behavior 136 00:04:40,920 --> 00:04:43,560 that usually results in a Denial of Service condition happening 137 00:04:43,560 --> 00:04:45,330 on that victimized system. 138 00:04:45,330 --> 00:04:46,590 Thankfully for us though, 139 00:04:46,590 --> 00:04:47,910 most modern operating systems 140 00:04:47,910 --> 00:04:49,710 and network equipment are no longer vulnerable 141 00:04:49,710 --> 00:04:52,500 to this type of attack due to improved security measures 142 00:04:52,500 --> 00:04:55,230 and patches that handle packet size correctly. 143 00:04:55,230 --> 00:04:57,600 But it's still a term you'll hear out in the real world, 144 00:04:57,600 --> 00:04:58,920 and so I wanted to make sure you understood 145 00:04:58,920 --> 00:05:01,560 the concept behind a Ping of Death attack. 146 00:05:01,560 --> 00:05:03,120 Now, because of these vulnerabilities 147 00:05:03,120 --> 00:05:05,580 that have been exploited in the ICMP protocol, 148 00:05:05,580 --> 00:05:07,590 many network administrators will actually choose 149 00:05:07,590 --> 00:05:09,210 to block ICMP traffic 150 00:05:09,210 --> 00:05:11,640 at their boundary firewalls and routers.
151 00:05:11,640 --> 00:05:13,650 This can help to harden and secure the network, 152 00:05:13,650 --> 00:05:14,820 but it does make troubleshooting 153 00:05:14,820 --> 00:05:17,190 your network connectivity issues a little bit harder, 154 00:05:17,190 --> 00:05:18,023 because you'll be unable 155 00:05:18,023 --> 00:05:19,950 to use tools like ping and traceroute 156 00:05:19,950 --> 00:05:22,530 to determine if network connectivity is working properly. 157 00:05:22,530 --> 00:05:25,470 Your firewall is going to drop your ICMP packets 158 00:05:25,470 --> 00:05:27,570 or return a host unreachable error, 159 00:05:27,570 --> 00:05:29,130 even if the host is powered on 160 00:05:29,130 --> 00:05:30,810 and properly connected to your network, 161 00:05:30,810 --> 00:05:33,180 because that ICMP traffic is being blocked 162 00:05:33,180 --> 00:05:35,010 by your router or firewall. 163 00:05:35,010 --> 00:05:37,590 So remember, the Internet Control Message Protocol 164 00:05:37,590 --> 00:05:40,170 is a network diagnostic and error reporting tool, 165 00:05:40,170 --> 00:05:43,860 not a transport protocol like TCP or UDP. 166 00:05:43,860 --> 00:05:46,710 ICMP is encapsulated within IP packets, 167 00:05:46,710 --> 00:05:48,840 and it's essential for tasks like network troubleshooting 168 00:05:48,840 --> 00:05:51,030 with tools like ping and traceroute. 169 00:05:51,030 --> 00:05:54,270 Be aware that the ICMP protocol does have some vulnerabilities 170 00:05:54,270 --> 00:05:55,920 that have been exploited by attackers, 171 00:05:55,920 --> 00:05:59,040 such as using the protocol as part of an ICMP Flood Attack 172 00:05:59,040 --> 00:06:00,780 or sending oversized ping packets 173 00:06:00,780 --> 00:06:03,450 to create a Ping of Death on older legacy systems 174 00:06:03,450 --> 00:06:05,200 and network infrastructure devices.