What Is ICMP (Internet Control Message Protocol)?

When network devices, such as routers, can’t deliver a packet to its intended destination, they return an error message to the source device. The router relies on Internet Control Message Protocol to communicate problems with data transmission. In this article, learn what ICMP is, how it works, and what it's used for.

What is ICMP? 

ICMP (Internet Control Message Protocol) is a network layer protocol primarily used for error-reporting and diagnostic purposes within networked systems. Network devices like routers use ICMP to send error messages and operational status regarding the network’s conditions. 

Network equipment generates ICMP messages in response to errors such as destination unreachable, routing loops, and parameter problems. For instance, when a router cannot forward a packet, it uses ICMP to send a Destination Unreachable message to the original source IP address, informing the sender of the problem.

The ICMP protocol is essential for communication.

Ideally, the IP protocol is designed to be simple and efficient. It provides best-effort services to get packets from the source to the destination. However, IP doesn't guarantee delivery, order, or that the data will arrive intact.

Because IP doesn’t have a built-in error-reporting mechanism, errors that arise during packet transmission would otherwise go unreported. IP depends on Internet Control Message Protocol to provide error control. ICMP enables hosts and devices to report errors and exceptions to upper-layer protocols when packet transmission fails on the network.

ICMP shares information through specific message types, each with a unique code indicating the exact nature of the problem. Any IP network device can send, receive, or process Internet Control Message Protocol messages.

Another point to note is that Internet Control Message Protocol works in the network layer (Layer 3) of the OSI model. This is the layer responsible for transmitting data packets from its source to its destination. You’ll find devices that are responsible for data packet routing and forwarding in this layer, the router being a primary example.

Some common uses of ICMP by network administrators include ping, traceroute, and path Maximum Transmission Unit (MTU) discovery. 

How does ICMP work?

Internet Control Message Protocol (ICMP) is an integral part of the Internet Protocol (IP) suite, as defined in RFC 792. However, ICMP isn’t a transport protocol for exchanging data between systems. It does not associate with transport protocols such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

Unlike TCP, ICMP is connectionless, meaning it does not require a pre-established connection between the communicating devices. Devices can send messages directly without a handshake process.

ICMP can help solve network traffic issues over the Internet. Here’s how it works.

ICMP messages are encapsulated within IP packets

ICMP messages are encapsulated in IP packets just like any other network traffic. The Internet Control Message Protocol message, including its header and any data it carries, is placed in the payload section of the IP packet.

The ICMP message type is identified

A type field in the ICMP header identifies the kind of message being sent. Many ICMP message types exist, including Echo-Request, Echo-Reply, Time Exceeded, Destination Unreachable, and Redirect.

ICMP message processing occurs

When a network device receives an IP packet with an Internet Control Message Protocol message, it examines, processes, and acts upon the message based on its type. If the source device sends an ICMP Echo Request message to the destination device, and the latter is reachable, then it responds with an ICMP Echo Reply message.

Error reporting occurs

ICMP's core strength lies in its ability to report errors to a packet's source IP address. For example, suppose a router cannot forward a packet because the destination is unreachable. In that case, it sends an ICMP Destination Unreachable message back to the packet's source, indicating that a gateway to the Internet isn’t available for data delivery. 

Diagnostic tools leverage Internet Control Message Protocol to probe the network

They gather information about a packet's path (traceroute) and test the responsiveness of remote hosts (ping).

With the transition to IPv6, ICMP has evolved into ICMPv6, which introduces new message types and functionalities tailored to the needs of the newer protocol.

Internet Control Message Protocol parameters

Each message contains the complete IP packet header where several key parameters exist. The role of parameters within the ICMP header is to facilitate detailed error reporting regarding an IP packet.

In essence, Internet Control Message Protocol parameters act as a language that network devices use to report the status of packets. This information is powerful for network management. Network engineers rely on ICMP parameters to monitor network performance, detect potential issues, and optimize network configurations.

The format of the ICMP packet may look like this:

Type (8 bits) | Code (8 bits) | Checksum (16 bits)
Pointer (32 bits)
Data/Payload

The first 32 bits of an ICMP message header contain three fixed fields or parameters. They include type, code, and checksum.

Type

The first 8 bits represent the type of the message sent. Different values represent different types of messages, such as:

  • Type 0: Echo reply 
  • Type 3: Destination unreachable
  • Type 8: Echo request
  • Type 12: Parameter problem 

By identifying the message type, devices at the network layer can determine how to handle it and extract relevant information from it. 

Code

The next 8-bit field provides further details about the nature of the specific Internet Control Message Protocol message type. It helps pinpoint the exact reason for an error or the reported condition. For example, a Destination Unreachable message could have codes like:

  • Code 0: Network Unreachable
  • Code 1: Host Unreachable
  • Code 3: Port Unreachable

This granularity in error reporting allows for better troubleshooting.

Checksum

The last 16 bits of this first 32-bit word hold the checksum, which error-checks the message's ICMP header and data sections. The parameter ensures the integrity of the ICMP message during transmission. It's a calculated value based on the message's contents.

The receiving device recalculates the checksum and compares it to the value in the header. A mismatch indicates a corrupted message, prompting the device to discard it.

The next 32-bit portion of the Internet Control Message Protocol header is the pointer. It varies depending on the specific message type and code. To illustrate, an Echo Request/Reply message contains an Identifier and sequence number, while a Destination Unreachable message includes a portion of the original IP header that caused the problem.

The pointer indicates the byte offset within the original IP header where the error exists. It is mostly relevant in some ICMP error messages, particularly the Parameter Problem message (Type 12).

The final part of the header is the data. This section contains the actual payload of the Internet Control Message Protocol message, which varies. The size limit is typically 576 bytes for IPv4 and 1280 bytes for IPv6, including headers. 
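The header layout and checksum check described above, as an added Python example that is not code from the original article. It assumes the IP header has already been removed; the function names are illustrative and the sample message is constructed.

```python
import struct

# Names for the type and code values listed in the article.
TYPES = {0: "Echo reply", 3: "Destination unreachable",
         8: "Echo request", 12: "Parameter problem"}
UNREACH_CODES = {0: "Network Unreachable", 1: "Host Unreachable", 3: "Port Unreachable"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones' complement of the ones' complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a Type 8 message; the checksum is computed with its field zeroed."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Parse an ICMPv4 message (IP header already removed) and verify it."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    mtype, code, _csum, rest = struct.unpack("!BBH4s", message[:8])
    info = {
        "type": mtype,
        "type_name": TYPES.get(mtype, "other"),
        "code": code,
        # Summing the whole message, checksum included, yields 0 when intact.
        "checksum_ok": internet_checksum(message) == 0,
    }
    if mtype in (0, 8):                      # Echo: identifier and sequence number
        info["identifier"], info["sequence"] = struct.unpack("!HH", rest)
    elif mtype == 3:
        info["code_name"] = UNREACH_CODES.get(code, "other")
    elif mtype == 12:                        # RFC 792: pointer is the first octet
        info["pointer"] = rest[0]
    return info


# Constructed sample: a valid request, then the same bytes with one bit flipped.
good = build_echo_request(0x1234, 1, b"constructed-payload")
bad = good[:-1] + bytes([good[-1] ^ 0x01])
```

A receiver that sees `checksum_ok` set to false, as for `bad`, discards the message.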

Types of ICMP messages 

ICMP messages are sent in a variety of error-reporting contexts. They are not used to transport data back and forth in a network but are essential for a smooth network environment, maintaining network connections, and troubleshooting. 

Common types of Internet Control Message Protocol messages are as follows.

  • Echo request and Echo reply. The ping command uses them to test connectivity. The Echo request message goes to a host. If the host is reachable, it responds with an Echo reply.
  • Destination unreachable. It shows that a packet could not be delivered to its destination. The code field provides additional detail, such as whether the network, host, protocol, or port is unreachable.
  • Time exceeded message (TTL expired). Used by the traceroute command, it indicates that a packet's Time to Live (TTL) value has reached zero, meaning the packet has traversed too many routers without reaching its destination.
  • Source quench message. In the past, routers could use ICMP Source Quench messages to ask the sender to slow down the transmission rate due to congestion. However, modern networks rarely use it.
  • Redirect. A redirect informs a host to use a different gateway for a specific destination to optimize the routing path.
  • Parameter problem. If a device detects an issue with the IP packet header, like invalid options or an incorrect checksum, it sends an ICMP Parameter problem message.

What is ICMP used for? 

IP networks primarily use Internet Control Message Protocol for network traffic analysis. The following are the uses of Internet Control Message Protocol:

  1. Ping: The ping utility employs ICMP Echo Request and Echo Reply messages to check network connections and calculate the time delay or latency between two hosts.
  2. Traceroute: The traceroute utility uses ICMP Time Exceeded messages to map the path packets take between two hosts. Each router along the path responds with an ICMP Time Exceeded message, indicating that the TTL has expired.
  3. Path MTU discovery: Internet Control Message Protocol messages help discover the Maximum Transmission Unit (MTU) size that a system can use for a particular path between two hosts. This helps prevent fragmentation and ensures that packets can arrive efficiently.
  4. Network error reporting: ICMP messages are generated by network devices to report errors, such as when a packet cannot be delivered to its destination or when a router needs to alert that it is experiencing congestion.
  5. Network management: Internet Control Message Protocol messages can help with network management tasks, such as ping sweeps to identify active hosts on a network and ping flooding to test the resilience of network devices to large amounts of ICMP traffic.

Which network devices and systems use Internet Control Message Protocol? 

Various key devices and systems that use ICMP include:

  • Routers. Routers extensively use ICMP to send error messages and to provide network diagnostics.
  • Hosts (computers and servers). End devices utilize ICMP for tools like ping and traceroute to test connectivity and trace packets' paths through the network.
  • Network switches. Switches can have ICMP for network management, although they primarily operate at the data link layer.
  • Firewalls. Firewalls can generate ICMP messages to inform hosts about blocked traffic or restricted access. They might also use the protocol to monitor and manage network traffic flow.
  • Network Management Systems (NMS). ICMP messages enable these systems to monitor network health, perform diagnostics, and alert administrators to issues within the network.
  • Load balancers. Load balancers may also interact with ICMP to check the responsiveness of servers and distribute traffic effectively.

ICMP is a network-layer protocol, so it operates at a lower level than application-layer protocols like HTTP or FTP. This allows it to provide valuable information about the underlying network infrastructure.

How is ICMP used in DDoS attacks?

ICMP messages are not always reliable, as they can be lost in congested networks. Cybercriminals also use ICMP to execute DDoS attacks. They may do so in the following ways.

ICMP flood attack

An ICMP flood attack is when the attacker overwhelms the target with a massive volume of Internet Control Message Protocol Echo Request packets. The target must process and respond to each request, consuming its resources (such as CPU and bandwidth) and potentially making it unresponsive to legitimate traffic.

Ping of death (PoD) attack

In a ping of death attack, attackers send oversized ping packets to the target. Network equipment might not handle these oversized packets correctly, leading to crashes, freezes, or buffer overflows.

While PoD attacks were a significant threat in the past, most modern systems patch against this vulnerability. However, some legacy devices might still be susceptible.

Smurf attack

Here, the threat actor sends an ICMP Echo request to a broadcast address with a spoofed source IP address of the intended victim. The network amplifies the attack by sending Echo Replies to the spoofed IP, overwhelming the victim with traffic.

The past year has seen a rise in ICMP-based DDoS attacks and greater tactical diversity from cybercriminals.
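Detection logic for the three patterns described above, as an added Python example that is not part of the original article. The record layout, the per-second threshold, and the monitored subnet are assumptions, and the traffic is constructed.

```python
import ipaddress
from collections import Counter

MAX_IP_DATAGRAM = 65535      # largest legal IPv4 datagram, in bytes
FLOOD_THRESHOLD = 100        # assumed limit: Echo Requests per destination per second
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local subnet


def detect(packets):
    """Return a sorted list of (alert, address) pairs for ICMP packet records.

    Each record is a dict with keys ts, src, dst, icmp_type, frag_offset
    (bytes) and length (bytes in this fragment); the layout is hypothetical.
    """
    alerts = set()
    per_second = Counter()
    broadcast = str(MONITORED_NET.broadcast_address)
    for p in packets:
        # Ping of death: the fragment would end past the maximum datagram size.
        if p["frag_offset"] + p["length"] > MAX_IP_DATAGRAM:
            alerts.add(("oversized-datagram", p["src"]))
        if p["icmp_type"] != 8:
            continue
        # Smurf: Echo Request aimed at the subnet's broadcast address; the
        # source field holds the victim, so report it as the likely target.
        if p["dst"] == broadcast:
            alerts.add(("broadcast-echo-request", p["src"]))
        # Flood: count Echo Requests per destination in one-second buckets.
        bucket = (p["dst"], int(p["ts"]))
        per_second[bucket] += 1
        if per_second[bucket] > FLOOD_THRESHOLD:
            alerts.add(("echo-flood", p["dst"]))
    return sorted(alerts)


def sample_traffic():
    """Constructed records: normal pings plus one instance of each pattern."""
    def rec(ts, src, dst, icmp_type=8, frag_offset=0, length=64):
        return dict(ts=ts, src=src, dst=dst, icmp_type=icmp_type,
                    frag_offset=frag_offset, length=length)
    pkts = [rec(0.1 * i, "192.0.2.10", "192.0.2.20") for i in range(20)]
    pkts += [rec(5.0 + i / 1000, "198.51.100.7", "192.0.2.30") for i in range(150)]
    pkts.append(rec(7.0, "203.0.113.5", "192.0.2.40", None, 65528, 1000))
    pkts.append(rec(8.0, "192.0.2.50", "192.0.2.255"))
    return pkts
```

The ordinary pings in the sample (ten per second) raise no alert; tune `FLOOD_THRESHOLD` to the baseline of the network being monitored.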

Frequently asked questions

Is Internet Control Message Protocol the same as ping?

ICMP protocol and ping aren’t the same thing, but they are related. Internet Control Message Protocol is a protocol that generates messages between network devices while ping uses Internet Control Message Protocol messages to check network connectivity.

What is the role of ICMP in IPv6?

ICMPv6 handles error reporting, Neighbor Discovery (like ARP in IPv4), multicast management, and device configuration.

What is an ICMP message?

An ICMP message is a type of network packet used by network devices to communicate control and error information.

What is the ICMP port?

The port for ICMP is technically nonexistent, as the protocol does not use ports like other protocols such as TCP or UDP.

Author

Written by Lizzy Schinkel & WhatIsMyIP.com® Editorial Contributors


Reviewer

Technically Reviewed by Brian Gilbert
