ICMP is one of the most critical protocols that make the Internet work. Operating at the Internet Layer, it assists network devices and can be used to test connectivity and performance.
It is also the protocol behind the widely used terminal utilities ping and traceroute. Understanding ICMP can help you prevent DDoS attacks and enhance your cybersecurity skills.
What is ICMP?
ICMP stands for Internet Control Message Protocol, a support protocol that aids Layer 3 (IP). Routers use it to perform network diagnostics and report error conditions, such as routing loops, undeliverable packets, unreachable destination hosts, and more.
It also provides feedback and discovery mechanisms. For example, sending an IP packet that exceeds a router's maximum payload size will generate an ICMP error message. That message reports the size the router can accept back to the source device, which can then send a new packet with its length reduced to match the router's MTU.
Aside from error reporting, ICMP supports network management functions like query messaging, timestamp requests, and replies. ICMP is connectionless and doesn't use port numbers (part of the Transport Layer) to communicate with devices. Instead, it uses its own header, placed after the IP header, to identify the ICMP message.
In addition, ICMP is a crucial network tool that helps maintain networks and improve security. However, it's essential to understand how ICMP works before using it, because attackers can manipulate it to carry out Distributed Denial of Service (DDoS) attacks. To prevent this, you need to understand how ICMP messages are structured. Each ICMP message contains an 8-bit type field and an 8-bit code field that together describe the kind of message.
As ICMP operates at the network layer, it works without ports (part of the transport layer). ICMP uses a unique combination of message types and codes to describe errors, status, and other conditions. Each ICMP packet includes a header that provides essential information on the packet, such as its source and destination IP addresses, the data length, and a checksum value.
The next section of the header identifies the type of ICMP message. This allows network devices to quickly determine the type of error or status condition. The message code, assigned by the Internet Assigned Numbers Authority (IANA), further describes the problem.
While ICMP can be used to test connectivity and the speed of data relay between two networked devices, it's more commonly used by network administrators to monitor and troubleshoot their networks. For example, the popular command-line utility ping relies on ICMP echo-request and echo-reply messages to determine whether other hosts are alive. Traceroute likewise relies on ICMP: it displays the path data travels, listing each router along the way (called a 'hop') and reporting how much time passes between each hop.
Many network device manufacturers turn off ICMP because attackers can misuse it in distributed denial-of-service attacks. To prevent this, network administrators should ensure that stateful firewalls and intrusion detection systems are correctly configured to block ICMP abuse.
When network devices send data across the internet, the data will travel through multiple routers and intermediary devices. These devices may fail to forward or deliver the data correctly. ICMP will generate and send error messages to the source device in these cases.
ICMP uses different message types and codes to communicate errors to the source device. For example, if the destination host device is unreachable, ICMP will send a message with code 3. Similarly, if the time exceeds the parameter, ICMP will send a message using code 4.
The first 8 bits of the ICMP packet format are called the type, while the second 8-bit value is called the code. The type identifies the kind of message or error, while the code gives more details about that specific error message.
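The header layout described above (8-bit type, 8-bit code, 16-bit checksum, then a 4-byte type-specific "rest of header") can be decoded directly. The following is an added example written for this article, not code from the page's author: it builds and parses ICMP messages, verifies the RFC 1071 one's-complement checksum, and pulls the next-hop MTU out of a "Fragmentation Needed" message (type 3, code 4) of the kind produced when a packet exceeds a router's MTU. The type/code table is a small subset of the IANA registry, and the sample packets are constructed for the demonstration.

```python
import struct

# Subset of the IANA ICMP type/code registry used for decoding (RFC 792, RFC 1191).
ICMP_TYPES = {
    0:  ("Echo Reply", {0: "No code"}),
    3:  ("Destination Unreachable", {
            0: "Net unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
            3: "Port unreachable", 4: "Fragmentation needed and DF set"}),
    8:  ("Echo Request", {0: "No code"}),
    11: ("Time Exceeded", {0: "TTL exceeded in transit", 1: "Fragment reassembly time exceeded"}),
    12: ("Parameter Problem", {0: "Pointer indicates the error"}),
    13: ("Timestamp", {0: "No code"}),
    14: ("Timestamp Reply", {0: "No code"}),
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble type | code | checksum | 4-byte rest-of-header | payload."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = icmp_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and the type-specific fields we know about."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes, got %d" % len(packet))
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    type_name, codes = ICMP_TYPES.get(icmp_type, ("Unknown", {}))
    info = {
        "type": icmp_type, "type_name": type_name,
        "code": code, "code_name": codes.get(code, "Unknown"),
        # With the checksum field left in place, a valid message sums to zero.
        "checksum_ok": icmp_checksum(packet) == 0,
    }
    if icmp_type in (0, 8):
        # Echo: identifier and sequence number, then the echoed data.
        info["identifier"], info["sequence"] = struct.unpack("!HH", packet[4:8])
        info["payload"] = packet[8:]
    elif icmp_type == 3 and code == 4:
        # RFC 1191: bytes 6-7 carry the next-hop MTU the router can forward;
        # the original IP header plus 8 bytes of its data follow.
        info["next_hop_mtu"] = struct.unpack("!H", packet[6:8])[0]
        info["original_datagram"] = packet[8:]
    return info


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    echo = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"hello")
    print(parse_icmp(echo))
    too_big = build_icmp(3, 4, struct.pack("!HH", 0, 1400), b"\x45" + b"\x00" * 27)
    print(parse_icmp(too_big))
```

The checksum check is the one most worth noting: a receiver recomputes the sum over the whole message with the transmitted checksum still in place, and a correct message folds to zero. Corrupting a single payload byte makes the check fail, which is why the field is useful for catching transit damage even though it offers no protection against deliberate tampering.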
In addition to detecting errors, ICMP also supports the ability to perform network diagnostics. Standard terminal utilities like ping and traceroute use ICMP to display the data routing path from one network device to another.
ICMP is powerful because it can be used to monitor network performance. Still, this functionality has also become a target for malicious actors looking to launch denial-of-service attacks against your business. To prevent these attacks, it's essential to understand the basics of ICMP and how it works.
When most people think of ICMP, they think of two network utilities — Ping and Traceroute. Both utilities rely on ICMP echo-request and echo-reply messages to determine device availability and latency.
ICMP also provides query messages that help resolve diagnostic issues. For example, a device that receives an ICMP Parameter Problem message is informed that a parameter value does not match the expected value. Similarly, a device that gets a Timestamp Request message responds with a Timestamp Reply message, which lets the sender estimate the round-trip time between the source and destination devices.
Finally, ICMP provides error messages that inform the source device that an issue was encountered while transmitting a data packet. This could be an oversized payload that exceeds a router's maximum transmission unit (MTU), or a destination host that is unreachable due to network congestion.
ICMP also allows a device to report when it experiences a routing loop, a closed or inaccessible port, a device slowing traffic, and more. However, malicious actors often leverage ICMP to launch denial-of-service attacks. For instance, a ping sweep or flood can enumerate the live hosts on a network. At the same time, an ICMP tunneling attack can allow a compromised device to communicate with attackers and exfiltrate information. ICMP was initially designed to report errors at the network layer, but it has been manipulated by malicious actors to degrade system performance and sabotage networks.
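The abuses named above (echo-request floods, ping sweeps, and ICMP tunneling) each leave a recognisable pattern in traffic that a monitoring system can flag. The following is an added example written for this article, not code from the page's author or any product: it runs three simple heuristics over constructed ICMP flow records, counting echo requests per source per time window for floods, distinct destinations per source for sweeps, and payload size plus Shannon entropy for tunnel-like traffic. The thresholds, the IP addresses, and the sample records are all assumptions made for the demonstration and would need tuning against real baseline traffic.

```python
import hashlib
import math
from collections import defaultdict

ECHO_REQUEST = 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ping patterns score low, encrypted data scores high."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_icmp(records, window=1.0, flood_threshold=50, sweep_threshold=20,
                 tunnel_min_len=128, tunnel_entropy=6.0):
    """Flag echo-request floods, ping sweeps and tunnel-like payloads.

    records: iterable of (time_s, src, dst, icmp_type, code, payload).
    The thresholds are illustrative assumptions, not tuned values.
    """
    findings = []
    # (src, time bucket) -> [echo-request count, set of destinations]
    per_bucket = defaultdict(lambda: [0, set()])
    for t, src, dst, icmp_type, code, payload in records:
        if icmp_type != ECHO_REQUEST:
            continue
        bucket = int(t // window)
        entry = per_bucket[(src, bucket)]
        entry[0] += 1
        entry[1].add(dst)
        # Tunnels carry far more data per message than ping does, and it is usually encrypted.
        if len(payload) >= tunnel_min_len and shannon_entropy(payload) >= tunnel_entropy:
            findings.append({"kind": "tunnel", "src": src, "dst": dst, "len": len(payload)})
    for (src, bucket), (count, dsts) in per_bucket.items():
        if count >= flood_threshold:
            findings.append({"kind": "flood", "src": src, "count": count, "window": bucket})
        if len(dsts) >= sweep_threshold:
            findings.append({"kind": "sweep", "src": src, "hosts": len(dsts), "window": bucket})
    return findings


def sample_records():
    """Constructed traffic: one normal ping, one flood, one sweep, one tunnel-like flow."""
    ping_payload = bytes(range(56))  # 56-byte incrementing pattern, like a default ping
    # Normal: 10.0.0.5 pings one host once per second.
    recs = [(10.0 + i, "10.0.0.5", "10.0.0.1", 8, 0, ping_payload) for i in range(5)]
    # Flood: 10.0.0.9 sends 200 echo requests to one host inside a single second.
    recs += [(i * 0.004, "10.0.0.9", "10.0.0.1", 8, 0, ping_payload) for i in range(200)]
    # Sweep: 10.0.0.7 probes 40 different hosts inside a single second.
    recs += [(2.0 + i * 0.01, "10.0.0.7", "10.0.0.%d" % (i + 1), 8, 0, ping_payload) for i in range(40)]
    # Tunnel-like: 512-byte high-entropy payloads (hash output standing in for ciphertext).
    blob = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(16))
    recs += [(5.0 + i * 0.1, "10.0.0.11", "198.51.100.20", 8, 0, blob) for i in range(3)]
    return recs


if __name__ == "__main__":
    for finding in analyze_icmp(sample_records()):
        print(finding)
```

Each heuristic targets a different abuse from the paragraph above, and the normal ping source triggers none of them: its rate is low, it talks to a single host, and its 56-byte payload is both short and low-entropy. The same counters can be fed from a firewall or IDS log export instead of the constructed records, which is where rate-limiting or blocking decisions for ICMP are best made.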