CVE-1999-0524 what is this about ?


Post by daniel »

What is ICMP?
ICMP is part of the Internet protocol suite as defined in RFC 792. ICMP messages are typically used for diagnostic or control purposes or generated in response to errors in IP operations (as specified in RFC 1122). ICMP errors are directed to the source IP address of the originating packet.

For example, every device (such as an intermediate router) forwarding an IP datagram first decrements the time to live (TTL) field in the IP header by one. If the resulting TTL is 0, the packet is discarded and an ICMP time exceeded message is sent to the datagram's source address.

Many commonly used network utilities are based on ICMP messages. The traceroute command can be implemented by transmitting IP datagrams with specially set IP TTL header fields, and looking for ICMP time exceeded in transit and destination unreachable messages generated in response. The related ping utility is implemented using the ICMP echo request and echo reply messages.

ICMP uses the basic support of IP as if it were a higher-level protocol, however, ICMP is actually an integral part of IP. Although ICMP messages are contained within standard IP packets, ICMP messages are usually processed as a special case, distinguished from normal IP processing. In many cases, it is necessary to inspect the contents of the ICMP message and deliver the appropriate error message to the application responsible for transmitting the IP packet that prompted the ICMP message to be sent.

ICMP is a network-layer protocol; this makes it a layer 3 protocol in the seven-layer OSI model. Based on the four-layer TCP/IP model, ICMP is an internet-layer protocol, which makes it a layer 2 protocol in the Internet Standard RFC 1122 TCP/IP four-layer model or a layer 3 protocol in the modern five-layer TCP/IP protocol definitions.

There is no port number associated with an ICMP packet, as these numbers are associated with protocols in the transport layer above, such as TCP and UDP.

This has little to do with security. For example, knowing a device's location and its ability to synchronize with internet atomic clocks can tell you as much anyway. What devices are synchronised manually these days? To us, special conditions must be fulfilled for this to even be considered a risk, but to protect ourselves from what we do not yet know, we advise disabling it.

So how to do it?

Using nftables:
To clear all existing rules (every table and chain currently loaded), use:

Code:

nft flush ruleset

If you do not already have them, create the table and specify the chain:

Code:

nft add table ip filter
nft add chain ip filter INPUT { type filter hook input priority filter\; policy accept\; }

If you already have them, just add the rules themselves:

Code:

nft add rule ip filter INPUT icmp type timestamp-request counter reject with icmp type host-prohibited
nft add rule ip filter INPUT icmp type timestamp-reply counter reject with icmp type host-prohibited

Code:

nft list ruleset
mv /etc/sysconfig/nftables.conf /etc/sysconfig/nftables.conf-save.$(date +%m%d-%H%M)
nft list ruleset > /etc/sysconfig/nftables.conf

Using iptables:
The message types must be specified with the option "--icmp-type <icmptype_name>". The commands below block icmp-type timestamp-request (13) and timestamp-reply (14):

Code:

iptables -A INPUT -p icmp --icmp-type timestamp-request -j REJECT --reject-with icmp-host-prohibited

Code:

iptables -A INPUT -p icmp --icmp-type timestamp-reply -j REJECT --reject-with icmp-host-prohibited

Do not forget to save the new rules with the command:

Code:

service iptables save

Here's how you can check:

1. Basic Timestamp Scan:

Code:

nmap -sn -PP <target>

Replace <target> with the IP address or hostname of the target you want to scan. This command will perform a ping scan (using -sn) and additionally send ICMP Timestamp requests to discover live hosts.

2. Combining with other scan types:
You can combine the -PP option with other scan types, for example, to perform a TCP connect scan and ICMP timestamp scan:

Code:

nmap -sT -PP <target>

This will perform a TCP connect scan (-sT) and send ICMP timestamp requests as well.

3. Understanding the options:
-sn: Disables port scanning and performs only host discovery. This means Nmap will not try to determine open ports, it will only check if the host is reachable.
-PP: Specifies that Nmap should use ICMP timestamp requests (type 13) for host discovery.
-sT: Performs a TCP connect scan. This is a basic scan that connects to the specified ports.

4. Interpreting the output:
If a host responds with an ICMP timestamp reply (type 14), Nmap will identify it as a live host.

5. Firewall Considerations:
ICMP messages, including timestamp requests, can be blocked by firewalls. If you are not receiving responses, it's possible that the target or a firewall in between is blocking ICMP traffic.
By using the -PP option, you can effectively scan for hosts using ICMP timestamp requests, providing another method for host discovery in your Nmap scans.

The nping tool (available in RHEL repositories) can be used to verify that the ICMP timestamps have been disabled.
The nping tool is bundled as part of the nmap suite.

Code:

nping --icmp --icmp-type timestamp --dest-ip <IP Address>
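
What a type 14 reply actually discloses, as an added example that is not part of the original post: the sketch below packs and parses the RFC 792 timestamp message and decodes the responder's clock. The function names and the sample packets are constructed for this illustration.

```python
import struct
from datetime import timedelta

TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14   # ICMP types named in the post
FMT = "!BBHHHIII"  # type, code, checksum, id, seq, originate, receive, transmit

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_message(msg_type, ident, seq, originate, receive=0, transmit=0):
    """Pack a 20-byte timestamp message and fill in its checksum."""
    body = struct.pack(FMT, msg_type, 0, 0, ident, seq, originate, receive, transmit)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_timestamp_reply(packet: bytes) -> dict:
    """Decode a type 14 message (ICMP payload only, IP header already removed)."""
    if len(packet) != struct.calcsize(FMT):
        raise ValueError("ICMP timestamp messages are exactly 20 bytes")
    if inet_checksum(packet) != 0:          # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    msg_type, code, _, ident, seq, orig, recv, xmit = struct.unpack(FMT, packet)
    if msg_type != TIMESTAMP_REPLY or code != 0:
        raise ValueError(f"not a timestamp reply (type={msg_type}, code={code})")
    # RFC 792: values are milliseconds since midnight UT; a set high bit
    # marks a non-standard value that cannot be read as time of day.
    standard = not (recv & 0x80000000 or xmit & 0x80000000)
    return {
        "id": ident, "seq": seq, "standard_time": standard,
        "remote_clock_utc": str(timedelta(milliseconds=recv)) if standard else None,
        "processing_ms": xmit - recv if standard else None,
    }

# Constructed sample: the reply an unfiltered host could send to a request
# stamped 12:34:56.000 UT (45,296,000 ms after midnight).
SAMPLE_REQUEST = build_message(TIMESTAMP_REQUEST, 0x1234, 1, 45_296_000)
SAMPLE_REPLY = build_message(TIMESTAMP_REPLY, 0x1234, 1,
                             45_296_000, 45_296_789, 45_296_790)

if __name__ == "__main__":
    print(parse_timestamp_reply(SAMPLE_REPLY))
```

With the nftables or iptables rules above in place, no type 14 message comes back for this parser to decode.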