ICMP (Internet Control Message Protocol) is an error-reporting protocol that network devices such as routers use to generate error messages to the source IP address when network problems prevent delivery of IP packets. ICMP creates and sends messages to the source IP address indicating that a gateway to the internet, such as a router, service or host, cannot be reached for packet delivery. Any IP network device has the capability to send, receive or process ICMP messages.
ICMP is not a transport protocol that sends data between systems.
What is ICMP used for?
ICMP is a network layer protocol used by routers, intermediary devices and hosts to communicate error information or updates to other routers, intermediary devices and hosts.
ICMP messages are sent in several scenarios. For example, if one device sends a message that is too large for the recipient to process, the recipient will drop that message and send an ICMP message back to the source. Another example is when the network gateway finds a shorter route for the message to travel on. When this happens, an ICMP message is sent, and the packet is redirected to the shorter route.
ICMP is also used for network diagnostics, specifically the ping and traceroute terminal utilities.
- Traceroute. The traceroute utility displays the routing path between two internet devices communicating with each other. It maps out the journey from one router to the next -- each step is called a hop. Using traceroute to diagnose network problems can help administrators locate the source of a network delay.
- Ping. The ping utility is simpler than traceroute. It sends out pings -- also referred to as echo request messages -- and measures the time it takes a message to reach its destination and return to the source. The replies are called echo reply messages. Pings are useful for gathering latency information about a specific device. Unlike traceroute, though, ping does not map out the routing path. The ping utility is also often exploited for certain denial of service (DoS) attacks.
How does ICMP work?
ICMP is one of the main protocols of the IP suite. However, ICMP is not associated with any transport layer protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). It is a connectionless protocol, meaning a device does not need to open a connection with the target device before sending a message. This contrasts with TCP, for example, where a connection must be established before a message can be sent, establishing that both devices are ready through a TCP handshake.
ICMP messages are transmitted as datagrams and consist of an IP header that encapsulates the ICMP data. A datagram, much like a packet, is a self-contained independent entity of data. Think of it as a package carrying a piece of a bigger message across the network. ICMP packets are IP packets with ICMP in the IP data portion. ICMP messages also contain the entire IP header from the original message, so the end system knows which packet failed.
The ICMP header appears after the IPv4 or IPv6 packet header and is identified as IP protocol number 1. The ICMP header contains three parameters, explained below. Following the three parameters are the ICMP data and the original IP header identifying which packet failed.
ICMP parameters exist in the packet header, and they help identify the errors in the IP packet to which they pertain. The parameters are like a shipping label on a package. They provide identifying information about the packet and the data it contains. That way, the protocols and network tools receiving the ICMP message know how to handle the packet.
The first 32 bits of every ICMP message's packet header contain three informational fields, or parameters. Those three parameters are the following:
- Type. The first 8 bits are the message type. Some common message types include the following:
  - Type 0 -- Echo reply
  - Type 3 -- Destination unreachable
  - Type 8 -- Echo
  - Type 5 -- Redirect
The type provides a brief explanation of what the message is for so the receiving network device knows why it is getting the message and how to treat it. For example, a Type 8 Echo is a query a host sends to see if a potential destination system is available. Upon receiving an Echo message, the receiving device might send back an Echo Reply (Type 0), indicating it is available.
Internet Assigned Numbers Authority (IANA) provides a list of all message types ICMP packets use.
- Code. The next 8 bits represent the message type code, which provides additional information about the error type.
- Checksum. The last 16 bits provide a message integrity check. The checksum shows the number of bits in the entire message and enables the ICMP tool to check for consistency with the ICMP message header to make sure the full range of data was delivered.
The next part of the ICMP header is the pointer. It consists of 32 bits of data that points out the problem in the original IP message. Specifically, the pointer identifies the byte location in the original IP message that caused the generation of the problem message. The receiving device looks at this part of the header to pinpoint the problem.
The final section of the ICMP packet is the original datagram. It consists of up to 576 bytes in IPv4 and 1,280 bytes in IPv6 and includes a copy of the original error-containing IP message.
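The header layout described above (8-bit type, 8-bit code, 16-bit checksum, then the type-specific data) is compact enough to build and decode by hand, which is also the quickest way to see how ping's Echo/Echo Reply exchange and an error message such as Destination Unreachable differ. The following Python is an added example written for this article, not code from the original page: it computes the 16-bit one's-complement checksum ICMP uses (RFC 792 / RFC 1071), builds an IPv4 Echo Request, builds a Destination Unreachable message that quotes a constructed original IPv4/UDP datagram, and parses both back out, including the quoted header that tells the sender which packet failed. The sample addresses, identifier and ports are constructed, and the quoted datagram's IP header checksum is left at zero since the example does not validate it.

```python
import socket
import struct

# ICMP type values from the article (IANA assigns the full list)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of
    all 16-bit words, computed with the checksum field set to zero."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(message: bytes) -> bool:
    """Summing a message that already carries its checksum gives 0 when intact."""
    return icmp_checksum(message) == 0


def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Type 8 / code 0 message; the 32-bit 'rest of header' holds identifier + sequence."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, identifier, sequence) + payload


def build_dest_unreachable(code: int, original_ip_packet: bytes) -> bytes:
    """Type 3 message quoting the original IPv4 header plus the first 8 bytes
    of its data, which is how the sender learns which packet failed."""
    ihl = (original_ip_packet[0] & 0x0F) * 4
    quoted = original_ip_packet[: ihl + 8]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0)  # 4 unused bytes
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, csum, 0) + quoted


def parse_icmp(message: bytes) -> dict:
    """Decode type, code, checksum validity and the type-specific fields."""
    if len(message) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", message[:8])
    info = {"type": icmp_type, "code": code, "checksum_ok": verify_checksum(message)}
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["identifier"] = rest >> 16
        info["sequence"] = rest & 0xFFFF
        info["payload"] = message[8:]
    elif icmp_type == ICMP_DEST_UNREACHABLE:
        orig = message[8:]                    # quoted IPv4 header + 8 bytes of its data
        if len(orig) < 20:
            raise ValueError("quoted IPv4 header is truncated")
        ihl = (orig[0] & 0x0F) * 4
        original = {
            "protocol": orig[9],
            "src": socket.inet_ntoa(orig[12:16]),
            "dst": socket.inet_ntoa(orig[16:20]),
        }
        data = orig[ihl: ihl + 8]
        if original["protocol"] in (6, 17) and len(data) >= 4:   # TCP/UDP dst port at offset 2
            original["dst_port"] = struct.unpack("!H", data[2:4])[0]
        info["original"] = original
    return info


def constructed_udp_packet() -> bytes:
    """Constructed IPv4/UDP datagram (10.0.0.1 -> 10.0.0.2:53) used as the
    'failed' packet; its IP header checksum is left at 0 for brevity."""
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                            socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    udp_header = struct.pack("!HHHH", 40000, 53, 8, 0)
    return ip_header + udp_header


if __name__ == "__main__":
    req = build_echo_request(0x1234, 1, b"abcdefgh")
    print(parse_icmp(req))
    unreach = build_dest_unreachable(3, constructed_udp_packet())   # code 3 = port unreachable
    print(parse_icmp(unreach))
```

Because the checksum covers the whole message, verifying it is just re-running the sum over the received bytes and checking for zero; any single corrupted byte makes that fail, which is the "consistency" check the text refers to. The Echo branch carries no quoted header at all, while the Destination Unreachable branch carries enough of the original datagram to recover its protocol, addresses and destination port.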
ICMP in DDoS attacks
In distributed DoS (DDoS) attacks, attackers overwhelm the target with unwanted traffic so the target cannot provide service to its users. There are multiple ways an attacker can use ICMP to execute these attacks, including the following:
- Ping of death. The attacker sends an IP packet larger than the number of bytes allowed by IP. On the way to its intended destination, the oversized packet is fragmented. However, when the recipient device reassembles it, the size exceeds the limit, causing a buffer overflow and the receiving machine to freeze or crash. Newer devices have defenses against this older-type attack, but legacy networking devices are still vulnerable to it.
- ICMP flood attack. Sometimes called a ping flood attack, the goal of this attack is to overwhelm the target device with echo request packets. Each echo request packet must be processed by the target and answered with an echo reply message. This consumes the target computer's resources and causes a denial of service for its other users.
- Smurf attack. In a Smurf attack, the attacker sends an ICMP packet with a spoofed source IP address, and the network layer equipment replies to the packet, sending the spoofed address a flood of packets. Like the ping of death, Smurf attacks are more likely to work on undefended legacy equipment.
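Each of the three attacks above leaves a distinct signature in ICMP traffic records, and a defender can check for all three with a few lines of analysis. The following Python is an added example written for this article, not code from the original page; it runs over a constructed list of per-datagram ICMP records (timestamp, source, destination, type, reassembled length) such as a sensor might export, and flags sources exceeding an echo-request rate threshold (ping flood), datagrams whose reassembled length exceeds the 65,535-byte IPv4 maximum (ping of death) and echo requests addressed to a local subnet's broadcast address (the amplifier pattern a Smurf attack needs, and the reason directed-broadcast forwarding is normally disabled). The threshold, the documentation-range addresses and the records themselves are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP_ECHO_REQUEST = 8
MAX_IPV4_DATAGRAM = 65535          # largest total length an IPv4 datagram can have

# Constructed threshold for this example, not a vendor default
ECHO_REQUESTS_PER_SECOND = 100


@dataclass
class IcmpRecord:
    ts: float          # seconds
    src: str
    dst: str
    icmp_type: int
    length: int        # reassembled IP datagram length in bytes


def find_flood_sources(records, threshold=ECHO_REQUESTS_PER_SECOND, window=1.0):
    """Sources sending more than `threshold` echo requests within one window."""
    per_bucket = Counter()
    for r in records:
        if r.icmp_type == ICMP_ECHO_REQUEST:
            per_bucket[(r.src, int(r.ts // window))] += 1
    return {src for (src, _bucket), n in per_bucket.items() if n > threshold}


def find_oversized(records):
    """Datagrams whose reassembled size exceeds the IPv4 maximum (ping of death)."""
    return [(r.src, r.length) for r in records if r.length > MAX_IPV4_DATAGRAM]


def find_broadcast_echo(records, local_nets):
    """Echo requests aimed at a local subnet's broadcast address: the amplifier
    pattern a Smurf attack relies on and that directed-broadcast filtering drops."""
    broadcasts = {ip_network(n).broadcast_address for n in local_nets}
    return [(r.src, r.dst) for r in records
            if r.icmp_type == ICMP_ECHO_REQUEST and ip_address(r.dst) in broadcasts]


def analyse(records, local_nets):
    """Run all three checks and return their findings together."""
    return {
        "flood_sources": find_flood_sources(records),
        "oversized": find_oversized(records),
        "broadcast_targets": find_broadcast_echo(records, local_nets),
    }


def constructed_records():
    """Constructed sample: one noisy source, one normal source, one oversized
    datagram and one echo request to a subnet broadcast address."""
    recs = [IcmpRecord(i * 0.005, "203.0.113.5", "198.51.100.10", 8, 84) for i in range(150)]
    recs += [IcmpRecord(i * 0.2, "192.0.2.7", "198.51.100.10", 8, 84) for i in range(5)]
    recs.append(IcmpRecord(0.3, "192.0.2.9", "198.51.100.10", 8, 65600))
    recs.append(IcmpRecord(0.4, "198.51.100.10", "198.51.100.255", 8, 84))
    return recs


if __name__ == "__main__":
    print(analyse(constructed_records(), ["198.51.100.0/24"]))
```

The rate check is the only one that needs tuning: a monitoring host legitimately sending many pings would trip a low threshold, so the threshold should be set from observed baseline traffic. The other two checks are unconditional, since no legitimate IPv4 datagram exceeds 65,535 bytes after reassembly and echo requests to a directed-broadcast address have no routine use on a modern network.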
ICMP-based DDoS attacks have become increasingly prevalent. Find out more about DDoS attacks in general and how they have become more tactically diverse in recent years.