304 North Cardinal St.
Dorchester Center, MA 02124
ICMP messages can communicate a variety of information. Each message has a type and code field that provides specific information about the error. Unlike TCP and UDP, ICMP does not require handshakes or formal connections. Rather, ICMP is used for low-level network management functions. For example, the terminal utilities ping and traceroute use ICMP. Both ping and traceroute report the routing path of data packets between network devices.
ICMP is one of the most useful tools available to network administrators. It operates at the Network Layer and is commonly used in network debugging utilities such as traceroute and ping. However, since hackers can also misuse ICMP to form attacks or tunnel through firewalls, many risk-averse network administrators choose to block inbound and outbound ICMP traffic. ICMP is a connectionless protocol unlike other data packet protocols, such as TCP, which require an active connection between the sending and receiving devices to send information. ICMP is a great choice for error reporting and network diagnostics because it can quickly notify the sender of problems with the communication path between the devices.
For example, suppose the Time to Live (TTL) field in an ICMP echo request or a ping reply is lowered by a router along its path. In that case, the original sender will receive an ICMP error message that indicates how long it took for the data to reach its destination. It enables network administrators to track down the device, slowing traffic in its path.
Another common ICMP error message is the “Destination Unreachable” message, which is used to notify the source of a packet that its MTU is too large for the network. This error message is reported using different ICMP types and codes in IPv4 and IPv6, but they have the same basic structure. The three ICMP fields are a type that identifies the error, a code, and a checksum.
ICMP is often confused with the popular network diagnostic tool, ping. However, while ping is an ICMP message, it is not technically part of the ICMP protocol itself. Ping is one of many applications that use ICMP to communicate with devices on a local network. Unlike TCP and UDP, ICMP does not operate on ports but differentiates messages using the ‘type’ and ‘code’ fields. It also doesn’t have a connection-oriented structure like TCP but enables devices to send and receive error-reporting information. The unsung heroes of the internet — routers — rely on ICMP to communicate issues back to their network, such as when a destination is unreachable, or the packet’s time-to-live expires. It enables transparent communication within the network.
Unfortunately, malicious actors can use ICMP as an attack vector to enter networks and compromise devices. For example, ICMP tunneling enables attackers to use compromised network equipment to communicate with an attacker and transmit data secretly. Also, ICMP can be used to carry ping scans and sweeps to discover systems to target in attacks such as DDoS. While ICMP is indispensable for network diagnostics, ensuring it can’t be exploited for attack is critical. It includes implementing security measures to prevent unauthorized ICMP traffic. It’s important in a hybrid cloud environment where the distinction between on-premises and SaaS services can be blurred.
The Internet Control Message Protocol, while lower in priority than protocols like TCP and UDP, holds an essential role. It acts as a network sentinel, communicating error messages and operational information to devices, ensuring that issues such as routing loops or unreachable destinations don’t go unnoticed. In addition to facilitating important network operations such as traceroute and ping, it also powers tools that make up the digital toolkit of today’s IT administrators. ICMP works at the Network layer (Layer 3 of the OSI model) and communicates directly with IP, identifying issues that arise during packet processing and relaying them to appropriate devices. As a result, it’s crucial to network health and performance—as well as the effectiveness of tools that help administrators troubleshoot issues.
Each ICMP packet has 20 bytes of standard IP header—but that doesn’t mean it’s loaded with valuable information. Most tools strip out this information, including a checksum, the source IP address, destination IP address, and Time To Live (TTL) expiration. After this, ICMP contains a data block that can vary in size and purpose. In this section, attackers can use ICMP to do all sorts of malicious shenanigans, from sending small bits of code to establishing an SSH reverse shell. ICMP can be weaponized in various attacks, making it vital to securing your network.
The Internet Control Message Protocol may seem intricate, but its core functions are relatively simple. It acts as the network’s feedback mechanism, ensuring that errors during packet processing don’t go unnoticed. It also provides valuable insights into the state of the network environment, such as when it’s suffering from a routing loop, an unreachable host, or other issues. Unlike TCP and UDP, ICMP doesn’t operate on ports but differentiates messages using type and code fields in the header. Besides the standard 20 bytes of IP header, each ICMP packet has an 8-bit ICMP type and code field and a 6-bit checksum. While the ICMP header is useful for some network security tools, most of the value lies in the ICMP payload, so you should focus on that when looking at ICMP traffic.
For example, a network device that sends more ICMP source quench messages than usual could indicate that it’s using ICMP to tunnel a malicious packet. That can lead to attacks like ping scans or a DDoS. To prevent these attacks, firewalls and IDS solutions should monitor ICMP for unexpectedly large volumes or non-standard ICMP datagram sizes. They can then block inbound and outbound ICMP traffic to minimize the attack surface.