ICMP is not a transport protocol that carries application data between systems.
While ICMP is rarely used directly by end-user applications, network administrators rely on it to troubleshoot internet connections through diagnostic utilities such as ping and traceroute.
What is ICMP used for?
ICMP is a network layer protocol used by routers, intermediary devices and hosts to communicate error information or updates to other routers, intermediary devices and hosts.
ICMP messages are sent in a variety of circumstances. For instance, if one device sends a message that the recipient cannot handle, the recipient drops the message and returns an ICMP message to the source. Another example is when a network gateway determines that a quicker path exists for the message; the packet is diverted to the shorter path and an ICMP message is sent to inform the source.
ICMP is also used for network diagnostics, specifically the ping and traceroute terminal utilities.
- Traceroute. The traceroute utility displays the routing path between two internet devices that are communicating with each other. It maps out the journey from one router to the next; each such step is called a hop. Using traceroute to diagnose network problems helps administrators locate the source of a network delay.
- Ping. The ping utility is a simpler relative of traceroute. It sends out pings, also referred to as echo request messages, and measures the time it takes for the message to reach its destination and for the reply to return to the source. These replies are called echo reply messages. Pings are useful for gathering latency information about a specific device. Unlike traceroute, though, ping does not map out the routing path. The ping utility is also frequently abused in certain denial of service (DoS) attacks.
IPv4, the widely used Internet Protocol version 4, and the newer IPv6 use similar versions of ICMP: ICMPv4 and ICMPv6, respectively.
How does ICMP work?
ICMP is one of the main protocols of the IP suite. However, ICMP is not associated with any transport layer protocol, such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). It is a connectionless protocol, meaning a device does not need to open a connection with the target device before sending a message. This contrasts with TCP, for example, where a connection must first be established through the TCP handshake, confirming that both devices are ready, before a message can be sent.
ICMP messages are sent as datagrams: an IP header followed by the ICMP data. A datagram is a self-contained, autonomous data object, much like a packet; think of it as a packet carrying a portion of a larger message across the internet. IP packets that carry ICMP in the IP data section are known as ICMP packets. So that the end system can determine which packet failed, ICMP error messages additionally include the whole IP header from the original message.
The ICMP header follows the IPv4 or IPv6 packet header; ICMPv4 is identified as IP protocol number 1 (ICMPv6 is identified by protocol number 58). The header contains three parameters, explained below. Following the three parameters are the ICMP data and the original IP header identifying which packet failed.
The packet header contains the ICMP parameters that help locate the relevant IP packet fault. These parameters resemble a package's shipping label: they offer identifying details about the packet and the data it holds, so the protocols and network tools receiving the ICMP message know how to handle it.
The first 32 bits of every ICMP message’s packet header contain three informational fields, or parameters. Those three parameters are the following:
- Type. The first 8 bits give the message type. Some common message types include the following:
- Type 0 — Echo reply
- Type 3 — Destination unreachable
- Type 8 — Echo
- Type 5 — Redirect
The type gives a brief description of the message's purpose, so that the network device receiving it understands why it is receiving the message and how to handle it. A Type 8 Echo, for instance, is a host's request to determine whether a potential destination system is reachable. After receiving an Echo message, the receiving device may reply with an Echo Reply (Type 0), letting the sender know it is ready.
- Code. The next 8 bits represent the message type code, which provides additional information about the error type.
- Checksum. The last 16 bits provide a message integrity check. The checksum is computed over the entire ICMP message and lets the receiving ICMP implementation verify that the header and data arrived intact and complete.
Next in the ICMP header comes the pointer. Its 32 bits of data highlight the issue with the original IP packet: the pointer gives the byte position in the original IP message at which the problem that triggered the message was found. The receiving device examines this section of the header to identify the issue.
The final section of the ICMP packet is the original datagram. It consists of up to 576 bytes in IPv4 and 1,280 bytes in IPv6 and contains a copy of the original IP message that caused the error.
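To make the header layout concrete, here is an added Python example (not code from the article) that builds an ICMPv4 message, computes the RFC 1071 one's-complement checksum used in the checksum field, and decodes the type, code, checksum, pointer and quoted original datagram from an error message. The sample IPv4/UDP datagram is constructed, the type names for 11 and 12 go beyond the article's list, and the parser assumes ICMPv4 only.

```python
import struct
from ipaddress import IPv4Address

# Type names as listed in the article; 11 and 12 are further standard ICMPv4 error types.
ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 5: "Redirect",
              8: "Echo", 11: "Time exceeded", 12: "Parameter problem"}
ERROR_TYPES = {3, 5, 11, 12}  # these quote the offending IP datagram after the header

def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's-complement sum of all 16-bit words."""
    if len(data) % 2:
        data += b"\x00"          # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_message(itype: int, code: int, word2: int, body: bytes) -> bytes:
    """Type, code, checksum, then the second 32-bit word (id/seq, pointer, or unused)."""
    unsummed = struct.pack("!BBHI", itype, code, 0, word2) + body
    return struct.pack("!BBHI", itype, code, icmp_checksum(unsummed), word2) + body

def parse_icmp(msg: bytes) -> dict:
    """Decode the 8-byte ICMP header and, for error types, the quoted original datagram."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    itype, code, _csum, word2 = struct.unpack("!BBHI", msg[:8])
    info = {"type": itype, "code": code, "name": ICMP_TYPES.get(itype, "unknown"),
            "checksum_ok": icmp_checksum(msg) == 0}  # an intact message sums to zero
    if itype in (0, 8):
        info["identifier"], info["sequence"] = word2 >> 16, word2 & 0xFFFF
    elif itype in ERROR_TYPES:
        if itype == 12:
            info["pointer"] = word2 >> 24   # byte offset of the fault in the original header
        orig = msg[8:]
        if len(orig) < 20:                  # not even a full IPv4 header was quoted
            info["original"] = "truncated"
            return info
        ihl = (orig[0] & 0x0F) * 4
        info["orig_proto"] = orig[9]
        info["orig_src"] = str(IPv4Address(orig[12:16]))
        info["orig_dst"] = str(IPv4Address(orig[16:20]))
        info["orig_l4_first8"] = orig[ihl:ihl + 8]
    return info

# Constructed sample: an IPv4 header plus 8 bytes of UDP (dst port 53) that a router could
# quote back in a Destination Unreachable message. IP/UDP checksums are left zero here.
SAMPLE_ORIG = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1ABC, 0x4000, 64, 17, 0,
                           bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
               + struct.pack("!HHHH", 40000, 53, 8, 0))
```

For example, `parse_icmp(build_message(3, 3, 0, SAMPLE_ORIG))` reports a Destination unreachable message whose quoted datagram was UDP from 192.0.2.10 to 198.51.100.7.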
ICMP in DDoS attacks
During a distributed DoS (DDoS) attack, attackers overload the target with unwanted traffic, preventing it from serving its users. An attacker can carry out such attacks in a variety of ways, including the following:
- Ping of death. The attacker sends an IP packet larger than the maximum size IP allows. On the way to its destination, the oversized packet is fragmented, but when the recipient reassembles it the result exceeds the limit, overflowing a buffer and causing the receiving machine to freeze or crash. Newer devices have defenses against this older attack, but legacy networking devices remain vulnerable.
- ICMP flood attack. Sometimes called a ping flood, this attack aims to overwhelm the target device with echo request packets. The target must process each echo request and answer it with an echo reply. This consumes the target computer's resources and denies service to its other users.
- Smurf attack. In a Smurf attack, the attacker sends an ICMP packet with a spoofed source IP address to a network's broadcast address, and the network equipment on that network replies to it, sending the spoofed address a flood of packets. Like the ping of death, Smurf attacks are more likely to work against undefended legacy equipment.
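From the defender's side, the two attacks above leave measurable traces: a ping flood is an abnormal rate of Echo requests from one source, and a ping of death is a set of fragments whose offsets and lengths reassemble past the 65,535-byte IPv4 limit. The following added Python example (not from the article) runs both checks over constructed packet records; the `Pkt` record layout, the one-second window and the 100-request threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

IPV4_MAX_LEN = 65535  # largest datagram IPv4 can describe; reassembly beyond it is the ping of death

class Pkt(NamedTuple):
    ts: float          # capture time in seconds
    src: str           # source IP address
    icmp_type: int     # 8 = Echo request; -1 for non-first fragments (no ICMP header present)
    ip_id: int         # IPv4 identification field, shared by all fragments of one datagram
    frag_offset: int   # fragment offset in bytes
    length: int        # bytes of data carried by this fragment

def detect_ping_flood(packets, window=1.0, threshold=100):
    """Sources that send more than `threshold` Echo requests within any `window` seconds."""
    per_src = defaultdict(list)
    for p in packets:
        if p.icmp_type == 8:
            per_src[p.src].append(p.ts)
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged

def detect_ping_of_death(packets):
    """(src, ip_id) pairs whose fragments would reassemble to more than IPV4_MAX_LEN bytes."""
    end_of = defaultdict(int)
    for p in packets:
        key = (p.src, p.ip_id)
        end_of[key] = max(end_of[key], p.frag_offset + p.length)
    return {key for key, end in end_of.items() if end > IPV4_MAX_LEN}

# Constructed traffic: a normal host pinging once a second, a host sending 150 Echo requests
# in 0.75 s, and a fragmented datagram whose last fragment ends at byte 65,560.
SAMPLE_PACKETS = (
    [Pkt(i * 1.0, "192.0.2.10", 8, 100 + i, 0, 56) for i in range(4)]
    + [Pkt(i * 0.005, "203.0.113.5", 8, 500 + i, 0, 56) for i in range(150)]
    + [Pkt(2.0, "198.51.100.9", 8 if off == 0 else -1, 0x0BAD, off, 1480)
       for off in range(0, 65120, 1480)]
    + [Pkt(2.1, "198.51.100.9", -1, 0x0BAD, 65120, 440)]  # 65120 + 440 = 65560 > 65535
)
```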