We will learn about Theoretical Methodology for Detecting ICMP Reflected Attacks in this article.
What is Theoretical Methodology for Detecting ICMP Reflected Attacks?
There are many different ways to trace the original source of a DoS attack, but these techniques are not effective enough to trace a bounced ICMP attack. When I say “bounced ICMP attack” I mean a SMURF attack. Here I will show you a new backtracking model of DOS reflection attack caused by ICMP packets. This is a very effective method because you can do it with really few attack packets. We have seen that to detect ICMP attacks in a direct attack we need to review a large number of packets, which is not true in this case.
In this digital era, it is really difficult to protect your network from DOS attack. Big brands have faced this type of attack even after securing their network. It is the host’s responsibility to send and receive packets from its network to the client and vice versa. The destination is responsible for receiving and validating the packet sent by the source.
There are two types of attacks.
- Direct attacks
- Indirect/reflex attacks
A direct attack is explained by its name: Packets are sent directly to the victim. However, in a reflection attack, the packets are sent to an intermediate network and then go to the victim. This intermediary network can be a custom proxy or a custom network. the SMURF attack is an example of a reflex attack. The attacker sends ICMP echo packets to the network; this is called an amplifier. This is done using the source address, which is the IP address of the victim. Finally, the machine sends a response to the victim’s machine. This thing is shown in the picture below.
How many responses it gets depends on the number of machines connected to that network of amplifiers. This attack is easy to implement and hard to detect because a single identity can attack a large enterprise, even using very few machines or resources. Now I will show you a new theoretical method to trace back a reflective ICMP flood attack.
To trace back ICMP reflection packets we need to understand the following terms;
- Marking of packets
This is a very basic approach where the router itself adds some information to the packet. In this way, the router can locate the source of the packet flow. This router adds an IP address to the packet header of any packet. The victim creates an attack path after receiving the mark. This designation is the address of the router that lies between the attacker and the victim. In this case, the victim will need a ton of packets to reconstruct the path. To perform this process, both the single router and the participating routers will need multiple packets to transmit on their own IP address.
Figure 1. Marking in IP header
- ICMP trace back
In this case, the reconstructed path is generated by sending the out-of-band traceback details to the destination by the router. There is an old method called iTrace in which the router sends ICMP echo packets to the destination with the attack path. As a result, these packets contain details about the marking router. After collecting these ICMP packets, the victim traces back the information. The victim then reconstructs the attack path.
In this approach, routers send out-of-band traceback information to the destination of the flow to reconstruct the attack path. Bellovin proposed iTrace . Routers send ICMP packets along with the attack path to another destination. ICMP packets contain information about the marking router. The victim collects ICMP packets during the attack and obtains feedback. The victim will be able to reconstruct the path of the attack.
With this new method, fewer signaling packets are used to send to the destination. Any studies that have been done so far do not look at reflex attacks. These methods only deal with direct attacks.
Problems encountered during backtracking
In packet logging, the hash value will be different after reflection, so the traceback approach is not useful in that case.
When marking packets, the identification field will be different after each bounce. Additionally, the victim only receives the mark after a successful reflection, so backtracking is not useful in that case.
In the traditional ICMP tracking method, the packets received by the victim only contain information about the path between the amplifier network and the victim, so there will be no legitimate and correct real information about the attacker.
Trackback ICMP attacks
ICMP echo packets are just request and response echo packets. This is a new approach for tracing back ICMP packets, whether they are direct or indirect packets. It’s a new way of marking. In this method, the data field carries all the tracking feedback. The researchers noticed that ICMP behavior remains the same after a request and a response. In this method, the machine responds with the exact data field contained in the request after receiving a request that also contains the same data field. So if there is any change in the data field, both receiver and sender will know about it. Therefore, packets are sent with this new marking technique, which is explained below.
If a computer receives an ICMP response request, it responds with the same data field as the response request contains. So any change in the data field, either in the request or in the response, will be received by the destination. In a direct ICMP attack, the attacker floods the victim with either ICMP requests or responses with our label for each ICMP echo packet:
In this methodology, it does not matter whether the packet is direct or reflected. Using this technique, the marking router inserts the address into the data field in the ICMP message in both the request and the response. Given the remaining unaltered data field, the victim receives all feedback related to the path between the mid-amp network and the attacker.
The problem with this approach. One packet goes through 15 or more different routers. This requires a large amount of space to store the labels of all the routers information. We have limited storage space for tracking information.
Solution. The researchers used a probabilistic technique to record the complete path starting from the attacker and ending to the target in the correct flow.
The victim will get different IP addresses in any attack. Now he will have to reconstruct the path of attack. To do this, the router copies the various TTL fields with their respective IP addresses into the data field. The router uses different TTL bits to distinguish between echo requests and echo responses. Then the victim uses all these bits to create an attack path. This scenario is explained in the image below.
Figure 23. New Marking Process of Data Field
So far I have talked about the theoretical technique. In real life, the practical implementation should be done as shown in the figure below. The researchers designed this method of implementation in a virtual environment using five routers, three reflectors, and a victim and attacker machine as shown in the figure. One packet travels from the attacker to the victim, but a necessary condition is that the packet must pass through all the routers that are implemented in the virtual lab.
Figure 3 : Scenario of Implementation of this new marking technique
Here all the machines are running Linux systems and the routers also enable a packet forwarding mechanism to mark each ICMP echo request and response packet. A SMURF attack is then launched, in which the attacker sends packets to the victim; packets go through all routers. It is the responsibility of each router to tag all packets with their respective TTL and IP addresses. Then the receiver receives all the packets, analyzes them and reconstructs the beginning of the attack path. So we can trace back ICMP reflection attacks using a very small number of packets.
Using this technique, ICMP DoS attacks can be traced back, including direct and reflection attacks. Reflex attacks are known as SMURF attacks.
- Guerid, H.; Serhrouchni, A.; Achemlal, M.; Mittig, K., “A Novel Traceback Approach for Direct and Reflected ICMP Attacks,” Network and Information Systems Security (SAR-SSI).
- Chao G & Kamil S. IP Traceback Based on Packet Marking and Logging.