ICMP in Network Security
30 Questions

Questions and Answers

Which type of network is typically confined to a city, a zip code, a campus, or office park?

  • WAN
  • MAN (correct)
  • GAN
  • PAN

What is the Global Information Grid (GIG)?

  • A Personal Area Network (PAN)
  • One of the largest private networks in the world
  • The U.S. Department of Defense global network (correct)
  • A global collection of WANs

What range characterizes a PAN (Personal Area Network)?

  • 1 kilometer or more
  • 10 kilometers or less
  • 1 mile or more
  • 100 meters or less (correct)

What is the primary difference between an Intranet and the Internet?

    The Internet is public, while an Intranet is private.

    What characteristic defines a GAN (Global Area Network)?

    Covers cities, states, or countries

    What technology do low-power wireless technologies like Bluetooth commonly use?

    PANs

    What is one of the security challenges introduced by IPv6 autoconfiguration?

    Automatic link-local address configuration

    In the context of IPv6, what does it mean when a host can communicate with other link-local addresses on the same LAN?

    The host is limited to communicating with local devices on the same LAN.

    What can happen when ISPs enable IPv6 service without the customer's knowledge?

    Potential for launching attacks or exfiltrating data via IPv6

    Why are network intrusion detection systems often not configured to 'see' IPv6 traffic?

    Limited experience or understanding of IPv6 by professionals

    What is recommended as a fundamental part of system hardening in relation to IPv6?

    Disabling unnecessary network services

    How can IPv6 be disabled on a Windows host?

    Unchecking the “Internet Protocol Version 6” box in network adapter properties

    What does an unanswered ping (an ICMP Echo Request with no Echo Reply) suggest?

    The host is up and the ICMP was filtered.

    How does the Time to Live (TTL) field prevent routing loops?

    By decreasing with every hop a packet makes.

    What message does a router send when it decrements a packet's TTL to zero?

    ICMP Time Exceeded

    In the traceroute process, what does it mean when a router is identified?

    The traceroute has successfully mapped the router on the network path.

    Why does the traceroute client send a packet with a TTL of 1 to begin the route tracing process?

    To identify the first router immediately.

    What technique does traceroute use to uncover intermediate routers between a client and a server?

    Using UDP packets

    Which protocol provides a simpler way to transfer files, often used for saving router configurations or bootstrapping via a network by diskless workstations?

    TFTP

    Why is Passive FTP more likely to pass through firewalls cleanly?

    Because it flows in classic client-server direction

    Which protocol was designed as a secure replacement for Telnet, FTP, and UNIX 'R' commands?

    SSH

    What port do SSH servers listen on by default?

    Port 22

    Which protocol is NOT recommended for transferring sensitive data over an insecure channel?

    Telnet

    What is a characteristic of TFTP regarding directory structure?

    It usually writes to the /tftpboot directory

    What is the main goal of a DNS cache poisoning attack?

    To trick a caching DNS server into caching a forged response

    How does DNSSEC enhance DNS responses?

    By providing authentication and integrity using public key encryption

    Why is building an Internet-scale Public Key Infrastructure challenging?

    Because it requires widespread adoption and management of public keys

    What event in 2008 led to an increased call for the adoption of DNSSEC?

    Publicizing an improved DNS cache poisoning attack by Dan Kaminsky

    What is the primary function of SNMP in network management?

    To monitor network devices and collect performance data

    Which port is commonly used by SNMP agents for communication?

    UDP port 161

    Study Notes

    Network Types

    • Metropolitan Area Network (MAN) is typically confined to a city, a zip code, a campus, or office park.
    • Global Information Grid (GIG) is a network that provides a secure, high-speed network for the US Department of Defense.

    PAN (Personal Area Network)

    • Characterized by a range of around 10 meters or less.

    Intranet and Internet

    • The primary difference between an Intranet and the Internet is that an Intranet is a private network, whereas the Internet is a public network.

    GAN (Global Area Network)

    • Characterized by its ability to span multiple countries and continents.

    Low-Power Wireless Technologies

    • Technologies like Bluetooth commonly use frequency hopping spread spectrum technology.

    IPv6 Autoconfiguration

    • One of the security challenges introduced by IPv6 autoconfiguration is the potential for rogue devices to autoconfigure and connect to the network.

    IPv6 Communication

    • When a host can communicate with other link-local addresses on the same LAN, it means that the host can communicate with other devices on the same network.

    IPv6 and ISPs

    • If ISPs enable IPv6 service without the customer's knowledge, it can lead to potential security risks and configuration issues.

    Network Intrusion Detection Systems

    • Network intrusion detection systems are often not configured to 'see' IPv6 traffic, which can lead to potential security risks.

    System Hardening

    • Disabling IPv6 on systems that do not use it is recommended as a fundamental part of system hardening.

    Disabling IPv6

    • IPv6 can be disabled on a Windows host by going to the Network and Sharing Center and disabling IPv6.

    Ping

    • An unanswered ping (an ICMP Echo Request with no Echo Reply) suggests that the host is not reachable or is not responding to ping requests.

    Time to Live (TTL)

    • The TTL field prevents routing loops by decrementing the TTL value each time a packet passes through a router, and discarding the packet when the TTL value reaches zero.

    Router Messages

    • When a router decrements a packet's TTL to zero, it sends an ICMP Time Exceeded message.

    Traceroute

    • In the traceroute process, when a router is identified, it means that the router has responded to the packet with a TTL of 1.
    • The traceroute client sends a packet with a TTL of 1 to begin the route tracing process to identify the first hop.
    • Traceroute uses the ICMP Time Exceeded message to uncover intermediate routers between a client and a server.

    File Transfer

    • The Trivial File Transfer Protocol (TFTP) provides a simpler way to transfer files, often used for saving router configurations or bootstrapping via a network by diskless workstations.

    FTP

    • Passive FTP is more likely to pass through firewalls cleanly because it uses a random port for data transfer, making it easier to configure firewalls.

    Secure Shell (SSH)

    • SSH was designed as a secure replacement for Telnet, FTP, and UNIX 'R' commands.
    • SSH servers listen on port 22 by default.

    Insecure Channel

    • Telnet is not recommended for transferring sensitive data over an insecure channel.

    TFTP

    • A characteristic of TFTP is that it does not support directory structure.

    DNS Cache Poisoning

    • The main goal of a DNS cache poisoning attack is to inject fake DNS data into a DNS cache, leading to redirection of users to fake websites.

    DNSSEC

    • DNSSEC enhances DNS responses by providing digital signatures that verify the authenticity of DNS data.

    Public Key Infrastructure

    • Building an Internet-scale Public Key Infrastructure is challenging because it requires a global system of trust.
    • The 2008 DNS cache poisoning attack led to an increased call for the adoption of DNSSEC.

    SNMP

    • The primary function of SNMP in network management is to monitor and manage network devices.
    • SNMP agents commonly use port 161 for communication.


    Description

    Learn about the role of ICMP in network security, including how attackers use it to map target networks and the importance of filtering certain types of ICMP messages. Explore how an unanswered ping does not necessarily mean a host is down, and how the traceroute command utilizes ICMP Time Exceeded messages to trace network routes.
