4.8 Interpret the fields in protocol headers as related to intrusion analysis
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
ICMP in Network Security and Intrusion Analysis
ICMP is a network-layer protocol used mainly for diagnostics and error reporting in IP networks. Unlike TCP or UDP, ICMP does not carry user data; it carries control messages, such as telling a host that a destination is unreachable or confirming that a host is alive.
In intrusion analysis, ICMP can reveal:
- Network scanning activities (like ping sweeps)
- Host discovery attempts
- ICMP-based attacks (e.g., ICMP flood, Smurf attacks, or tunneling data inside ICMP packets)
ICMP Header Fields
An ICMP packet sits inside an IP packet. Its header is simple but important. Let’s go through it field by field:
1. Type (8 bits)
- This tells you what kind of ICMP message it is.
- Example types you need to know for the exam:
| Type | Meaning | Notes |
|---|---|---|
| 0 | Echo Reply | Response to a ping request (Type 8) |
| 3 | Destination Unreachable | Indicates that a host or network can’t be reached |
| 4 | Source Quench | Obsolete; used to slow down traffic |
| 5 | Redirect | Tells a host to use a different route |
| 8 | Echo Request | Ping message to check if a host is alive |
| 11 | Time Exceeded | TTL expired; often seen in traceroute |
Exam Tip: If you see Type 8 or 0, think ping. Type 3 = unreachable.
2. Code (8 bits)
- Provides more detail about the Type.
- For example, Type 3 (Destination Unreachable) has codes like:
| Code | Meaning |
|---|---|
| 0 | Network unreachable |
| 1 | Host unreachable |
| 2 | Protocol unreachable |
| 3 | Port unreachable |
This helps analysts pinpoint the exact problem in the network.
Exam Tip: Type and Code together tell you exactly why the ICMP message was sent.
3. Checksum (16 bits)
- Used to verify the integrity of the ICMP header and data.
- The receiving device recalculates the checksum over the ICMP header and data; if the result doesn't match the value in the header, the packet is treated as corrupted and dropped.
Exam Tip: In intrusion analysis, mismatched checksums may indicate malformed ICMP packets, which could be part of an attack.
4. Rest of Header / Data (variable)
- Depends on the Type and Code.
- Examples:
| Type | Data Field Example | Purpose |
|---|---|---|
| 0/8 | Identifier + Sequence Number | Used to match requests and replies (ping tracking) |
| 3/11 | Original IP header + first 8 bytes of payload | Helps sender know which packet caused the error |
Analyst Use: By checking this field, you can trace the offending packet back to its source.
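The following parser is an added example, not code from the Cisco course or this page: it decodes the four fields above from raw ICMP bytes, verifies the checksum, and pulls out the Identifier/Sequence pair for Echo messages and the quoted IP header plus ports for Type 3/11 errors. The sample messages it runs on are constructed in the block itself (the addresses, Identifier 0x1234 and port numbers are made up), so it runs offline.

```python
import struct

# Type and Code names from the tables above; anything else is reported as "Other".
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "Network unreachable", 1: "Host unreachable",
                     2: "Protocol unreachable", 3: "Port unreachable"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.

    When run over a message whose checksum field is already filled in,
    an intact message sums to 0xFFFF, so this returns 0 for good packets.
    """
    if len(data) % 2:
        data += b"\x00"                     # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (used only to construct samples)."""
    head = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(head + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode Type, Code, Checksum and the type-specific 'rest of header' / data."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    out = {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "Other"),
        "code": code,
        "checksum_ok": icmp_checksum(msg) == 0,
    }
    if icmp_type in (0, 8):
        # Echo Request/Reply: bytes 4-7 hold Identifier and Sequence Number
        out["identifier"], out["sequence"] = struct.unpack("!HH", msg[4:8])
    elif icmp_type in (3, 11):
        if icmp_type == 3:
            out["code_name"] = UNREACHABLE_CODES.get(code, "Other")
        # Error messages: bytes 8.. carry the offending packet's IP header
        # plus the first 8 bytes of its payload (enough for the L4 ports)
        inner = msg[8:]
        if len(inner) >= 20:
            ihl = (inner[0] & 0x0F) * 4
            out["orig_proto"] = inner[9]
            out["orig_src"] = ".".join(str(b) for b in inner[12:16])
            out["orig_dst"] = ".".join(str(b) for b in inner[16:20])
            l4 = inner[ihl:ihl + 8]
            if out["orig_proto"] in (6, 17) and len(l4) >= 4:   # TCP or UDP
                out["orig_sport"], out["orig_dport"] = struct.unpack("!HH", l4[:4])
    return out


# --- Constructed sample messages (not captured traffic) ---
# Echo Request, Identifier 0x1234, Sequence 1, 8-byte payload
SAMPLE_ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
# Same message with its last payload byte flipped: the checksum must fail
SAMPLE_CORRUPT = SAMPLE_ECHO[:-1] + bytes([SAMPLE_ECHO[-1] ^ 0xFF])
# Destination Unreachable / Port unreachable quoting a UDP datagram
# from 10.0.0.5 to 192.0.2.10 port 33434 (made-up addresses and ports)
_INNER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
_INNER_UDP = struct.pack("!HHHH", 40000, 33434, 8, 0)
SAMPLE_UNREACH = build_icmp(3, 3, b"\x00" * 4, _INNER_IP + _INNER_UDP)

if __name__ == "__main__":
    for name, pkt in (("echo", SAMPLE_ECHO), ("corrupt", SAMPLE_CORRUPT),
                      ("unreachable", SAMPLE_UNREACH)):
        print(name, parse_icmp(pkt))
```

The `checksum_ok` flag is the programmatic form of the Checksum exam tip: a mismatch on a packet that otherwise parses cleanly is worth a second look, since normal hosts never emit one on purpose. For Type 3/11 the quoted inner header is what lets an analyst answer "which of our packets triggered this error?" without needing the original flow in the capture.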
ICMP and Intrusion Analysis Examples
- Ping Sweeps / Host Discovery
  - Attackers send ICMP Echo Requests (Type 8) to many IP addresses to see which hosts respond (Type 0).
  - Analysts look for an unusual volume of Type 8 requests, especially from one source to many destinations, to detect scans.
- Traceroute & TTL Analysis
  - Type 11 (Time Exceeded) messages are produced by legitimate tools (traceroute) but can also reveal network mapping attempts.
- ICMP Flood / DDoS
  - A large volume of ICMP Echo Requests sent to a single host can overwhelm it.
  - Analysts monitor ICMP traffic spikes and abnormal Type/Code patterns.
- Error Tracking
  - Type 3 messages (Destination Unreachable) can reveal misconfigured networks or malicious probing.
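As an added example (not from the course or this page), the block below turns the sweep, flood and error-tracking patterns above into three simple detections over ICMP flow records. The records are constructed inline as `(timestamp, src, dst, type, code)` tuples with made-up addresses: one source pinging twelve consecutive addresses, a host pinging its gateway a few times, and 150 Echo Requests hitting one host in under five seconds. The thresholds (10 hosts in 60 s, 100 requests in 5 s) are assumptions to tune per network, not values from the exam.

```python
from collections import Counter, defaultdict

# Constructed ICMP flow records: (timestamp_seconds, src, dst, icmp_type, icmp_code)
SAMPLE_EVENTS = []
# One source sends Echo Requests to 12 consecutive addresses, one per second (a sweep)
for i in range(1, 13):
    SAMPLE_EVENTS.append((float(i), "10.0.0.99", f"192.0.2.{i}", 8, 0))
# Only the first three hosts answer (Type 0); a router reports the rest
# as Host unreachable (Type 3, Code 1)
for i in (1, 2, 3):
    SAMPLE_EVENTS.append((i + 0.01, f"192.0.2.{i}", "10.0.0.99", 0, 0))
for i in range(4, 13):
    SAMPLE_EVENTS.append((i + 0.02, "192.0.2.254", "10.0.0.99", 3, 1))
# Routine monitoring: one host pings its gateway three times and gets replies
for i in range(3):
    SAMPLE_EVENTS.append((100.0 + i, "10.0.0.5", "10.0.0.1", 8, 0))
    SAMPLE_EVENTS.append((100.001 + i, "10.0.0.1", "10.0.0.5", 0, 0))
# Flood: 150 Echo Requests to a single host in under five seconds
for i in range(150):
    SAMPLE_EVENTS.append((200.0 + i * 0.03, "203.0.113.7", "192.0.2.50", 8, 0))


def _max_in_window(items, window, measure):
    """Largest value of measure(slice) over any span of `window` seconds.

    `items` is a list of (timestamp, value) tuples sorted by timestamp.
    """
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure(items[start:end + 1]))
    return best


def detect_ping_sweeps(events, window=60, min_hosts=10):
    """Sources that send Echo Requests to >= min_hosts distinct destinations within `window` s."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type, _code in sorted(events, key=lambda e: e[0]):
        if icmp_type == 8:
            by_src[src].append((ts, dst))
    alerts = []
    for src, reqs in by_src.items():
        hosts = _max_in_window(reqs, window, lambda s: len({d for _, d in s}))
        if hosts >= min_hosts:
            alerts.append((src, hosts))
    return alerts


def detect_icmp_floods(events, window=5, min_requests=100):
    """Destinations that receive >= min_requests Echo Requests within `window` seconds."""
    by_dst = defaultdict(list)
    for ts, src, dst, icmp_type, _code in sorted(events, key=lambda e: e[0]):
        if icmp_type == 8:
            by_dst[dst].append((ts, src))
    alerts = []
    for dst, reqs in by_dst.items():
        count = _max_in_window(reqs, window, len)
        if count >= min_requests:
            alerts.append((dst, count))
    return alerts


def unreachable_summary(events):
    """Count Type 3 messages delivered to each host, broken down by Code."""
    summary = defaultdict(Counter)
    for _ts, _src, dst, icmp_type, code in events:
        if icmp_type == 3:
            summary[dst][code] += 1
    return summary


if __name__ == "__main__":
    print("sweeps:", detect_ping_sweeps(SAMPLE_EVENTS))
    print("floods:", detect_icmp_floods(SAMPLE_EVENTS))
    print("unreachables:", {k: dict(v) for k, v in unreachable_summary(SAMPLE_EVENTS).items()})
```

The three functions map directly onto the bullets: a sweep shows up as one source with many distinct Type 8 destinations, a flood as one destination with many Type 8 arrivals, and the Type 3 summary shows which host is collecting Host unreachable errors (here the sweeping source, because nine of the addresses it probed had nothing behind them). The gateway pings from 10.0.0.5 trip none of the checks, which is the point of using distinct-destination counts and time windows rather than raw packet totals.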
Tips for the Exam
- Know the common Type/Code pairs.
- Understand what each field does, especially Type, Code, and Checksum.
- Recognize ICMP traffic patterns that indicate scans or attacks.
- Be able to interpret ICMP headers in Wireshark/PCAP for intrusion analysis.
Summary Table: ICMP Header Fields
| Field | Size | Purpose | Key Points for Analysis |
|---|---|---|---|
| Type | 8 bits | Message type | Ping = 8/0, Unreachable = 3, TTL expired = 11 |
| Code | 8 bits | Detailed reason | e.g., Type 3 Code 1 = host unreachable |
| Checksum | 16 bits | Integrity check | Corruption or crafted packets may indicate attacks |
| Data / Rest | Variable | Extra info | Identifier, Sequence, original IP header |
By understanding these fields, students can interpret ICMP messages, spot scanning and attacks, and analyze network traffic for intrusion signs—all critical for the exam.
