ICMP (Internet Control Message Protocol)

By Ben Lutkevich

ICMP (Internet Control Message Protocol) is an error-reporting protocol that network devices such as routers use to generate error messages to the source IP address when network problems prevent delivery of IP packets. ICMP creates and sends messages to the source IP address indicating that a gateway to the internet, such as a router, service or host, cannot be reached for packet delivery. Any IP network device has the capability to send, receive or process ICMP messages.

ICMP is not a transport protocol that sends data between systems.

While ICMP is not used regularly in end-user applications, it is used by network administrators to troubleshoot internet connections in diagnostic utilities including ping and traceroute.

What is ICMP used for?

ICMP is a network layer protocol used by routers, intermediary devices and hosts to communicate error information or updates to other routers, intermediary devices and hosts.

ICMP messages are sent in several scenarios. For example, if one device sends a message that is too large for the recipient to process, the recipient will drop that message and send an ICMP message back to the source. Another example is when the network gateway finds a shorter route for the message to travel on. When this happens, an ICMP message is sent, and the packet is redirected to the shorter route.

ICMP is also used for network diagnostics, specifically the ping and traceroute terminal utilities.

The widely used Internet Protocol version 4 (IPv4) and the newer IPv6 use similar versions of the ICMP protocol -- ICMPv4 and ICMPv6, respectively.

How does ICMP work?

ICMP is one of the main protocols of the IP suite. However, ICMP is not associated with any transport layer protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). It is a connectionless protocol, meaning a device does not need to open a connection with the target device before sending a message. This contrasts with TCP, for example, where a connection must be established before a message can be sent, establishing that both devices are ready through a TCP handshake.

ICMP messages are transmitted as datagrams and consist of an IP header that encapsulates the ICMP data. A datagram, much like a packet, is a self-contained independent entity of data. Think of it as a package carrying a piece of a bigger message across the network. ICMP packets are IP packets with ICMP in the IP data portion. ICMP messages also contain the entire IP header from the original message, so the end system knows which packet failed.

The ICMP header appears after the IPv4 or IPv6 packet header and is identified as IP protocol number 1. The ICMP header contains three parameters, explained below. Following the three parameters are the ICMP data and the original IP header identifying which packet failed.

ICMP parameters

ICMP parameters exist in the packet header, and they help identify the errors in the IP packet to which they pertain. The parameters are like a shipping label on a package. They provide identifying information about the packet and the data it contains. That way, the protocols and network tools receiving the ICMP message know how to handle the packet.

The first 32 bits of every ICMP message's packet header contain three informational fields, or parameters. Those three parameters are the following:

  1. Type. The first 8 bits carry the message type. Some common message types include the following:
      1. Type 0 -- Echo reply
      2. Type 3 -- Destination unreachable
      3. Type 8 -- Echo
      4. Type 5 -- Redirect

    The type provides a brief explanation of what the message is for so the receiving network device knows why it is getting the message and how to treat it. For example, a Type 8 Echo is a query a host sends to see if a potential destination system is available. Upon receiving an Echo message, the receiving device might send back an Echo Reply (Type 0), indicating it is available.

    Internet Assigned Numbers Authority (IANA) provides a list of all message types ICMP packets use.

  2. Code. The next 8 bits represent the message type code, which provides additional information about the error type.
  3. Checksum. The last 16 bits provide a message integrity check. The checksum shows the number of bits in the entire message and enables the ICMP tool to check for consistency with the ICMP message header to make sure the full range of data was delivered.

The next part of the ICMP header is the pointer. It consists of 32 bits of data that points out the problem in the original IP message. Specifically, the pointer identifies the byte location in the original IP message that caused the generation of the problem message. The receiving device looks at this part of the header to pinpoint the problem.

The final section of the ICMP packet is the original datagram. It consists of up to 576 bytes in IPv4 and 1,280 bytes in IPv6 and includes a copy of the original error-containing IP message.
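As an added example (not part of the original article), the following Python builds and parses ICMPv4 messages laid out with the three header parameters described above, verifies the checksum, and extracts the quoted original IP header from a Destination Unreachable message. The sample messages are constructed here; the one's-complement checksum algorithm is the standard RFC 1071 procedure, which the article does not spell out.

```python
import struct
from dataclasses import dataclass
from typing import Optional

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad the final word with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(msg_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Type(8) | Code(8) | Checksum(16) | 4 more header bytes | data. Checksum covers all of it."""
    body = struct.pack("!BBH", msg_type, code, 0) + rest + payload
    return struct.pack("!BBH", msg_type, code, internet_checksum(body)) + rest + payload

@dataclass
class IcmpMessage:
    msg_type: int
    code: int
    checksum_ok: bool
    original_dst: Optional[str] = None    # filled only when the message quotes a failing datagram
    original_proto: Optional[int] = None

def parse_icmp(packet: bytes) -> IcmpMessage:
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    msg_type, code, _ = struct.unpack("!BBH", packet[:4])
    # A correctly checksummed message, summed together with its own checksum field, gives zero.
    msg = IcmpMessage(msg_type, code, internet_checksum(packet) == 0)
    if msg_type == 3 and len(packet) >= 28:
        # Destination Unreachable: bytes 8..27 hold the original IPv4 header (20-byte header assumed);
        # byte 9 of that header is its protocol field, bytes 16..19 its destination address.
        ip_hdr = packet[8:28]
        msg.original_proto = ip_hdr[9]
        msg.original_dst = ".".join(str(b) for b in ip_hdr[16:20])
    return msg

# Constructed sample messages (not captured traffic).
SAMPLE_ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping")          # Echo, id 0x1234, seq 1
SAMPLE_ECHO_CORRUPTED = SAMPLE_ECHO[:-1] + bytes([SAMPLE_ECHO[-1] ^ 0x01])      # one payload bit flipped
_ORIG_IP_HDR = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes([192, 0, 2, 1]) + bytes([198, 51, 100, 7])
_ORIG_UDP = struct.pack("!HHHH", 40000, 53, 8, 0)   # first 8 bytes of the dropped UDP datagram
SAMPLE_UNREACHABLE = build_icmp(3, 3, b"\x00" * 4, _ORIG_IP_HDR + _ORIG_UDP)   # code 3: port unreachable

if __name__ == "__main__":
    for pkt in (SAMPLE_ECHO, SAMPLE_ECHO_CORRUPTED, SAMPLE_UNREACHABLE):
        print(parse_icmp(pkt))
```

Running the block prints the parsed type, code and checksum result for each sample; the corrupted echo fails its checksum, and the unreachable message yields the destination address and protocol of the datagram that was dropped.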

ICMP in DDoS attacks

In distributed DoS (DDoS) attacks, attackers overwhelm the target with unwanted traffic so the target cannot provide service to its users. There are multiple ways an attacker can use ICMP to execute these attacks, including the following:

ICMP-based DDoS attacks have become an increasingly prevalent cyber attack.

11 Mar 2021

All Rights Reserved, Copyright 2000 - 2024, TechTarget