Understanding ICMP Protocol – A Comprehensive Guide


ICMP underpins network management and diagnostic utilities such as ping and traceroute. It also serves as the error-reporting protocol of IP: when a router or host cannot deliver a packet, it uses ICMP to tell the original sender why.

The most common use of ICMP is troubleshooting connectivity between network devices. However, the same functionality can be abused by attackers, for example to flood a target with echo requests (a form of DoS/DDoS) or to map which hosts on a network are alive.

What is ICMP?

ICMP is the Internet Control Message Protocol, which network devices such as routers and hosts use to generate error messages when problems prevent them from delivering IP packets. It doesn’t have its own level within the Open Systems Interconnection (OSI) model; it is treated as an integral part of IP and works at the network layer, reporting errors back to the sender of the failing packet. ICMP also powers diagnostic tools such as ping and traceroute.

ICMP sends data from one device to another as an IP datagram. The datagram carries the ICMP message directly after the IPv4 header (protocol number 1) or IPv6 header (next header 58 for ICMPv6). The ICMP header begins with an 8-bit type field and an 8-bit code field that together identify the specific notification, followed by a 16-bit checksum.

ICMP is a connectionless protocol, unlike TCP, which requires that two devices establish a connection before sending any data. As such, it can relay error information without requiring the two devices to first connect through a TCP handshake.

The ICMP protocol is used for many purposes, but its most common use case is error reporting. For example, if a router receives a packet that is larger than the MTU of the next hop and the packet’s Don’t Fragment flag is set, it discards the packet and sends an ICMP Destination Unreachable message with code 4 (Fragmentation Needed) back to the sending device. That message lets the sender lower its packet size and resend the data; this is how Path MTU Discovery works.

ICMP Types

ICMP is part of the Internet Protocol (IP) and sits at the network layer. As such, ICMP messages are neither encrypted nor authenticated: anything on the path can read them, and a receiver cannot verify who sent them. The ICMP header contains two crucial fields: type and code. The type field identifies the message type (Echo Request, Destination Unreachable, Time Exceeded, and so on), and the code field identifies the subtype, for example which kind of unreachability occurred.

Essentially, ICMP lets network devices communicate errors and other helpful information to each other. For example, if a packet is too large for a router to forward and cannot be fragmented, the router discards it and sends an ICMP message back to the source so the source knows the data did not arrive as expected.

Network administrators can use ICMP for network diagnostics and troubleshooting, network quality analysis (round-trip time and loss measurement), and as a source of security telemetry. For instance, the commonly used terminal utility traceroute sends probes with increasing TTL values and uses the ICMP Time Exceeded message returned by each router along the way to display the path an IP packet takes from its source to its destination.

One of the most common ICMP error messages is Time Exceeded (type 11). A router sends it with code 0 when a packet’s TTL reaches zero in transit, and a host sends it with code 1 when not all fragments of a datagram arrived before its reassembly timer expired. It does not mean the packet was too large; that condition is reported as Destination Unreachable, code 4 (Fragmentation Needed).

Malicious actors also use ICMP functionality to carry out attacks such as Distributed Denial-of-Service attacks (DDoS). However, there are several ways to protect against these threats. IDS/IPS systems can detect and block ICMP traffic that matches known attack signatures or exceeds a rate baseline. Rate-limiting ICMP at the network edge and filtering the ICMP types a network does not need are also effective, provided the messages that keep the network working (Fragmentation Needed for Path MTU Discovery, Time Exceeded for traceroute) are still allowed through.

ICMP Codes

ICMP includes many different types of error messages. A type and a code categorize each of them. The type tells the receiving device what kind of message it is, and the code breaks down what kind of problem occurred.

For example, a network device might send an ICMP Destination Unreachable message (type 3). This can happen for various reasons, each with its own code, including the destination host being down, an intermediate router being unable to forward the packet, no process listening on the destination port, or a firewall administratively blocking the connection. Every ICMP error message also quotes the beginning of the original IP packet that triggered it, so the sender can match the error to the flow it belongs to. One type, Parameter Problem (type 12), additionally carries a pointer field.

The pointer is an 8-bit value in ICMPv4 (32-bit in ICMPv6) that gives the offset of the header field the sender got wrong. The quoted original datagram is a variable-length field: RFC 792 requires the original IP header plus at least the first 8 bytes of its payload (enough to recover the TCP or UDP port pair), and later specifications allow as much of the original packet as fits without the whole ICMP message exceeding 576 bytes in IPv4 or 1,280 bytes in IPv6.

ICMP was also designed to signal congestion: a device whose buffers were filling could send ICMP Source Quench messages (type 4) asking the sender to slow its transmission rate. Source Quench has since been deprecated (RFC 6633) and modern hosts ignore it; congestion control is handled by the transport layer instead. ICMP is also used to perform diagnostics on the network, such as sending ping messages and monitoring round-trip times. However, the same mechanism can be exploited in denial-of-service attacks. For example, a typical ping flood involves an attacker sending a very high rate of Echo Requests to a target, consuming its bandwidth and CPU so that it can no longer serve legitimate traffic.

ICMP Content

ICMP is carried directly inside IP and works at the network layer. It allows devices to report errors to each other and helps upper-layer protocols determine whether their data packets are reaching their destination.

An ICMP message starts with an 8-byte header: the type and code fields, a 16-bit checksum that protects the whole message against corruption or accidental additions, and a 4-byte field whose meaning depends on the type (identifier and sequence number for Echo, the next-hop MTU for Fragmentation Needed, unused for most errors). The remainder of the message is the data: for Echo it is an arbitrary payload, and for error messages it is the quoted beginning of the original datagram, sized so that the whole message stays within 576 bytes in IPv4 or 1,280 bytes in IPv6.

For example, a router might receive a packet that is larger than it can forward on the next link. In such a case, it discards the packet and sends an ICMP error to the sender that names the problem in its type and code (Destination Unreachable, Fragmentation Needed) and quotes the header of the packet that was dropped, so the sender can tell which connection was affected.

Because ICMP works at the network layer, it can be used for various management and diagnostic tasks, such as pinging network devices. Some of the most commonly used network tools, such as traceroute and ping, rely on it. However, because ICMP is so often used for reconnaissance (ping sweeps that enumerate live hosts) and for flooding attacks such as DDoS, monitoring your network for both patterns is essential.
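The header layout and the quoted original datagram described above, as an added example in Python (not code from the original page). It builds an Echo Request, a Destination Unreachable / Port Unreachable error that quotes a UDP datagram, and a Fragmentation Needed error carrying a next-hop MTU, then parses them back, verifying the RFC 1071 checksum and recovering the original source, destination, protocol and port pair from the quoted header. All addresses, ports and payloads are constructed sample values, and the type table covers only the types the example decodes.

```python
"""Build and parse ICMPv4 messages laid out as in RFC 792 (added example, not from the page).

Constructed inputs: an Echo Request, a Destination Unreachable / Port Unreachable error that
quotes a UDP datagram, and a Fragmentation Needed error carrying a next-hop MTU (RFC 1191).
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Only the types this example decodes; the full registry is maintained by IANA.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
              11: "Time Exceeded", 12: "Parameter Problem"}
ERROR_TYPES = {3, 11, 12}  # these quote the original IP header + first 8 bytes of its payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # odd-length messages are padded with a zero byte for the sum
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold the carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, rest_of_header: int, payload: bytes) -> bytes:
    """type(8) | code(8) | checksum(16) | rest-of-header(32) | payload; checksum computed with its field zeroed."""
    draft = struct.pack("!BBHI", msg_type, code, 0, rest_of_header) + payload
    return draft[:2] + struct.pack("!H", icmp_checksum(draft)) + draft[4:]


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Echo Request packs identifier and sequence number into the rest-of-header word."""
    return build_icmp(8, 0, (ident << 16) | (seq & 0xFFFF), payload)


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with DF set; header checksum left 0 since it is only quoted here."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0, src_b, dst_b)


@dataclass
class ParsedIcmp:
    msg_type: int
    code: int
    checksum_ok: bool
    rest_of_header: int
    payload: bytes
    # Filled in for error messages from the quoted original datagram
    orig_src: Optional[str] = None
    orig_dst: Optional[str] = None
    orig_proto: Optional[int] = None
    orig_l4_header: bytes = b""

    @property
    def name(self) -> str:
        return ICMP_TYPES.get(self.msg_type, f"type {self.msg_type}")

    @property
    def next_hop_mtu(self) -> Optional[int]:
        """RFC 1191: Fragmentation Needed (3/4) carries the next-hop MTU in the low 16 bits."""
        if self.msg_type == 3 and self.code == 4:
            return self.rest_of_header & 0xFFFF
        return None


def parse_icmp(msg: bytes) -> ParsedIcmp:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    # A message whose checksum field is correct sums to 0xFFFF, so the complement is 0.
    parsed = ParsedIcmp(msg_type, code, icmp_checksum(msg) == 0, rest, msg[8:])
    if msg_type in ERROR_TYPES:
        quoted = parsed.payload
        if len(quoted) < 20:
            raise ValueError("error message does not carry the original IP header")
        ihl = (quoted[0] & 0x0F) * 4
        if len(quoted) < ihl + 8:
            raise ValueError("error message quotes fewer than IP header + 8 bytes")
        parsed.orig_proto = quoted[9]
        parsed.orig_src = ".".join(str(b) for b in quoted[12:16])
        parsed.orig_dst = ".".join(str(b) for b in quoted[16:20])
        parsed.orig_l4_header = quoted[ihl:ihl + 8]  # enough for the UDP/TCP port pair
    return parsed


# Constructed sample messages (not captured traffic).
ORIG_UDP = ipv4_header("10.0.0.5", "192.0.2.10", 17, 20 + 8 + 60) + struct.pack("!HHHH", 40000, 53, 8 + 60, 0)
PORT_UNREACH = build_icmp(3, 3, 0, ORIG_UDP)       # host: no listener on UDP/53
FRAG_NEEDED = build_icmp(3, 4, 1400, ORIG_UDP)     # router: DF set, next-hop MTU 1400
ECHO_REQUEST = build_echo_request(0x1234, 1, b"abcdefgh")

if __name__ == "__main__":
    for raw in (ECHO_REQUEST, PORT_UNREACH, FRAG_NEEDED):
        p = parse_icmp(raw)
        print(p.name, f"code={p.code}", f"checksum_ok={p.checksum_ok}",
              f"orig={p.orig_src}->{p.orig_dst} proto={p.orig_proto}" if p.orig_src else "",
              f"mtu={p.next_hop_mtu}" if p.next_hop_mtu else "")
```

The parser deliberately refuses error messages that quote less than the IP header plus 8 bytes, because a stack that accepts a shorter quote would be matching errors to flows on attacker-controllable data. A real implementation would also check that the quoted source address and port pair belong to a connection it actually has before acting on the message.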
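The monitoring the paragraph above calls for, as an added example in Python that is not part of the original page: simple tumbling-window counters over ICMP flow records that flag a ping sweep (one source sending Echo Requests to many distinct destinations) and an echo-request flood (one source to one destination at a high rate). The same counters cover the ping-flood and IDS/IPS discussion earlier on the page. The flow records, thresholds and addresses are constructed for the example; the window size and thresholds are illustrative and should be tuned to a network's own baseline.

```python
"""Flag ICMP ping sweeps and echo-request floods in a stream of flow records (added example)."""
from collections import defaultdict
from typing import NamedTuple


class IcmpEvent(NamedTuple):
    ts: float        # seconds since capture start
    src: str
    dst: str
    icmp_type: int   # 8 = Echo Request
    icmp_code: int


def detect_icmp_abuse(events, window: float = 10.0, sweep_hosts: int = 16, flood_pps: float = 100.0):
    """Tumbling-window counters over Echo Requests only.

    ping_sweep: one source sends Echo Requests to >= sweep_hosts distinct destinations in a window.
    icmp_flood: one source sends Echo Requests to one destination at > flood_pps averaged over the window.
    Thresholds are illustrative (hypothetical defaults); tune them to the baseline of your own network.
    """
    dsts_per_src = defaultdict(set)       # (bucket, src) -> {dst}
    count_per_pair = defaultdict(int)     # (bucket, src, dst) -> count
    for ev in events:
        if ev.icmp_type != 8:
            continue  # replies and error messages are not probes
        bucket = int(ev.ts // window)
        dsts_per_src[(bucket, ev.src)].add(ev.dst)
        count_per_pair[(bucket, ev.src, ev.dst)] += 1

    alerts = []
    for (bucket, src), dsts in sorted(dsts_per_src.items()):
        if len(dsts) >= sweep_hosts:
            alerts.append({"kind": "ping_sweep", "src": src, "window": bucket, "hosts": len(dsts)})
    for (bucket, src, dst), n in sorted(count_per_pair.items()):
        pps = n / window
        if pps > flood_pps:
            alerts.append({"kind": "icmp_flood", "src": src, "dst": dst, "window": bucket, "pps": pps})
    return alerts


def sample_events():
    """Constructed records: a sweep, a flood, and benign pings (not real capture data)."""
    evs = []
    # 10.0.0.7 probes 40 consecutive hosts, one every 100 ms -> ping sweep
    for i in range(40):
        evs.append(IcmpEvent(0.1 * i, "10.0.0.7", f"192.0.2.{i + 1}", 8, 0))
    # 203.0.113.9 sends 1500 Echo Requests to one host in 10 s -> 150 pps flood
    for i in range(1500):
        evs.append(IcmpEvent(i * (10.0 / 1500), "203.0.113.9", "192.0.2.10", 8, 0))
    # 10.0.0.8 pings two hosts a few times: normal troubleshooting
    for i in range(5):
        evs.append(IcmpEvent(1.0 * i, "10.0.0.8", "192.0.2.10", 8, 0))
        evs.append(IcmpEvent(1.0 * i + 0.5, "10.0.0.8", "192.0.2.11", 8, 0))
    # An Echo Reply and a Port Unreachable coming back are ignored by the detector
    evs.append(IcmpEvent(0.2, "192.0.2.10", "10.0.0.8", 0, 0))
    evs.append(IcmpEvent(0.3, "192.0.2.10", "10.0.0.5", 3, 3))
    return sorted(evs, key=lambda e: e.ts)


if __name__ == "__main__":
    for alert in detect_icmp_abuse(sample_events()):
        print(alert)
```

Tumbling windows are the simplest thing that works, but a sweep or flood that straddles a window boundary splits its counts across two buckets; a production detector would use a sliding window or an exponentially decaying counter per source. Note that the flood rule keys on the source address, which in a real DDoS is often spoofed, so the destination-side count per window is the more reliable signal for floods.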
