
5 - 1
IP Behavior III – SANS GIAC LevelTwo
- ©2000, 2001
1
IP Behavior III
Internet Control Message Protocol
(ICMP)
Hi - I am Judy Novak from the Computer Security and Incident Response Team at a military site. I am
a senior security analyst and a contractor for Jacob and Sundstrom, Inc. Once again, Stephen Northcutt
has asked me to create another webcast to explain the workings of the Internet Control Message
Protocol, better known as ICMP. Once again, I’d like to thank Bill Ralph of the NSWC Shadow team
for his insightful editing of this webcast.
ICMP is a vital part of IP and I hope to explain the role it plays in delivering messages about error
conditions it finds, as well as the role it plays in delivering simple requests and replies. It is important
for the student to understand how this protocol is used both for its intended purpose and for
malicious purposes. ICMP in its pure state is supposed to be a relatively simple and chaste protocol;
however, it has been altered to act as a conduit for evil purposes.
Some of the theory that the student will learn from this webcast is where ICMP fits in with other
protocols such as IP, TCP, and UDP. The student will also learn to understand the difference in ICMP
from the other protocols. We will follow a familiar format we’ve seen in many of the other IP behavior
webcasts of looking at the conventional ICMP traffic as well as examining how ICMP can be used for
nefarious activity.
With an understanding of ICMP, the student will be able to examine ICMP network traffic and
determine the nature of it.
Objectives
• Discuss why ICMP is needed, where it fits in, and how it is different from the other protocols
– Explain the theory for the above topics
• Examine how ICMP is used to map networks
– Show examples using tcpdump output
• Examine classic ICMP activity
– Show examples using tcpdump output
• Examine malicious ICMP activity
– Show examples using tcpdump output
As the slide “Objectives” describes, we will cover several aspects of ICMP traffic. ICMP has a
special place among the protocols; it is unlike TCP and UDP, yet still uses IP as its network protocol.
We’ll see exactly where ICMP fits in among the other protocols and the function that it serves.
We’ll take a look at how ICMP is used to map a given network, often as part of the reconnaissance
phase to prepare for some kind of additional activity such as a scan. Next, we’ll examine the
expected behavior that ICMP exhibits, and finally, we’ll look at the many ways that ICMP has been
mutated and tainted to perform activity that it never was meant to perform.
Once armed with the insight gained from this class, you should be able to examine ICMP traffic and
determine if it is expected or deviant behavior.
ICMP Theory
In the section “ICMP Theory”, we attempt to understand the need for ICMP, how it compares with
other protocols and how it supports other protocols. We learn that ICMP has a unique purpose and a
unique method of communication.
Why do we need ICMP?
• A way to issue simple requests
• A way to inform of error conditions
(Diagram labels: icmp echo request, icmp echo reply, port unreachable)
Turning to slide “Why do we need ICMP?”, we examine the role that ICMP occupies among the
other protocols. As you’ll recall, TCP is a connection-oriented protocol with lots of overhead
involved in assuring reliable delivery. UDP is a connectionless protocol that doesn’t promise reliable
delivery, but requires a server port with which a client can communicate.
A simple request such as determining whether a host is alive, commonly known as ping, doesn’t need
ports to communicate and doesn’t require reliable delivery. This request and several more use ICMP
to deliver and respond to such traffic.
Also, what if some kind of error condition is discovered by a router or a host and it needs to inform a
sending source host of the problem? Because TCP is a more robust protocol, it handles some error
conditions such as a non-listening port by sending back a TCP response with the TCP flags of
RESET/ACK set. Also, if a TCP client or server receives too much information, it has a mechanism
to close down the receiving buffer by giving a window size of 0. This says that the receiving host
cannot accept any more data until the current buffered data is processed.
But, UDP and IP aren’t robust enough to communicate error conditions. So, that is where ICMP
comes in; it provides a simple means of communicating between hosts or a router and a host to alert
of some kind of problem situation.
Where does ICMP fit in?
• TCP/IP internet layering model:
Application
Transport (TCP and UDP)
Internet (IP, ICMP)
Network Interface
Slide “Where does ICMP fit in?” shows ICMP’s place in the TCP/IP internet layering
model. This is one model’s representation of the different layers that form data and pass the data
between hosts.
Starting at the top, we have the high-level application layer activity that might represent a TCP/IP
application such as telnet. Next, we have the transport layer with such protocols as TCP and UDP
that provide the end-to-end communication between hosts. Beneath that is the internet layer that is
responsible for getting the datagram from source to destination. Finally, there is the network
interface layer that transmits the datagrams over the network.
What we see is that ICMP is in the same layer as IP, the internet layer. ICMP is encapsulated in the IP
datagram after the IP header.
ICMP versus other protocols
• No port numbers
• No notion of client/server
• No promise of reliable delivery
• Sometimes no response expected
• Can be broadcast
Moving ahead to slide “ICMP versus other protocols”, we see that ICMP is different from TCP and
UDP in other ways. The first is that ICMP has no port numbers as are found in the transport layer
protocols. The closest thing that ICMP has to a differentiation in services is an ICMP message type
and code, the first two bytes in the ICMP header. These tell the function of the particular ICMP
message.
Next, there is really no such thing as a client and server. In fact, when ICMP error messages are
delivered, the receiving host may respond internally, but may not communicate anything back to the
informer. And, ICMP gives no guarantees about the delivery of a message.
One of the unusual traits about ICMP is that “services” do not have to be activated or listening. Just
about every operating system is capable of responding to an ICMP echo request (ping). The hard part
is turning it off. Some intrusion detection systems have echo reply disabled so that they can remain as
anonymous and undetectable as possible.
Another trait about ICMP is that it supports broadcast traffic. TCP requires an exclusive client-server
relationship, but ICMP isn’t nearly as territorial. We’ll see where this flexibility in ICMP’s ability to
respond can sometimes cause problems.
ICMP speakers
• Hosts deliver ICMP queries/error messages to other hosts
(Diagram: the receiving host sends an ICMP source quench, “Hey! Slow down!!!!”, to the original sending host)
Looking at slide “ICMP speakers”, we try to make the point that ICMP is a protocol that IP-speaking
hosts possess and use. A host will use ICMP for simple replies and requests and it will use ICMP to
inform another host of some kind of error condition.
In this slide, we see that the receiving host is having a problem keeping up with the traffic that the
sending host is delivering to it. One of the ways that a host can inform a sending host to throttle
down the delivery rate is to send it an ICMP source quench message.
ICMP speakers (2)
• Routers deliver ICMP error messages to hosts
(Diagram: the router sends an ICMP admin prohibited, “Hey! You’re not allowed in my network!!!”, to the original sending host)
Slide “ICMP speakers (2)” explains that ICMP is used as a mechanism by routers to inform a sending
host of some kind of problem. In the above slide, you see a router responding to a sending host with an
ICMP admin prohibited message. What this means is that the sending host attempted to send some
kind of traffic through the router that was forbidden by an access control list statement.
In a situation such as this, you would expect the router to be the sender of the message since it is the
one forbidding the activity. However, a router might also intervene to inform a sending host about a
condition when a destination host is incapable of responding. For instance, if the destination host is
unreachable, obviously the destination host is incapable of responding. So, in a situation such as this,
the router may reply instead.
Sometimes the act of a host or a router responding to an error condition may not be too wise. While
the router was trying to be helpful in the above slide by informing the sending host of a problem, it is
also providing information that may be used for reconnaissance purposes. The sender may then glean
some knowledge about the type of activity that the router is blocking or whether a host exists. Some
sites “silence” the router as much as possible to preclude the dissemination of unnecessary information.
ICMP listeners
• One host can speak to another host
(Diagram: the sending host sends an ICMP echo request, “Hello! Are you alive?”, to the receiving host)
Slide “ICMP listeners” makes a simple, perhaps obvious point that ICMP communication can be
done between two hosts that converse using IP. This is nothing unusual because that is how we
usually see TCP and UDP traffic transacted, between two hosts.
The ability to converse in ICMP is part of the operating system for Unix hosts. And because the
notion of ports or services doesn’t apply, a host can listen for all ICMP traffic directed to it.
ICMP listeners (2)
• One host can speak to many hosts
(Diagram: the sending host sends an ICMP echo request, “Is anyone on the network alive?”, to the broadcast address through the receiving router)
Advancing to slide “ICMP listeners (2)”, we contrast the two-way communication of ICMP with that
of broadcast ICMP traffic. In this instance, we observe a sending host delivering an ICMP echo
request to the broadcast address. Now, if the router to which the activity is directed allows such
inbound activity, all active hosts on the network will receive the ICMP echo request and respond
with an ICMP echo reply.
So, as you can see, this is a good way to map a given network or overload a network. And, as we
also see, as activity on the Internet becomes less friendly, allowing such traffic through the router or
some kind of packet filtering device is not such a good idea. We’ll examine how ICMP broadcast
activity allowed in your network can be used as a denial of service against another network.
ICMP theory review
• Method for conveying error messages to IP
• Protocol unique because:
– No port numbers
– No perceived client/server
– No reliable delivery guaranteed
– Capable of being broadcast
• Just about all hosts listen and respond to ICMP
Let’s quickly summarize what we’ve learned in this short section by turning to slide “ICMP theory
review”. We learned that ICMP is a means of delivering error messages between hosts. It is
encapsulated in an IP header, but is considered part of the IP or internet layer.
ICMP is a unique protocol because it doesn’t use ports to communicate like the transport protocols
do. ICMP messages can get lost and not be delivered. ICMP messages are never used to deliver an
error about other ICMP messages because that might cause some kind of perpetual loop of reporting.
And, ICMP can be broadcast to many hosts since there is no sense of an exclusive connection.
Finally, we saw that hosts and routers are the senders of ICMP messages. And, we learned that
hosts listen for ICMP and most will respond unless they have deliberately been altered for silence.
Mapping

In the section “Mapping”, we’ll show some of the mapping techniques using ICMP. Mapping is an
important part of a planned attack since reconnaissance is typically the first step of most attacks.
Mapping attempts to discover the IP numbers of live hosts in a network. Once found, any attack can be
directed at the live hosts only.
If mapping is not done and a malicious user or program attacks a network it can be very noisy and not
very productive. We saw this very recently in the RingZero trojan that infected Windows hosts. After
they were infected, they would scan hosts to find open proxy ports. One of the shortcomings of this
scanning activity was that it appeared to hit random hosts on a given network. In so doing, many IP
addresses that were not active were scanned along with the active ones. So, this was a very noisy scan
and had to do a lot of work to receive any valuable feedback. This would have been a more directed
and perhaps more informative scan, had the IP numbers that were scanned been live hosts.
You should know that since sending ICMP echo requests is one of the most common mapping
techniques, many networks will block incoming ICMP echo requests. This has motivated the hacker
world to invent other scanning methods using other protocols.
Tireless mapper
00:12:45.830000 scanner.net > 192.168.117.63: icmp: echo request
00:15:36.200000 scanner.net > 192.168.117.242: icmp: echo request
00:15:36.210000 scanner.net > 192.168.117.242: icmp: echo request
00:15:58.600000 scanner.net > 192.168.117.129: icmp: echo request
00:06:01.880000 scanner.net > 192.168.117.139: icmp: echo request
00:15:58.600000 scanner.net > 192.168.117.129: icmp: echo request
00:18:51.650000 scanner.net > 192.168.117.98: icmp: echo request
00:20:42.750000 scanner.net > 192.168.117.177: icmp: echo request
00:26:36.680000 scanner.net > 192.168.117.218: icmp: echo request
00:05:58.560000 scanner.net > 192.168.117.233: icmp: echo request
00:26:36.680000 scanner.net > 192.168.117.218: icmp: echo request
00:27:30.620000 scanner.net > 192.168.117.168: icmp: echo request
Slide “Tireless mapper” shows the classic mapping technique of sending individual ICMP echo
requests to all hosts in a given subnet. In this case, the 192.168.117 class C subnet is scanned for all
live hosts. As you can see, this is also a very noisy scan.
But, if a site doesn’t look for ICMP activity or doesn’t look for generic scan activity by examining
traffic for a one source IP to many destination host pattern, this may go unnoticed. So, the
philosophical question is - if a hostile party maps your entire network and no one is listening, does it
make any noise?
Efficient mapper
13:51:16.210000 scanner.net > 192.168.65.255: icmp: echo request
13:51:17.300000 scanner.net > 192.168.65.0: icmp: echo request
13:51:18.200000 scanner.net > 192.168.66.255: icmp: echo request
13:51:18.310000 scanner.net > 192.168.66.0: icmp: echo request
13:51:19.210000 scanner.net > 192.168.67.255: icmp: echo request
13:53:09.110000 scanner.net > 192.168.67.0: icmp: echo request
13:53:09.940000 scanner.net > 192.168.68.255: icmp: echo request
13:53:10.110000 scanner.net > 192.168.68.0: icmp: echo request
13:53:10.960000 scanner.net > 192.168.69.255: icmp: echo request
13:53:10.980000 scanner.net > 192.168.69.0: icmp: echo request
Moving to slide “Efficient mapper”, we see a more succinct way to attempt mapping a network.
Since ICMP can send a message to multiple hosts, we can attempt to send an ICMP echo request to a
broadcast address, and if the activity is allowed, all active hosts within the particular broadcast subnet
may potentially reply.
You see that in the above scan, it appears that the scanner is attempting to map the 192.168 subnet. We
see the third octet in the IP number changing from 65 to 69 in this excerpt from a larger scan. We see
the final octet fluctuate between 0 and 255. The 255 in the final octet is the classic broadcast address.
The 0 in the final octet is a broadcast address for hosts that have a TCP/IP stack based on the Unix BSD
operating system. Hosts with this type of TCP/IP stack may respond to the ICMP echo request directed
to the 0 broadcast address.
Some of the later versions of Windows will not respond to a broadcast ICMP echo request.
As you can see, for a network defending against this type of activity, it is wise to disallow any activity
to the broadcast addresses, regardless of whether it is ICMP or some other protocol.
Clever mapper
06:34:31.150000 scanner.net > 192.168.21.0: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.63: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.64: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.127: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.128: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.191: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.192: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.255: icmp: echo request
Now, if you turn to the next slide “Clever mapper”, we see a new variation on an old mapping scheme.
Look at the scanning pattern; what you see is that echo requests are being sent to the class C subnet of
192.168.21. Now, examine the final octet of the IP address. We see the first request is sent to the 0
broadcast address and the last one is sent to the 255 broadcast address.
If you look at the final octet of the other IP numbers, you’ll see that they seem to span 64 IP numbers.
For instance, the first IP number has a final octet of 0 and the following one has a final octet of 63, so
that is 64 total IP addresses. What is the significance of the 64? Well, a typical class C subnet has 256
addresses between the 0 and 255 host numbers.
It is possible to subdivide a class C network so that you have multiple smaller networks. One way to do
this would be to have 4 individually addressable subnets with 64 hosts each. In this scheme, the network
and broadcast addresses change accordingly. The network and broadcast addresses for those 4 subnets
are the IP numbers that you see in the scan. So, it turns out that someone believes that we may have a
different addressing scheme and is attempting to scan accordingly. If this were the addressing scheme
for the 192.168.21 subnet, all live hosts might respond.
Cerebral mapper
20:39:38.120000 scanner.edu > router.com: icmp: address mask request (DF)
20:39:39.090000 scanner.edu > router.com: icmp: address mask request (DF)
20:39:40.090000 scanner.edu > router.com: icmp: address mask request (DF)
23:00:05.480000 scanner.edu > router2.com: icmp: address mask request (DF)
23:00:06.430000 scanner.edu > router2.com: icmp: address mask request (DF)
23:00:07.450000 scanner.edu > router2.com: icmp: address mask request (DF)
Our final mapping example shown on slide “Cerebral mapper” shows a different mapping
technique using another ICMP request type. The ICMP address mask request queries a host for the
subnet mask of the network on which it resides. So, remember all the trouble that the previous
scanner went through to try to determine the addressing scheme? Well, that could have been
avoided using the ICMP address mask request seen here.
This is not a classic mapping per se, however it may provide some initial reconnaissance. If a
scanner can determine a subnet mask of a network, he then knows exactly how many hosts need to
be scanned. While the subnet mask of an IP can usually be determined from looking at the first octet
of the IP number, this request may determine the subnet mask for networks that have been
subdivided. That type of knowledge cannot be obtained by looking at the IP number. This is
another service that should be disallowed into the network for obvious reasons.
This ICMP request may not elicit a response from all hosts. Routers should respond, some modem
servers will, and some Solaris hosts will also respond.
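As an added example (not code from the webcast), here is a small Python classifier that applies the detection ideas from the “Tireless”, “Efficient”, “Clever” and “Cerebral mapper” slides to tcpdump-style ICMP lines: it counts one-source-to-many-destination echo requests, flags targets at the classic .0/.255 broadcast addresses and at the network/broadcast edges of subdivided class C blocks, and notes address mask requests. The line format is the one shown on the slides; the sample lines, hostnames and thresholds are constructed for the example.

```python
"""Classify ICMP mapping patterns in tcpdump-style output.

Added example for the "Tireless", "Efficient", "Clever" and "Cerebral
mapper" slides; not code from the webcast.  Sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the slide excerpts (not the slides' capture).
SAMPLE_LINES = """\
00:12:45.830000 scanner.net > 192.168.117.242: icmp: echo request
00:15:58.600000 scanner.net > 192.168.117.129: icmp: echo request
00:18:51.650000 scanner.net > 192.168.117.98: icmp: echo request
00:20:42.750000 scanner.net > 192.168.117.177: icmp: echo request
00:26:36.680000 scanner.net > 192.168.117.218: icmp: echo request
13:51:16.210000 scanner.net > 192.168.65.255: icmp: echo request
13:51:17.300000 scanner.net > 192.168.65.0: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.63: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.64: icmp: echo request
06:34:31.150000 scanner.net > 192.168.21.127: icmp: echo request
06:34:31.160000 scanner.net > 192.168.21.128: icmp: echo request
20:39:38.120000 scanner.edu > router.com: icmp: address mask request (DF)
11:02:10.000000 client.net > 192.168.117.5: icmp: echo request
"""

# timestamp  src > dst: icmp: message [ (DF)] [ [tos 0x..]]
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+>\s+(\S+):\s+icmp:\s+(.*?)\s*(?:\(DF\))?\s*(?:\[tos [^\]]*\])?$")

HOST_SWEEP_MIN = 4   # distinct unicast targets before we call it a sweep (assumed)
BROADCAST_MIN = 2    # .0/.255 targets before we call it a broadcast sweep (assumed)
BOUNDARY_MIN = 2     # subnet-edge targets before we call it a subdivided probe (assumed)


def parse_line(line):
    """Return (src, dst, message) for one tcpdump ICMP line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, msg = m.groups()
    return src, dst, msg.strip()


def boundary_prefix(dst):
    """Shortest prefix length (24..30) for which dst is the network or broadcast
    address of its enclosing block; None for an ordinary host address or a
    hostname.  24 means the classic .0/.255 class C broadcast."""
    try:
        addr = ipaddress.IPv4Address(dst)
    except ipaddress.AddressValueError:
        return None
    for prefix in range(24, 31):
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if addr in (net.network_address, net.broadcast_address):
            return prefix
    return None


def classify(lines):
    """Summarise ICMP mapping behaviour per source host as a list of flags."""
    stats = defaultdict(lambda: {"unicast": set(), "broadcast": set(),
                                 "boundary": set(), "mask_requests": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, msg = parsed
        s = stats[src]
        if msg == "address mask request":      # slide "Cerebral mapper"
            s["mask_requests"] += 1
            continue
        if msg != "echo request":
            continue
        prefix = boundary_prefix(dst)
        if prefix == 24:                       # slide "Efficient mapper"
            s["broadcast"].add(dst)
        elif prefix is not None:               # slide "Clever mapper"
            s["boundary"].add(dst)
        else:                                  # slide "Tireless mapper"
            s["unicast"].add(dst)

    findings = {}
    for src, s in stats.items():
        flags = []
        if len(s["unicast"]) >= HOST_SWEEP_MIN:
            flags.append("host sweep")
        if len(s["broadcast"]) >= BROADCAST_MIN:
            flags.append("broadcast sweep")
        if len(s["boundary"]) >= BOUNDARY_MIN:
            flags.append("subdivided broadcast probe")
        if s["mask_requests"]:
            flags.append("address mask request")
        findings[src] = flags
    return findings


if __name__ == "__main__":
    for src, flags in classify(SAMPLE_LINES.splitlines()).items():
        print(f"{src}: {', '.join(flags) or 'nothing suspicious'}")
```

Thresholds are deliberately low for the constructed sample; on real captures they should be tuned per site, and a single host such as 192.168.117.63 that happens to sit on a /26 edge is only suspicious when several such edges are hit together.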
Mapping review
• Used for initial reconnaissance
• ICMP echo requests to:
– Individual hosts
– Multiple hosts via classic broadcast addresses
– Multiple hosts via subdivided broadcast addresses
• ICMP address mask request to discover subnet mask
We conclude this section with the “Mapping review”. We examined different mapping techniques
in this section that are mostly used for beginning reconnaissance efforts.
The different mapping techniques all used ICMP to attempt to find live hosts or discover addressing
schemes. The ICMP echo request can be used to look for individual live hosts; or it can be sent to a
broadcast address to look for all live hosts on a subnet. We saw another ICMP request, the address
mask request, that can attempt to learn the subnet mask for a given network.
Normal ICMP
• Requests/replies:
– Timestamp request/reply
• Error messages:
– Host unreachable
– Port unreachable
– Admin prohibited
– Redirect
– Fragmentation required, DF flag set
– Time exceeded
– Reassembly time exceeded
In section “Normal ICMP”, we’ll examine some of the expected uses of ICMP. We’ll first examine
another ICMP request, the timestamp request. Then we’ll look at several different error messages that
ICMP sends to inform a sending host of some kind of problem situation.
Timestamp request/reply
00:00:33.060000 sending.host > target.host: icmp: time stamp request [tos 0x10]
00:00:33.150000 target.host > sending.host: icmp: time stamp reply [tos 0x10]
The next slide “Timestamp request/reply” displays another ICMP request. This one is a request by
one host to another host to return its current time of day. This may be used if two communicating
hosts need to have their clocks synchronized. There are additional ways to do time synchronization,
such as using the network time protocol (ntp), where hosts synchronize their clocks with that of an ntp
server that has a very accurate clock.
The ICMP timestamp request includes the sender’s timestamp; the reply returns it along with the time
that the destination host received the request, and a third field contains the time that the destination host
sent the reply. Using these three fields, hosts can compute the round-trip time; however, this is
not considered to be a very accurate measurement due to unexpected and immeasurable network
latency.
Host unreachable
router > sending.host: icmp: host target.host unreachable
(Diagram: the sending host sends traffic for the target host; the router replies “target host unreachable”)
We now turn to slide “Host unreachable”. In this scenario, we observe a sending host attempting to
send traffic to a target host. For some reason the host is unreachable, perhaps no host resides at the
requested IP address, perhaps it is temporarily unavailable, or perhaps it is suffering from some kind
of misconfiguration that prevents it from responding.
In a situation such as this, the host obviously cannot send an error message, so the router that oversees
the target host’s network intervenes to deliver the message. In this case, it informs the sending host
that the target host is unreachable. As you can probably guess, this may give a scanner valuable
information that he can use to help him map the network. It is possible that the host truly doesn’t
exist, but it is also possible that the host is temporarily turned off or out of commission. The valuable
reconnaissance information that can be gleaned from many of the ICMP unreachable messages can
be detrimental to the security of a given network. Cisco router access control lists have a statement,
“no ip unreachables”, that can silence the router from issuing the ICMP unreachable messages.
Port unreachable
target.host > sending.host: icmp: target.host udp port ntp unreachable (DF)
(Diagram: the sending host connects to the target host udp port ntp; the target host is not listening on port ntp)
Next, look at the slide “Port unreachable” to examine how a target host informs a sending host that a
requested UDP port is not listening. In this case, the sending host attempted to send traffic to the
target host on UDP ntp, which is port 123.
So, the protocol used to deliver the error message is ICMP. Remember, when we examined TCP, it
had a different way of informing a sending host that a port was not active. It returned a TCP segment
with the RESET/ACK flags set to indicate that the port was not listening. UDP has no built-in
mechanism to report about this error and so enlists ICMP to assist.
Admin prohibited
router > sending.host: icmp: host target.host unreachable - admin prohibited
(Diagram: the sending host sends traffic to the target host; the router at the gateway answers “access denied”)
We look at another possible problem situation in slide “Admin prohibited”. In this scenario, we have
a sending host that attempts to send traffic to a target host. We have a router at the gateway of the
target host network.
The router has an access control list that prohibits certain types of traffic from entering the network.
This could be a port that is blocked, a protocol that is blocked, or possibly the source IP or subnet that
is denied access. A router may respond to this condition with an ICMP unreachable - admin
prohibited message.
In the diagram above, we see that the sending host is denied access to the target host. We don’t see
any feedback about the reason for the denial in the ICMP message that is displayed. However,
embedded in ICMP error messages such as this one are the original IP header and at least the first 8
bytes of the transport-layer header of the datagram that generated this response.
Redirect
non-optimum.router > sending.host : icmp: redirect target.host to net optimum.router
(Diagram: the misguided sending host sends a datagram to the target host via the non-optimum router; the non-optimum router delivers the datagram to the target host and tells the sending host to use the optimum router next time)
The ICMP “Redirect” message discussed on the next slide allows a router to tell a sending host that
it is not the optimum router to be used for sending the traffic to the desired destination. The non-
optimum router forwards the traffic to the destination, but informs the sending host to change its
routing table so that a more optimum router is chosen the next time traffic is sent to the same
destination host.
In the case of the above slide, we have a misguided sending host attempting to send traffic to the
target host. It routes the traffic through the non-optimum router that forwards the traffic. However,
it issues an ICMP redirect to the misguided sending host to use the optimum router the next time.
The optimum router has to be on the same subnet as the sending host. Also, the router that sends the
redirect must be on the same subnet as the original sender.
Fragmentation required, DF flag set
router > sending.host: icmp: target.host unreachable - need to frag (mtu 1500)
(Diagram: the sending host on FDDI, MTU = 4352, sends a datagram to the target host with the DF flag set; the router facing Ethernet, MTU = 1500, returns “fragmentation required, DF flag set”)
Moving to slide “Fragmentation required, DF flag set”, we discuss another ICMP message. You
may remember seeing or discussing the DF designation from tcpdump in other IP behavior webcasts.
This means the don’t fragment flag is set. As the name implies, if this flag is set, fragmentation will
not be done on the datagram. If this flag is set and the datagram crosses a network where
fragmentation is required, the router will discover this, discard the datagram and send an ICMP error
message back to the sending host.
The ICMP error message will contain the MTU of the network that required fragmentation. Some
hosts intentionally send an initial datagram across the network with the DF flag set as a way to
discover the MTU for a particular source to destination path. If the ICMP error message is returned
with the smallest MTU, the host will then package all datagrams bound for that destination in small
enough chunks to avoid fragmentation.
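As an added example (not code from the webcast), the following Python builds and decodes a constructed ICMP destination unreachable message of the kind shown on the “Port unreachable”, “Admin prohibited” and “Fragmentation required, DF flag set” slides: it verifies the ICMP checksum, recovers the original IP header and the first 8 bytes of the transport header that the error quotes (so the original source, destination and port can be identified), and reads the next-hop MTU from a need-to-frag message. Code numbers are from RFC 792 and RFC 1812; the addresses and ports are constructed.

```python
"""Build and decode ICMP destination-unreachable messages.

Added example for the "Port unreachable", "Admin prohibited" and
"Fragmentation required, DF flag set" slides; not code from the webcast.
All packets here are constructed in memory; nothing is sent.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
# Code values from RFC 792 / RFC 1812 for the messages the slides show.
UNREACH_CODES = {
    1: "host unreachable",
    3: "port unreachable",
    4: "need to frag (DF set)",
    10: "host unreachable - admin prohibited",
    13: "unreachable - admin prohibited",
}
IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (0 = valid packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(code, orig_src, orig_dst, proto, l4_header8, mtu=0):
    """Construct a type-3 ICMP message quoting a 20-byte IP header plus the
    first 8 bytes of the original transport header."""
    # Quoted IP header: version/IHL, TOS, total length, ID, flags/fragment
    # offset (DF set), TTL, protocol, header checksum (0 here), src, dst.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 0x1234, 0x4000,
                         64, proto, 0, socket.inet_aton(orig_src),
                         socket.inet_aton(orig_dst))
    body = ip_hdr + l4_header8[:8]
    # Bytes 4-7 of the ICMP header are unused, except that code 4 carries
    # the next-hop MTU in bytes 6-7 (RFC 1191).
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu)
    csum = checksum(head + body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, csum, 0, mtu) + body


def decode_unreachable(pkt):
    """Describe an ICMP destination-unreachable message, or return None if it
    is not one or is truncated/corrupted."""
    if len(pkt) < 8 + 20 + 8:           # must quote IP header + 8 bytes
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type != ICMP_DEST_UNREACH or checksum(pkt) != 0:
        return None
    ihl = (pkt[8] & 0x0F) * 4           # quoted IP header length
    if ihl < 20 or len(pkt) < 8 + ihl + 8:
        return None
    ttl, proto = pkt[8 + 8], pkt[8 + 9]
    info = {
        "code": code,
        "reason": UNREACH_CODES.get(code, "code %d" % code),
        "orig_src": socket.inet_ntoa(pkt[8 + 12:8 + 16]),
        "orig_dst": socket.inet_ntoa(pkt[8 + 16:8 + 20]),
        "proto": IPPROTO_NAMES.get(proto, str(proto)),
        "orig_ttl": ttl,
    }
    l4 = pkt[8 + ihl:8 + ihl + 8]
    if proto in (6, 17):                # TCP and UDP both start with the ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if code == 4:
        info["next_hop_mtu"] = mtu
    return info


# Constructed sample: UDP 10.0.0.5:40000 -> 10.0.0.9:123 (ntp), answered with
# a port unreachable as on the "Port unreachable" slide.
SAMPLE_UDP_HDR = struct.pack("!HHHH", 40000, 123, 56, 0)
SAMPLE_PORT_UNREACH = build_unreachable(3, "10.0.0.5", "10.0.0.9", 17,
                                        SAMPLE_UDP_HDR)

if __name__ == "__main__":
    print(decode_unreachable(SAMPLE_PORT_UNREACH))
```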
Time exceeded in-transit
routerx > sending host: icmp: time exceeded in-transit [tos 0xc0]
(Diagram: sending host -> router 1 (ttl 6) -> router 2 (ttl 5) -> router 3 (ttl 4) -> router 4 (ttl 3) -> router 5 (ttl 2) -> router 6 (ttl 1) -> routerx (ttl 0): too many hops taken)
Let’s look at the “Time exceeded” ICMP message on the next slide. TCP/IP needs a way to flush
from the Internet a lost datagram, perhaps one that is in some kind of routing loop where it is bouncing
aimlessly among routers. The means used to prevent wayward datagram activity involves a field in
the IP header known as the time to live (ttl) value. So it’s not really a time at all; it is a count of “hops
to live” before being discarded.
Different operating systems set different initial ttl values. When a datagram traverses a router on its
travel from the source to destination, each router will decrement the ttl value by 1. If the value ever
becomes 0, the router will discard the datagram and send an ICMP time exceeded in-transit message
back to the sending host.
