ICMP Address Mask Scanning is a network reconnaissance technique that leverages the Internet Control Message Protocol (ICMP) to gather subnet information from target hosts. By sending ICMP Type 17 (Address Mask Request) messages, an attacker can prompt a host to respond with its subnet mask via an ICMP Type 18 (Address Mask Reply) message. This information aids attackers in mapping the network's structure and identifying potential targets.
How Do Attackers Use ICMP Address Mask Scanning?
- Subnet Discovery: By obtaining the subnet mask from a host, attackers can determine the size of the subnet and identify the range of IP addresses within it. This knowledge enables them to focus their scanning efforts on active subnets, increasing the efficiency of their reconnaissance activities.
- Bypassing ICMP Echo Restrictions: Some networks block ICMP Echo Requests (Type 8) to prevent standard ping scans. However, they may still respond to Address Mask Requests. Attackers exploit this by using ICMP Address Mask Scanning as an alternative method to discover live hosts within the network.
- Network Topology Mapping: Gathering subnet masks from multiple hosts allows attackers to infer the network's topology, including the segmentation and hierarchy of subnets. This information is crucial for planning targeted attacks and identifying critical network infrastructure.
- Operating System Fingerprinting: The behavior of hosts in response to ICMP Address Mask Requests can provide clues about their operating systems. For instance, some systems do not respond to such requests while others do, allowing attackers to make educated guesses about the OS in use.
Mitigation Strategies
To protect against ICMP Address Mask Scanning:
- Disable ICMP Type 17 and 18 Messages: Configure network devices and hosts to ignore or block ICMP Address Mask Requests and Replies.
- Implement Firewall Rules: Set up firewalls to filter out unnecessary ICMP traffic, especially uncommon types like Address Mask Requests.
- Monitor Network Traffic: Use intrusion detection systems (IDS) to detect and alert on unusual ICMP traffic patterns that may indicate scanning activities.
- Regularly Update Systems: Ensure all network devices and hosts are up-to-date with the latest security patches to mitigate known vulnerabilities.
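The monitoring item above can be backed by a small detector over captured ICMP messages. The Python below is an added example, not code from the original article: it parses the 12-byte Address Mask Request/Reply format (RFC 950), verifies the ICMP checksum, and raises an alert when one source sweeps several hosts with Type 17 or when any host answers with a Type 18 reply. The packet tuples, addresses and alert threshold are constructed for illustration.

```python
import struct
# ICMP address mask request (17) / reply (18), RFC 950. Wire format, 12 bytes:
# type(1) code(1) checksum(2) identifier(2) sequence(2) address mask(4)
ICMP_ADDR_MASK_REQUEST, ICMP_ADDR_MASK_REPLY = 17, 18

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_addr_mask(itype: int, ident: int, seq: int, mask: int = 0) -> bytes:
    """Build a well-formed message; used here only to construct the sample capture."""
    body = struct.pack("!BBHHHI", itype, 0, 0, ident, seq, mask)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_addr_mask(icmp: bytes):
    """Fields of a Type 17/18 message, or None for any other ICMP type."""
    if len(icmp) < 12:
        return None
    itype, code, _, ident, seq, mask = struct.unpack("!BBHHHI", icmp[:12])
    if itype not in (ICMP_ADDR_MASK_REQUEST, ICMP_ADDR_MASK_REPLY):
        return None
    return {"type": itype, "code": code, "id": ident, "seq": seq,
            "mask": ".".join(str(b) for b in mask.to_bytes(4, "big")),
            "checksum_ok": icmp_checksum(icmp) == 0}

def flag_mask_scan(packets, threshold: int = 3) -> list:
    """packets: (src, dst, icmp_bytes). Alert on every Type 18 reply (a subnet mask
    left the host) and on a source that probed >= threshold hosts with Type 17."""
    probed, alerts = {}, []
    for src, dst, icmp in packets:
        msg = parse_addr_mask(icmp)
        if msg is None:          # echo, unreachable, etc.: not our concern here
            continue
        if msg["type"] == ICMP_ADDR_MASK_REQUEST:
            probed.setdefault(src, set()).add(dst)
        else:
            alerts.append(f"mask reply {src}->{dst} disclosed {msg['mask']}")
    for src, dsts in probed.items():
        if len(dsts) >= threshold:
            alerts.append(f"address-mask sweep from {src} to {len(dsts)} hosts")
    return alerts
# Constructed sample capture: a scanner sweeping four hosts, one host answering, and
# an ordinary echo request (Type 8) that must be ignored.
SAMPLE = [("10.0.0.99", f"10.0.0.{i}", build_addr_mask(17, 1, i)) for i in range(1, 5)]
SAMPLE += [("10.0.0.2", "10.0.0.99", build_addr_mask(18, 1, 2, 0xFFFFFF00)),
           ("10.0.0.5", "10.0.0.6", bytes([8, 0, 0, 0, 0, 1, 0, 1]))]
```

Running `flag_mask_scan(SAMPLE)` yields one alert for the disclosed 255.255.255.0 mask and one for the four-host sweep from 10.0.0.99.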
Example Command
Using Nmap, a network scanning tool, an attacker can perform an ICMP Address Mask Scan with the following command:
nmap -sn -PM <target IP range>
This command sends ICMP Address Mask Requests to the specified IP range to identify responsive hosts and gather subnet information.
Understanding and mitigating ICMP Address Mask Scanning is essential for maintaining network security and preventing unauthorized reconnaissance activities.