Internet Control Message Protocol (ICMP) is an essential network layer protocol for communication by network devices. It helps detect and report errors, send query messages, and inform hosts of network congestion.
ICMP uses packet messaging in IPv4 and IPv6 networks to provide information about underlying network conditions.ICMP doesn’t actually manage any of the data itself but it informs the sender when data has failed to reach its intended destination or when it is received out of order.
ICMP’s functionality makes communication over networks smoother and more reliable, ensuring that information can be delivered accurately and efficiently.
ICMPv4 and ICMPv6 are two different versions of the protocol; while they share some similarities, they also differ in several ways.
In addition to its primary function of providing communication between network devices, ICMP has also become a target for malicious actors due to its vulnerability to various types of attacks. As a result, it is important to understand how ICMP works and how to properly configure it to ensure the security of your network.
How does ICMP work?
ICMP is a connectionless protocol utilized for network management purposes, as opposed to the Internet Protocol (IP), which requires a transport layer protocol such as TCP or UDP.
ICMP doesn’t include associated processes involving establishing and closing connections (as TCP does), nor does ICMP allow for targeted ports on devices.
In contrast to other protocols’ connection-oriented approach, ICMP sends messages without first requiring any handshake, providing a simpler structure overall for conveying information from one device to another.
ICMP message components
An ICMP message consists of an IP header that encapsulates a variable-sized data section.
ICMP data contains the following fields:
- Type: The 8-bit field identifies the ICMP message type, and its possible values range from 0 to 127 for ICMPv6 messages. Values between 128 to 255 are informative notifications.
- Code: This 8-bit field is a subtype discriminator that determines what kind of ICMP message is being sent.
- Checksum: A 16-bit field to detect whether there is an error in the message or not.
- Pointer: A variable-length field that identifies the problem in the original message. This field is optional.
- Original datagram: Another variable-length field that contains part of the original IP packet that caused an error. This field is also optional.
2 types of ICMP messages
There are two types of categories of ICMP messages: error reporting and queries.
Error reporting messages
Error reporting messages are sent when a node or router encounters an error.
Examples of error reporting messages might include:
- Destination Unreachable: Sent when a device receives an IP packet and determines that the destination is inaccessible.
- Source Quench: Informs sender machines to reduce the rate at which they are sending data, usually due to congestion on the network or a technical limitation such as a router not being able to handle a high data transfer rate.
- Time Exceeded: When a router finds that a packet’s Time-to-Live (TTL) field has reached zero, it sends this message to the packet’s sender.
- Parameter Problem: Sent when an invalid IP header or packet length is detected by a router.
- Redirection: Sent when there is a better route for the packet’s sender to reach its destination.
These messages are sent to query specific information from the destination device.
Query messages include:
- Echo Request/Reply: Used to check whether a device is active on the network or not by sending an Echo Request message and waiting for an Echo Reply message from the destination.
- Timestamp Request/Reply: Uses two timestamp fields, one sent in the request and one in the reply.
- Address Mask Request/Reply: Allows devices to query for the subnet mask of the destination device.
How to use ICMP
There are three ways ICMP is used in networking: for reporting errors, as a diagnostic tool, or to compromise network performance via a denial-of-service (DoS) attack.
ICMP is known primarily for its role in reporting errors. ICMP is used between two devices connected through the internet to detect and report when data transfer has been unsuccessful due to whatever reason.
For example, ICMP may be triggered by a router discarding a data packet that is too large for it to manage. In these cases, an ICMP message with information about the issue will be transmitted to the sender by the router. The sending device then has an opportunity to fix the problem or resend the data, ensuring effective communication over internet connections.
As a diagnostic tool
ICMP can be used as a diagnostic tool to check the availability, route, and health of a system in a network using ICMP and Simple Network Management Protocol (SNMP).
One of the most common ICMP diagnostic tools is ping, which transmits a request for an ICMP echo to a network device and expects an ICMP echo reply. Ping can also be used to check for packet loss and delay within a network.
Another ICMP diagnostic tool is traceroute, which uses ICMP messages to trace the path of packets from one host to another.
Compromising network performance
Criminals can use ICMP to compromise network performance by carrying out a denial-of-service (DoS) attack.
DoS attacks are carried out by flooding systems with ICMP requests. Too many ICMP messages can significantly slow down or stop the functioning of a computer or network, thus exhausting the resources of the target system.
ICMP can also be used in a Smurf attack or ping of death attack, as discussed in the “ICMP security threats” section below.
ICMP in IPv4 and IPv6
As you might expect, ICMP works differently in IPv4 and IPv6 in a variety of ways. ICMP in IPv6 is of course a more robust and dynamic protocol, allowing a much greater number of tasks, broader checksum reporting, and message type differentiation.
Internet Control Message Protocol version 6 (ICMPv6) has a more well-rounded function in IPv6 than ICMPv4 does in IPv4. In IPv6, ICMPv6 plays an integral part in router advertisement, path MTU discovery, and multicast group management—tasks ICMPv4 does not cover.
The message formats differ between ICMPv4 and ICMPv6. Specifically, when calculating the checksums for each version of ICMP, the result will differ based upon what they cover.
While in ICMPv4 only the message itself is covered by the checksum calculation, in ICMPv6 both the message itself as well as a pseudo-header (which includes some fields from the IPv6 header) are included in this calculation.
ICMPv6 messages use a high-order bit type field to differentiate between errors and informational messages, whereas ICMPv4 does not. Certain message codes are also exclusive to either ICMPv4 or ICMPv6.
Next Header field values
ICMPv6 has a distinct Next Header field value when compared to ICMPv4, which uses a Protocol field value of 1. In IPv6, ICMPv6 messages may start after one or more extension headers; the last extension header includes a Next Header field of 58 to indicate an ICMPv6 message.
Additionally, ICMPv6 messages can be carried in other protocols, whereas ICMPv4 cannot.
ICMP security threats
Like any networking protocol, ICMP is vulnerable to several security threats, including tunneling, router discovery, Smurf and Fraggle attacks, and ping of death attacks.
ICMP tunneling is a technique of encapsulating other protocols or data within ICMP packets to bypass firewalls or evade detection.
ICMP router discovery
ICMP router discovery is a type of ICMP message that allows hosts to discover routers on their network. While typically benign, it can also be used by attackers to spoof router advertisements and redirect traffic to malicious destinations.
Smurf attacks are a type of DoS attack that involves sending a large number of ICMP echo requests with a spoofed source address to a network broadcast address. The result is that all the hosts on the network reply with ICMP echo replies to the spoofed address, overwhelming the victim’s bandwidth and resources.
Fraggle attacks are similar to Smurf attacks, but they use UDP packets instead of ICMP packets. The attacker sends UDP packets with a spoofed source address to a network broadcast address on port 7 (echo) or port 19 (chargen). The result is that all the hosts on the network reply with UDP packets to the spoofed address, flooding the victim’s network.
ICMP flood attack
ICMP flood is a type of DoS attack that involves sending a large number of ICMP packets (such as Echo Requests or Destination Unreachable messages) to a target host. The goal is to consume the target’s CPU cycles and memory, preventing it from processing legitimate traffic.
Ping of death attack
Ping of death is an old type of attack exploiting a vulnerability in some systems that cannot handle ICMP packets larger than 65,536 bytes. The attacker sends an oversized ICMP packet (usually an Echo Request) to crash or reboot the target system.
Information gathering is a technique of using ICMP messages (such as Echo Requests, Timestamp Requests, Address Mask Requests, or traceroute) to probe a target network for its topology, configuration, operating system, or vulnerabilities.
Bottom line: Using and securing ICMP
ICMP is an essential part of the Internet Protocol Suite, playing a critical role in IP communication. It’s used to exchange control and error messages between network devices such as routers, hosts, and gateways.
Like all network protocols, ICMP has its share of vulnerabilities, and it’s important to understand them so that you can protect your network and your organization against attacks.
Understanding these concepts will help you stay one step ahead of attackers and keep your network safe from potential threats.
Here are the best enterprise network security companies to trust with keeping your organization’s data secure.