ICMP notifications allow administrators to debug networks using programs like Ping and Tracert. But they can also be used maliciously in a distributed denial-of-service attack.
The primary use of ICMP is error reporting when two devices connect via the Internet, and some data doesn’t arrive as expected. For example, extremely large packets may be too big for routers to handle, so they discard them and send an ICMP message informing the source device of this error.
Time-To-Live Exceeded
The time-to-live field in an IP datagram is a counter that increases each time the packet travels through a router or device. The datagram is discarded when the counter reaches zero, and a Time Exceeded message is sent to the originator. These messages can also be sent when the reassembling host receives too many fragments or does not receive all the necessary segments within its allocated time to assemble the original datagram.
Each ICMP error message contains a 32-bit pointer that identifies the specific error in the original IP datagram. This information is used by the devices receiving the ICMP messages to identify and correct the problem. The ICMP header also includes the Message Type and Code, briefly describing the error.
ICMP is used to check network availability and gauge device round-trip times (RTT) using the ping and traceroute commands. But hackers have also found ways to take advantage of ICMP transmissions. For example, a port scanning program can send ICMP echo request messages with increasing TTL values to enumerate live processes and ports on a computer or networked device.
Since ICMP errors are not sent as regular traffic, they are not prioritized and may be dropped by some devices. To prevent these errors from being abused, administrators must ensure that their networks are properly configured to handle ICMP messages, and that ICMP messages are not left blocked on any device that cannot process them.
Unreachable
When most people think of the Internet Control Message Protocol (ICMP), two network utilities come to mind: Ping and Traceroute. These network tools use ICMP echo-request and echo-reply messages with a TTL variable to determine the latency between the source and destination devices and help troubleshoot issues such as packet loss.
But these aren’t the only reasons to monitor ICMP traffic. Network devices also use ICMP to send error and query messages, which provide important information about the status of the network.
The ICMP header is like a package label that identifies the contents. It contains the ICMP type, code and checksum. The type provides a brief explanation of the purpose of the message so that the receiving network device knows what to do with it. The code identifies the error in the original IP datagram that caused the ICMP problem message. The checksum verifies the integrity of the transmission.
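To make the header fields described here, and the quoted original datagram mentioned under Time-To-Live Exceeded, concrete, here is an added Python example (not part of the original article) that builds and decodes ICMP messages: it computes the RFC 1071 checksum, verifies it on receipt, and for error types such as Time Exceeded extracts the source, destination and first transport bytes of the datagram that triggered the error. The sample message and the RFC 5737 documentation addresses in it are constructed for illustration, not captured traffic.

```python
import struct

ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 3, 5, 8, 11  # RFC 792 types

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _with_checksum(body: bytes) -> bytes:
    """Fill bytes 2-3 (the checksum field, zeroed while summing) of an ICMP message."""
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8 echo request: type, code, checksum, identifier, sequence number, data."""
    return _with_checksum(struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload)

def build_error_message(mtype: int, code: int, quoted: bytes) -> bytes:
    """Unreachable or Time Exceeded message: 4 unused bytes, then the offending IP header plus 8 payload bytes."""
    return _with_checksum(struct.pack("!BBHI", mtype, code, 0, 0) + quoted)

def parse_icmp(msg: bytes) -> dict:
    """Decode type, code and checksum; for error types also decode the quoted inner IP header."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    mtype, code, csum = struct.unpack("!BBH", msg[:4])
    # Summing the whole message, checksum field included, folds to 0 when the checksum is intact.
    info = {"type": mtype, "code": code, "checksum": csum, "checksum_ok": inet_checksum(msg) == 0}
    if mtype in (ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_TIME_EXCEEDED):
        inner = msg[8:]
        if len(inner) < 20:
            raise ValueError("error message does not carry a full inner IP header")
        ihl = (inner[0] & 0x0F) * 4  # inner header length in bytes; options may follow the 20 fixed bytes
        info.update({"orig_src": ".".join(str(b) for b in inner[12:16]),
                     "orig_dst": ".".join(str(b) for b in inner[16:20]),
                     "orig_ttl": inner[8], "orig_proto": inner[9],
                     "orig_l4_bytes": inner[ihl:ihl + 8]})  # e.g. the probe's ICMP type/code/id/seq
    return info

# Constructed sample (not a capture): a router's Time Exceeded reply to a traceroute probe from
# 192.0.2.10 to 198.51.100.7 (RFC 5737 documentation addresses) whose TTL ran out in transit.
_PROBE_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 0, 1, 0,
                        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
_PROBE_L4 = build_echo_request(0x0042, 3, b"")[:8]
SAMPLE_TIME_EXCEEDED = build_error_message(ICMP_TIME_EXCEEDED, 0, _PROBE_IP + _PROBE_L4)
```

A receiver that checks checksum_ok before trusting the quoted datagram avoids acting on a corrupted or forged error message; the same parser works on messages pulled from a raw socket or a pcap.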
ICMP query messages are sent when a host detects a network device malfunctioning on one of its connected paths. For example, a router might impose a rate limit on how many ICMP Echo Requests it will process per second as a self-protective measure against denial-of-service attacks. If a ping packet exceeds that limit, the router will send an ICMP Path MTU Discovery (PMTUD) message to inform the source system that it cannot accept the ICMP packet because of its size.
Redirect
ICMP isn’t a transport layer protocol like User Datagram Protocol (UDP) or Transmission Control Protocol (TCP). Still, it does play an important role in network devices by providing error reports and other management information. ICMP supports different messages, including Redirect messages that tell network devices of an optimal route to a destination host. This reduces the number of network devices data must travel through to reach its final destination, improving overall network performance. ICMP also plays a critical role in preventing DDoS attacks by reporting errors that attackers can exploit to cause a network device to consume resources and degrade the network’s overall performance. Attacks such as the Smurf attack and ping of death use ICMP packets to overload network devices with unnecessary traffic.
Using a network analyzer to monitor the frequency and duration of ICMP messages indicates how well your network is operating. For example, if a host repeatedly pings a target server or device and doesn’t receive an ICMP echo reply within a certain timeframe, it indicates a problem.
The command-line utility ping uses the ICMP echo request and echo reply messages to test network connectivity between devices. Similarly, ICMP traceroute uses these messages to determine the path between two systems. In addition to the destination IP address, ICMP message type codes and path MTU discovery (PMTUD) provide useful information.
Query
Network devices send query messages to each other when a problem cannot be resolved with existing datagram protocols. These are messages like the ICMP Redirect message (type 5). This type of ICMP message indicates that a router has a better route to reach a destination device or network, and it updates the host’s routing table to use the new route.
Query messages are also useful for troubleshooting issues like round-trip time between devices. The ICMP Echo Request and Echo Reply messages, which we use with the ping utility to test for connectivity, provide important diagnostic information, such as the round-trip time of a packet’s journey between two devices.
The ICMP Checksum message (type 4) alerts the source device to missing data in the ICMP header of an existing datagram. This enables the source device to calculate a new data checksum and compare the result with the original one to determine whether there were any changes in the transmitted data.
Some network administrators also use ICMP for testing and diagnostics by sending and receiving ICMP Traceroute requests. It’s important to remember that ICMP is not a transport protocol, so these messages don’t require the TCP handshake of normal IP traffic, and they can be sent over any available communication path. Because of this, ICMP can be vulnerable to attacks such as the ping sweep and ping flood, which consume incoming and outgoing bandwidth and can utilize CPU resources.
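As an added example (not from the original article) of the ICMP monitoring described above and the ping sweep and ping flood patterns just named, the following Python script applies a sliding-window rule to constructed firewall-style ICMP log lines: a source that sends many echo requests to one host inside the window is flagged as a flood, and one that touches many distinct hosts is flagged as a sweep. The log format, thresholds and addresses are assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed, not any real device's): "<ISO time> ICMP type=N code=N src=A dst=B"
LOG_RE = re.compile(r"^(?P<ts>\S+) ICMP type=(?P<type>\d+) code=(?P<code>\d+) "
                    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line: str):
    """Return a dict for a well-formed line, or None so malformed lines are skipped rather than fatal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "type": int(m["type"]),
            "code": int(m["code"]), "src": m["src"], "dst": m["dst"]}

def detect_icmp_abuse(lines, window_s=10, flood_threshold=50, sweep_threshold=20):
    """Flag echo-request (type 8) sources that exceed a threshold inside a sliding time window:
    flood = many requests from one src to one dst; sweep = many distinct dsts from one src."""
    events = sorted((e for e in map(parse_line, lines) if e and e["type"] == 8), key=lambda e: e["ts"])
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # src -> its echo requests still inside the window
    findings = defaultdict(set)
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop requests that have aged out of the window
            q.popleft()
        per_target = defaultdict(int)
        for e in q:
            per_target[e["dst"]] += 1
        if max(per_target.values()) >= flood_threshold:
            findings[ev["src"]].add("flood")
        if len(per_target) >= sweep_threshold:
            findings[ev["src"]].add("sweep")
    return {src: sorted(tags) for src, tags in findings.items()}

def sample_logs():
    """Constructed traffic: a benign monitor, one flooding host, one sweeping host, one echo reply."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    def line(sec, typ, src, dst):
        return f"{(base + timedelta(seconds=sec)).strftime(TS_FMT)} ICMP type={typ} code=0 src={src} dst={dst}"
    lines = [line(2 * i, 8, "192.0.2.50", "192.0.2.1") for i in range(5)]              # one ping every 2 s
    lines += [line(i // 10, 8, "203.0.113.9", "192.0.2.1") for i in range(60)]          # 60 requests in 6 s
    lines += [line(i // 10, 8, "203.0.113.77", f"192.0.2.{i + 1}") for i in range(30)]  # 30 distinct hosts
    lines.append(line(0, 0, "192.0.2.1", "192.0.2.50"))                                  # reply: ignored
    return lines
```

Tune the window and thresholds to the baseline rate of your own monitoring hosts, since a legitimate network scanner or uptime checker will otherwise trip the sweep rule.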