icmp(Internet Control Message Protocol)報文真的是一個數據結構特別簡單的報文,雖然它使用到了ip頭部,協議位於網絡層。說它數據結構簡單主要是因爲icmp報文最主要出於網絡診斷的目的,比如檢測某個主機或者路由器是否正確到達,不像tcp,udp或者更上層協議的報文會攜帶很多額外的信息。
1.icmp報文類型
在icmp報文中最重要的只有type和code字段,其中code相當與是對type更進一步的狀態解釋。
| Type | Code | Status | Description |
|---|---|---|---|
| 0 – Echo Reply | 0 | Echo reply (used to ping) | |
| 1 and 2 | unassigned | Reserved | |
| 3 – Destination Unreachable | 0 | Destination network unreachable | |
| 1 | Destination host unreachable | ||
| 2 | Destination protocol unreachable | ||
| 3 | Destination port unreachable | ||
| 4 | Fragmentation required, and DF flag set | ||
| 5 | Source route failed | ||
| 6 | Destination network unknown | ||
| 7 | Destination host unknown | ||
| 8 | Source host isolated | ||
| 9 | Network administratively prohibited | ||
| 10 | Host administratively prohibited | ||
| 11 | Network unreachable for ToS | ||
| 12 | Host unreachable for ToS | ||
| 13 | Communication administratively prohibited | ||
| 14 | Host Precedence Violation | ||
| 15 | Precedence cutoff in effect | ||
| 4 – Source Quench | 0 | deprecated | Source quench (congestion control) |
| 5 – Redirect Message | 0 | Redirect Datagram for the Network | |
| 1 | Redirect Datagram for the Host | ||
| 2 | Redirect Datagram for the ToS & network | ||
| 3 | Redirect Datagram for the ToS & host | ||
| 6 | deprecated | Alternate Host Address | |
| 7 | unassigned | Reserved | |
| 8 – Echo Request | 0 | Echo request (used to ping) | |
| 9 – Router Advertisement | 0 | Router Advertisement | |
| 10 – Router Solicitation | 0 | Router discovery/selection/solicitation | |
| 11 – Time Exceeded | 0 | TTL expired in transit | |
| 1 | Fragment reassembly time exceeded | ||
| 12 – Parameter Problem: Bad IP header | 0 | Pointer indicates the error | |
| 1 | Missing a required option | ||
| 2 | Bad length | ||
| 13 – Timestamp | 0 | Timestamp | |
| 14 – Timestamp Reply | 0 | Timestamp reply | |
| 15 – Information Request | 0 | deprecated | Information Request |
| 16 – Information Reply | 0 | deprecated | Information Reply |
| 17 – Address Mask Request | 0 | deprecated | Address Mask Request |
| 18 – Address Mask Reply | 0 | deprecated | Address Mask Reply |
| 19 | reserved | Reserved for security | |
| 20 through 29 | reserved | Reserved for robustness experiment | |
| 30 – Traceroute | 0 | deprecated | Information Request |
| 31 | deprecated | Datagram Conversion Error | |
| 32 | deprecated | Mobile Host Redirect | |
| 33 | deprecated | Where-Are-You (originally meant for IPv6) | |
| 34 | deprecated | Here-I-Am (originally meant for IPv6) | |
| 35 | deprecated | Mobile Registration Request | |
| 36 | deprecated | Mobile Registration Reply | |
| 37 | deprecated | Domain Name Request | |
| 38 | deprecated | Domain Name Reply | |
| 39 | deprecated | SKIP Algorithm Discovery Protocol, Simple Key-Management for Internet Protocol | |
| 40 | Photuris, Security failures | ||
| 41 | experimental | ICMP for experimental mobility protocols such as Seamoby | |
| 42 through 252 | unassigned | Reserved | |
| 253 | experimental | RFC3692-style Experiment 1 | |
| 254 | experimental | RFC3692-style Experiment 2 | |
| 255 | reserved | Reserved |
2.scapy發送icmp包與woreshark抓包
發送icmp包 sr1(IP(dst="192.168.1.102")/ICMP()/"zhou") 此時type爲8
“zhou”屬於最後的padding字段,不要也罷。
sr1同樣會接收來自102主機的回覆包
In [20]: result.display()
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 32
id = 593
flags =
frag = 0L
ttl = 64
proto = icmp
chksum = 0xf46b
src = 192.168.1.102
dst = 192.168.1.106
\options \
###[ ICMP ]###
type = echo-reply
code = 0
chksum = 0x1622
id = 0x0
seq = 0x0
###[ Raw ]###
load = 'zhou'
3.防ping策略
我們通常使用的ping和traceroute命令都在悄悄的使用icmp報文去檢測主機的存活狀態。當然從網絡安全的角度來說,檢測主機是否存活是滲透的第一步,所以從win7開始就已經默認開啓了防ping規則,在linux中如果要過濾icmp包只需要在/etc/rc.local文件中添加一句echo "echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all" >>/etc/rc.d/rc.local 但是如果使用這種方法的話,連自己都不能ping別人了。所以高級一點的還是使用防火牆規則吧。 iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP.
當然如果真要較真網絡安全中檢測對方存活主機,不僅僅有icmp協議,還可以通過syn,udp等手段,當然這是後話了,不屬於本篇文章。