Thursday, March 6, 2014

Everything you need to know about Ping, and more

Ping is one of the first network diagnostic tools ever invented, perhaps even the very first, and it is usually the first tool used when analysing network issues.


How does it work

Ping makes use of timed IP/ICMP Echo and Echo Reply messages, as defined in RFC 792, to probe a network host.

Network reachability

An Echo message is simply called a 'ping'. The Echo Reply message is the 'ping reply'. A few simple pings will show if the two hosts have their TCP/IP stacks configured correctly and if there are any problems with the routes packets are taking in order to get to the other side, and back (i.e. reachability).

On the right we can look inside such an Echo message before it is sent. We see the IP header, which is 20 bytes. It indicates the source and destination IP addresses, and that the packet carries ICMP.

Next we see the ICMP header, which is 8 bytes. The ICMP header includes the type information, an Echo Request.

And lastly we see the payload portion, which is indicated as Raw. I'll come back to it later.

On the left we see the ICMP Echo Reply message. Again the first 20 bytes are the IP header, containing the source and destination addresses, which are now reversed.

Next comes the ICMP header, again 8 bytes long, indicating that the message type is an Echo Reply. After the ICMP type field there is an ICMP code field, which carries the error code, or the type of error (0 <= code <= 16).



On the right you see an example of the use of the ICMP code field. In this example I pinged google.com again, but set the Time To Live to 5, which means that the IP packet is allowed to traverse 5 layer-3 hops. google.com is further away than 5 hops.

The router 5 hops away, the last one to receive the ICMP Echo packet, responds to indicate to the sender that it was not able to forward the ping to the intended destination. In the IP header we see the source address of that router.

The ICMP header contains an ICMP type 11 Time Exceeded message, with ICMP code 0: "time to live exceeded in transit".

Next we see a block called IP in ICMP. This is part of the payload portion which I promised we would come back to. It contains the original IP header plus the first 64 bits, or 8 bytes, of the original datagram's data. Since the ICMP header is 8 bytes, that is what is included in the block called ICMP in ICMP. This data is used by the original sender to match the error message to the appropriate process.

In the example on the left we see an ICMP Destination Unreachable message, sent in response to a ping that had the 'Don't Fragment' bit set and exceeded the Maximum Transmission Unit.

Again the IP header contains the source and destination addresses. The source is the router that informs us that it could not forward the original ICMP Echo message.


The ICMP header contains the type 3 Destination Unreachable message, with ICMP code 4: "fragmentation needed and DF set".


And as in the previous example, the IP in ICMP and ICMP in ICMP blocks are the original IP and ICMP headers.


These examples are obviously just a few of the many possible ICMP message types.
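To make the header layout above concrete, here is a small added Python example (not code from the original post) that builds and decodes the same kind of messages: an Echo Request and the Time Exceeded error a router returns for it, including the quoted IP header and 8 bytes of ICMP header that the IP in ICMP / ICMP in ICMP blocks show. Addresses and identifiers are constructed sample values, and the IP header checksum is left at zero because only the ICMP checksum is verified here.

```python
import ipaddress
import struct

ICMP_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}

def icmp_checksum(data: bytes) -> int:
    # RFC 792: one's-complement sum of the 16-bit words, odd trailing byte zero-padded.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    # Minimal 20-byte IPv4 header, protocol 1 (ICMP); the IP header checksum is left 0 here.
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return struct.pack("!BBHHHBBH8s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0, addrs) + payload

def icmp(itype: int, code: int, rest: bytes, body: bytes) -> bytes:
    # 8-byte ICMP header: type, code, checksum, then 4 "rest of header" bytes (id/seq for Echo).
    csum = icmp_checksum(struct.pack("!BBH4s", itype, code, 0, rest) + body)
    return struct.pack("!BBH4s", itype, code, csum, rest) + body

def parse(pkt: bytes) -> dict:
    """Decode the IP header, the ICMP header and, for error messages, the quoted headers."""
    msg = pkt[(pkt[0] & 0x0F) * 4:]                      # skip IP header (IHL in 32-bit words)
    itype, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    out = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
           "dst": str(ipaddress.IPv4Address(pkt[16:20])),
           "type": ICMP_NAMES.get(itype, str(itype)), "code": code,
           "checksum_ok": icmp_checksum(msg) == 0}        # a valid message re-sums to zero
    if itype in (0, 8):
        out["id"], out["seq"] = struct.unpack("!HH", rest)
    elif itype in (3, 11):
        # Errors quote the offending IP header plus the first 8 bytes of its data, which for
        # a ping is the original ICMP header (type, code, checksum, identifier, sequence).
        inner = msg[8:]
        q = inner[(inner[0] & 0x0F) * 4:][:8]
        out["quoted"] = {"src": str(ipaddress.IPv4Address(inner[12:16])),
                         "dst": str(ipaddress.IPv4Address(inner[16:20])),
                         "type": ICMP_NAMES.get(q[0], str(q[0]))}
        out["quoted"]["id"], out["quoted"]["seq"] = struct.unpack("!HH", q[4:8])
    return out

# Constructed samples (not real captures): an Echo Request sent with TTL 5, and the
# Time Exceeded (type 11, code 0) a router five hops away would return for it.
ECHO = ipv4("192.168.100.1", "192.0.2.1", 5, icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"F" * 56))
TIME_EXCEEDED = ipv4("10.0.5.1", "192.168.100.1", 64, icmp(11, 0, b"\x00" * 4, ECHO[:28]))
```

Calling parse() on a real capture works the same way, as long as the bytes start at the IP header.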


On Cisco routers, characters are used to indicate what type of ICMP reply message was sent back. In the table below you will find an overview of the characters and their description.




Network performance measurement

Apart from connectivity testing, ping is also used to measure two network performance indicators: latency and bandwidth.

Latency

Latency is the delay that data travelling over the network experiences, usually measured in milliseconds.

After the sender of the ICMP Echo receives an ICMP Echo Reply message, it compares the time it sent the Echo to the time it received the Echo Reply, and calculates the time difference between the two. This is called the Round Trip Time, more commonly referred to as RTT.

R1#ping 192.168.100.100 size 1500 repeat 2 df-bit

Type escape sequence to abort.

Sending 2, 1500-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
Packet sent with the DF bit set
!!

Success rate is 100 percent (2/2), round-trip min/avg/max = 2/16/29 ms

NOTE: Routers make use of queues to store the electrical (or laser) pulses until enough of them have been received to analyse them, after which the data is sent from these queues to the processor of the router, which also makes use of separate queues, commonly known as cache, to store the data it is analysing. ICMP packets have a low priority. If the router is handling traffic near its capacity, it will drop ICMP packets from its queues.

Available bandwidth 

Ping can also be used to measure the available bandwidth per second, which decreases as the latency increases. This becomes glaringly obvious in the following example, where we ping IP 192.168.100.100 over a 54Mbit/s 802.11g connection.

54Mbit/s = 54000Kbit/s
(54000Kbit/s / 8bit) / 18 kbyte = 375 packets

R1#ping 192.168.100.100 size 18000 repeat 375

Type escape sequence to abort.
Sending 375, 18000-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (375/375), round-trip min/avg/max = 12/20/256 ms

We calculate the available bandwidth by dividing the bandwidth by the latency, while compensating for the shift of the decimal point. Notice that the bandwidth will drop if packet loss occurs.


((18000 byte x 8 bit x 375 received packets) / 100) / 0.020 seconds = 27Mbit/s

(54Mbit/s / 100) / 0.020 seconds = 27Mbit/s

0.54 / 0.020 seconds = 27Mbit/s


Size Matters

Keep in mind that there are differences between how different vendors handle the size option of the ping command.

On Cisco equipment the size option specifies the size of the total ping packet, that is, IP header, ICMP header, and payload.


R1#ping 192.168.100.100 size 1500 repeat 2 df-bit

Type escape sequence to abort.

Sending 2, 1500-byte ICMP Echos to 192.168.100.100, timeout is 2 seconds:
Packet sent with the DF bit set
!!

Success rate is 100 percent (2/2), round-trip min/avg/max = 2/16/29 ms


On Juniper equipment, the size option only specifies the payload. So when you want to ping at 1500 bytes with the DF bit set, use the following command:


root@olive> ping 192.168.100.100 size 1472 count 2 do-not-fragment   
PING 192.168.222.100 (192.168.100.100): 1472 data bytes
1480 bytes from 192.168.100.100: icmp_seq=0 ttl=255 time=27.549 ms
1480 bytes from 192.168.100.100: icmp_seq=1 ttl=255 time=34.765 ms

--- 192.168.100.100 ping statistics ---

2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 27.549/31.157/34.765/3.608 ms



Microsoft Windows follows that same logic. The size option only specifies the payload, as seen below:

C:\Users\>ping 192.168.100.100 -l 1472 -n 2 -f

Pinging 192.168.100.100 with 1472 bytes of data:

Reply from 192.168.100.100: bytes=1472 time=3ms TTL=255
Reply from 192.168.100.100: bytes=1472 time=29ms TTL=255

Ping statistics for 192.168.100.100:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:

    Minimum = 3ms, Maximum = 29ms, Average = 16ms


Linux agrees and the size option there also only applies to the payload, as seen below:

$ ping -c 2 -s 1472 -M do 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 1472(1500) bytes of data.
1480 bytes from 192.168.100.100: icmp_seq=1 ttl=255 time=20.6 ms
1480 bytes from 192.168.100.100: icmp_seq=2 ttl=255 time=11.5 ms

--- 192.168.100.100 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 11.566/16.133/20.661/4.549 ms


Ping of Death

The Ping of Death is an ICMP Echo that violates the maximum length of an IP packet, defined in RFC 791 to be 65,535 octets including the header. As discussed earlier, an IP packet exceeding the MTU will be fragmented. A lot of operating systems did not process the IP packet until they had all fragments, and then tried to reassemble it. This led to the overflow of the 16-bit packet buffer, and thus to system crashes, reboots, and kernel panics.

Most operating systems after 1998 are hardened against Ping of Death attacks and even attempt to prevent you from sending one.

The only tool on Windows that allows you to send a Ping of Death packet is Scapy, which you can find here. From the CLI of Scapy you can send the 'special' ping with this command:

>>>send(fragment(IP(dst="192.168.100.100")/ICMP()/("F"*65530)))
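As an added illustration (not the post's own code), here is the receiver-side check that hardened stacks apply: a Python model of IPv4 fragmentation and of the reassembly guard that refuses any fragment set whose total would exceed the 16-bit length limit, which is exactly what the oversize payload in the Scapy command above would violate. fragment() and reassembled_length() are hypothetical names, and all inputs are constructed.

```python
IP_HDR = 20             # minimal IPv4 header fronting the reassembled datagram
MAX_DATAGRAM = 65535    # RFC 791: the Total Length field is 16 bits wide

def fragment(payload_len: int, mtu: int = 1500) -> list:
    """Split an IP payload into (offset_in_8_byte_units, more_fragments, length) tuples,
    the way a sender does for a link with the given MTU (every fragment but the last
    carries a multiple of 8 bytes)."""
    per, frags, pos = (mtu - IP_HDR) // 8 * 8, [], 0
    while pos < payload_len:
        n = min(per, payload_len - pos)
        frags.append((pos // 8, pos + n < payload_len, n))
        pos += n
    return frags

def reassembled_length(frags: list):
    """Receiver-side guard: return the total datagram length the fragments describe, or None
    when they must be dropped: the reassembled size would not fit the 16-bit Total Length
    (the Ping of Death condition), the last fragment is missing, or the fragments disagree
    about where the datagram ends. Assumes non-overlapping fragments."""
    end, last_end, covered = 0, None, 0
    for off, mf, n in frags:
        frag_end = off * 8 + n
        if IP_HDR + frag_end > MAX_DATAGRAM:
            return None                       # would overflow a legal IP datagram: drop
        if not mf:
            if last_end is not None and last_end != frag_end:
                return None                   # two different "last" fragments
            last_end = frag_end
        covered += n
        end = max(end, frag_end)
    if last_end is None or end != last_end or covered != end:
        return None                           # incomplete: hold or time out, never reassemble
    return IP_HDR + end

# Constructed cases: a normal 1500-byte ping (8-byte ICMP header + 1472 bytes of data), the
# largest legal datagram, and the oversize payload of the Scapy command (8 + 65530 bytes).
NORMAL = reassembled_length(fragment(8 + 1472))                 # 1500
LARGEST = reassembled_length(fragment(MAX_DATAGRAM - IP_HDR))   # 65535
OVERSIZE = reassembled_length(fragment(8 + 65530))              # None: dropped
```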


Smurf Attack

The Smurf Attack is an ICMP Echo message sent to a broadcast address with a spoofed source address, basically burying the uplink of the victim under the Echo Reply messages of all the hosts on that broadcast domain.

Today's computers and network equipment are secured against this type of attack. Most operating systems, by default, do not reply to ICMP messages directed to the network broadcast address. ISPs have also taken steps to prevent their customers from sending traffic with an incorrect IP source address. Lastly, both the equipment manufacturers and the ISPs deny any traffic sent to broadcast addresses.


You can craft a Smurf Attack packet with Scapy, using the following command:


>>>send(IP(src="192.168.100.100", dst="192.168.100.255")/ICMP())

With Nping, use the following command:


nping --icmp -S 192.168.100.100 192.168.100.255


ICMP Nuke

An ICMP Nuke is a denial of service attack based on a spoofed ICMP Destination Unreachable message or a spoofed ICMP Time Exceeded message. The aim of this attack is to make the target system break its existing connection(s). Technically it is not a "ping", but it was sometimes called a Ping Nuke.


An ICMP Nuke can require some brute-forcing, depending on the communication protocol attacked. For both TCP and UDP the source port needs to be guessed, and for TCP-based protocols the sequence number needs to be guessed as well.

This was a very popular type of attack against IRC channel operators, where the attacker aimed to take over the channel. On the right you see an example of such an ICMP Nuke packet directed at the host IP 192.168.100.100.


Today this type of attack is more difficult to perform, because most routers rate-limit ICMP Destination Unreachable and ICMP Time Exceeded messages, and modern operating systems also implement random sequence number generation, making sequence numbers difficult to predict accurately.
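The host-side checks that force the guessing described above, as an added Python example rather than code from the post: the stack validates the headers quoted in an incoming ICMP error against its own connection table and send window, and treats "hard" errors on an established connection as soft ones, following the RFC 5927 recommendations. TcpConn, matching_connection and handle_icmp_error are hypothetical names, and the connection table is constructed sample data.

```python
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32            # TCP sequence numbers wrap modulo 2^32

@dataclass
class TcpConn:
    local: tuple               # (ip, port) of this host
    remote: tuple              # (ip, port) of the peer
    snd_una: int               # oldest unacknowledged sequence number
    snd_nxt: int               # next sequence number this host will send
    established: bool          # True once the handshake has completed

def seq_in_flight(seq: int, una: int, nxt: int) -> bool:
    # una <= seq < nxt in modular arithmetic: a segment this host sent and has not seen acked
    return (seq - una) % SEQ_SPACE < (nxt - una) % SEQ_SPACE

def matching_connection(conns: list, quoted: dict):
    """`quoted` holds what a router copies into a Destination Unreachable / Time Exceeded
    message: the original IP header's src/dst and the first 8 bytes of the TCP header
    (source port, destination port, sequence number). Returns the connection it concerns,
    or None when the 4-tuple is unknown or the sequence number was never sent: exactly the
    values an ICMP Nuke has to guess."""
    key = ((quoted["src"], quoted["sport"]), (quoted["dst"], quoted["dport"]))
    for c in conns:
        if (c.local, c.remote) == key and seq_in_flight(quoted["seq"], c.snd_una, c.snd_nxt):
            return c
    return None

def handle_icmp_error(conns: list, icmp_type: int, icmp_code: int, quoted: dict) -> str:
    """Decision a hardened stack takes on an incoming ICMP error: drop anything that does not
    match a live connection; treat the RFC 1122 'hard' Destination Unreachable codes 2-4 as
    soft errors once the connection is established (RFC 5927), so a single forged message
    can no longer tear a session down; abort only a connection that is still being set up."""
    conn = matching_connection(conns, quoted)
    if conn is None:
        return "drop"
    if icmp_type == 3 and icmp_code in (2, 3, 4) and not conn.established:
        return "abort"
    return "soft-error"       # log it; keep the connection (also for Time Exceeded, type 11)

# Constructed sample: an established IRC client session from this host, plus one in SYN-SENT.
CONNS = [TcpConn(("192.168.100.100", 51234), ("198.51.100.7", 6667), 1000, 1500, True),
         TcpConn(("192.168.100.100", 51235), ("198.51.100.8", 6667), 7000, 7001, False)]

def quoted(sport: int, dst: str, seq: int) -> dict:
    # Helper building the quoted headers of an error about one of this host's outgoing segments.
    return {"src": "192.168.100.100", "sport": sport, "dst": dst, "dport": 6667, "seq": seq}
```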


Ping Tunnel

A ping tunnel (also known as ICMPTX) is a tunnelling technique where the payload portion of ping packets is used to carry TCP sessions between a client and a proxy server. This is usually done to circumvent a firewall. You can find the original implementation of this protocol here.

2 comments:

  1. Would be great to have some GNS 3 labs where we are able to generate the different types of pings and errors
