Internet Control Message Protocol (ICMP): An Easy Guide

Updated on Feb 5, 2026 by Andrea Miliani

If you’re having an issue with your router, computer, or another device on your network, you’ll probably need to use the Internet Control Message Protocol (ICMP) for troubleshooting. This protocol helps network administrators and engineers diagnose problems and better understand how network communications work. 

In this guide, you’ll find everything you need to know about ICMP, from its definition to how it works, its benefits and risks, and how malicious actors use it in DDoS attacks. 

What is Internet Control Message Protocol (ICMP)?

ICMP is a support protocol that computers and devices within a network use to communicate and share operational information. It’s mainly used for troubleshooting and network management, not for transferring user data.

For example, if an IP data packet gets lost, a router becomes overloaded (like during a DDoS attack), or a host is unavailable, the devices involved will send ICMP messages. These messages help network engineers, automated systems, and monitoring tools identify the issue and take action.

This protocol isn’t new. It was introduced in 1981 in RFC 792 as part of the IP protocol suite, to report errors and provide feedback about the communication environment. To do this, the designers defined a set of core control messages that devices can generate depending on the situation or problem they encounter.

In the past few years, ICMP has been updated and expanded. It was originally used only on IPv4 networks, but it was later adapted for the IPv6 system as well. It now includes more message types than it did back then, and remains an essential tool for network monitoring and management.

How Does ICMP Work?

To report an issue or share an update, ICMP relies on datagrams – self-contained packets of data – rather than connections. This means a device can issue an ICMP message without first establishing a stable connection with the device it is talking to.

When you connect to the internet and try to browse a website, but your traffic doesn’t reach the intended host, the devices involved in this connection may trigger the ICMP protocol. You might just see a message like “This site can’t be reached,” but behind the scenes, a lot more is happening.

One of the devices involved, such as your router, will generate an ICMP message and return it as a datagram. The message will describe the issue using specific codes and phrases such as “Time Exceeded” or “Destination Unreachable.” Sometimes, the datagram also includes part of the original IP data packet so that the sender can better understand what went wrong.

Once the sender receives the ICMP message, it analyzes the feedback and takes action based on the information provided.

Anatomy of an ICMP Packet

An ICMP packet is a relatively simple structure carried inside an IP packet. It consists of a header made up of fixed-size fields, followed by an optional data section.

The first 32 bits of an ICMP packet make up the main header layer. This section contains three informational fields divided into octets, which are 8-bit segments:

  • Type: The first octet explains the purpose of the message and the type of issue being reported. For example, it might show an unreachable destination, an echo request, or a reply.
  • Code: The following octet offers additional details about the error or message type.
  • Checksum: The remaining two octets – 16 bits – are used to verify the integrity of the ICMP message.

Below that first layer is the rest of the header, also with 32 bits. Depending on the message type, this section can include different kinds of information, such as identifiers or sequence numbers for echo requests or replies.

The final layer is the message body. This optional data section can vary significantly in length and often includes a portion of the original IP packet, such as the IP header, to help identify what triggered the message.

Common Control Messages

There are multiple ICMP message types, but they usually fall into one of two categories: query messages or error-reporting messages.

The different message types have been categorized and assigned a specific number. The most common ones are:

  • Destination unreachable (Type 3): This message is shown when a packet can’t be delivered for several reasons, such as an unreachable host, port, or network. It’s commonly used to diagnose routing and connectivity issues.
  • Time exceeded (Type 11): This message is sent when a packet takes too long to reach its destination or when its Time To Live (TTL) value reaches zero.
  • Echo Request (Type 8) and Echo Reply (Type 0): These messages are used to measure round-trip time and test reachability, most commonly during ping tests.
  • Parameter Problem (Type 12): This message is sent when a packet contains an incorrect value or hasn’t been properly structured, such as when there’s an error in the IP header.
  • Redirect Message (Type 5): This informs a host about a better route for a specific destination, such as a shorter or more efficient path.
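To make the header layout and the type numbers above concrete, here is a small parser and builder written for this guide (it is not code from the page’s author or from any ICMP tool). It packs the Type, Code and Checksum octets, computes the RFC 1071 one’s-complement checksum, and for error messages pulls the source and destination addresses out of the embedded original IP header. The address bytes in the docstrings are constructed examples.

```python
import struct

# Names for the ICMP types discussed in this guide (RFC 792 numbering).
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    5: "Redirect",
    8: "Echo Request",
    11: "Time Exceeded",
    12: "Parameter Problem",
}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build a Type 8 / Code 0 message; checksum is computed with the field zeroed."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify its checksum (sum over a valid packet is 0)."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _csum, rest = struct.unpack("!BBH4s", packet[:8])
    info = {
        "type": msg_type,
        "name": ICMP_TYPES.get(msg_type, "Unknown"),
        "code": code,
        "checksum_ok": icmp_checksum(packet) == 0,
    }
    if msg_type in (0, 8):                  # second header row = identifier, sequence
        info["id"], info["seq"] = struct.unpack("!HH", rest)
    elif msg_type in (3, 11, 12) and len(packet) >= 28:
        # Error messages carry the offending IP header; its src/dst tell you which flow failed.
        ip_hdr = packet[8:28]
        info["orig_src"] = ".".join(str(b) for b in ip_hdr[12:16])
        info["orig_dst"] = ".".join(str(b) for b in ip_hdr[16:20])
    return info
```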

Common ICMP Utilities

ICMP is commonly used for testing and diagnosis, mostly through two popular tools: Traceroute and Ping. These command-line utilities work in different ways and serve different purposes.

  • Traceroute helps network managers understand routing paths. It shows the logical network path (IP-layer hops) between two devices by mapping each router hop and its response time. It does this by sending probes with increasing TTL values, so each router along the path returns an ICMP “Time Exceeded” message when the TTL runs out; those replies reveal the path and where delays or packet loss occur.
  • Ping reports on latency and reachability. This tool sends pings, or ICMP Echo Request messages, and waits for Echo Reply messages in return to test reachability. Using ping, network administrators can see how long it takes to reach a host, whether the host is reachable at all, and whether packets are being lost. 

Both utilities help network managers and users determine whether a destination is reachable, how long it takes to get there, and which route the traffic follows. However, these same tools can also be abused by malicious actors.

How ICMP is Used in DDoS Attacks

Because ICMP is so useful for network troubleshooting and is an essential part of how most devices communicate, malicious actors have found ways to abuse it for cyberattacks.

There are several ways attackers can launch DDoS attacks to overwhelm a victim’s device, router, or entire network. The most common ones include:

ICMP Ping Flood Attack

With this technique, malicious actors send a large number of ICMP Echo Request messages to a target device. The device becomes overwhelmed and can’t keep up with the volume of requests. The result is a denial of service: the device exhausts its computing resources trying to process the attacker’s echo requests instead of responding to legitimate traffic.

Ping of Death Attack

In this type of attack, criminals send ICMP packets larger than the maximum transmission unit (MTU). Because the packet is larger than the MTU, the IP layer fragments it and sends the pieces separately. When the targeted device reassembles the fragments, the resulting packet exceeds the maximum allowed size, which can cause the device to freeze or crash. Fortunately, most modern devices are protected against this attack by default.

Smurf Attack 

In a Smurf attack, malicious actors send ICMP Echo Request messages to a network’s broadcast address with the source IP address spoofed to be the victim’s. Every device on that network replies, flooding the victim with a large number of ICMP Echo Reply packets. Modern networks disable directed broadcasts, which prevents this type of attack.
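From the defender’s side, both the Ping Flood and the Smurf attack described above leave a recognisable signature in per-second ICMP counters. The following detector is an added example written for this guide, not code from the page’s author; it assumes a constructed flow-log format of “timestamp src dst icmp_type” per line, and the thresholds are illustrative, not tuned values.

```python
from collections import defaultdict

FLOOD_RPS = 100       # echo requests per second to one host before flagging (illustrative)
REFLECT_SOURCES = 20  # distinct hosts replying to one host in a second before flagging

def parse_line(line: str):
    """Constructed log format: '<unix_ts> <src> <dst> <icmp_type>'."""
    ts, src, dst, icmp_type = line.split()
    return int(float(ts)), src, dst, int(icmp_type)

def detect_icmp_abuse(lines):
    """Return (second, dst, kind, count) findings for flood and reflection patterns."""
    requests = defaultdict(int)        # (sec, dst) -> Echo Requests received
    reply_sources = defaultdict(set)   # (sec, dst) -> distinct hosts sending Echo Replies
    sent_requests = defaultdict(int)   # (sec, src) -> Echo Requests that host sent itself
    for line in lines:
        if not line.strip():
            continue
        sec, src, dst, icmp_type = parse_line(line)
        if icmp_type == 8:
            requests[(sec, dst)] += 1
            sent_requests[(sec, src)] += 1
        elif icmp_type == 0:
            reply_sources[(sec, dst)].add(src)
    findings = []
    for (sec, dst), n in sorted(requests.items()):
        if n >= FLOOD_RPS:
            findings.append((sec, dst, "ping_flood", n))
    for (sec, dst), srcs in sorted(reply_sources.items()):
        # Replies from many hosts that this host never asked for is the Smurf victim signature.
        if len(srcs) >= REFLECT_SOURCES and sent_requests.get((sec, dst), 0) < len(srcs) // 2:
            findings.append((sec, dst, "smurf_reflection", len(srcs)))
    return findings

def make_sample_log():
    """Constructed traffic: one normal ping pair, a flood at 192.0.2.10, reflection at 192.0.2.20."""
    lines = ["1700000000.0 192.0.2.5 192.0.2.6 8", "1700000000.1 192.0.2.6 192.0.2.5 0"]
    lines += [f"1700000001.{i % 10} 203.0.113.{i % 250 + 1} 192.0.2.10 8" for i in range(150)]
    lines += [f"1700000002.{i % 10} 198.51.100.{i + 1} 192.0.2.20 0" for i in range(40)]
    return lines
```

Running `detect_icmp_abuse(make_sample_log())` flags the flood second and the reflection second while leaving the ordinary request/reply pair alone.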

Benefits of ICMP

Despite its advanced years, ICMP remains essential to modern network infrastructure. Here’s why it continues to provide value:

  • Faster troubleshooting and reduced downtime: ICMP’s error messages pinpoint the exact location of failures, allowing network admins to identify and resolve connectivity issues in seconds rather than hours.
  • Built into every internet-connected device: Unlike proprietary monitoring tools that require installation and configuration, ICMP is universally supported. This means you can troubleshoot network issues across different networks and devices using the same simple commands.
  • Minimal network overhead: ICMP messages typically consume a negligible amount of network bandwidth, making it an efficient choice for continuous monitoring without impacting performance.

Risks of ICMP

While ICMP is essential for network management, its original design didn’t prioritize security. This creates several vulnerabilities that network administrators should understand:

  • Enables network reconnaissance: Attackers can use ICMP to map your network topology, identify active hosts, and discover which services are running. This reconnaissance often precedes targeted attacks. 
  • Provides no authentication or encryption: ICMP messages can be spoofed, meaning attackers can send fake error messages to disrupt communications or redirect traffic. There’s no built-in way to verify whether an ICMP message is legitimate.
  • Creates operational trade-offs: Because ICMP underpins common diagnostic tools, disabling it outright can limit visibility into network issues. This makes it difficult to eliminate entirely, even in security-sensitive environments.

ICMP and Security

Due to the cybersecurity risks in the ICMP protocol, network administrators and users have implemented multiple strategies and systems to defend against DDoS attacks. As a result, most of the ICMP-based attacks have been mitigated, although certain networks and outdated devices can still be vulnerable if proper protections aren’t in place.

Many ISPs take active steps to reduce these risks by filtering traffic and deploying intrusion detection and prevention systems. Still, security is a shared responsibility. Network administrators may choose to limit or disable ICMP traffic and enable it only when it’s needed for troubleshooting. Users can also rely on VPN services to reduce exposure by masking their real IP address and encrypting network traffic, which helps protect personal data from being stolen during an attack.

FAQ

What is Internet Control Message Protocol (ICMP)?

The Internet Control Message Protocol (ICMP) is a support system that operates within the IP protocol suite to detect network issues and report status information. It works by sending control messages between the devices involved in a network connection.

What is the purpose of the Internet Control Message Protocol?

The main purpose of the ICMP is to communicate network error messages and other diagnostic information. Since its inception in 1981, it’s been adapted to modern networks and devices, and it’s still widely used for network troubleshooting and diagnosis.

How does ICMP work in network communication?

ICMP works by carrying status and error information in ICMP packets, which helps network managers, monitoring tools, and users detect issues and learn how the network is performing. Usually, network administrators rely on command-line tools such as traceroute and ping to get this feedback. In other situations, devices and monitoring systems handle ICMP messages automatically without user involvement.

What is the difference between ICMP and IMAP (Internet Message Access Protocol)?

IMAP and ICMP are completely different protocols with different purposes. ICMP is used for network troubleshooting and error reporting as a support protocol for the IP system, while IMAP is used to retrieve and manage email messages from your email services from anywhere in the world and from different devices. 

Can VPNs block or manage ICMP traffic for security reasons?

Yes, some VPNs can be used as a security measure against ICMP-based attacks, including DDoS attacks. Although VPNs usually don’t block these attacks or ICMP traffic, they can protect you by masking your real IP address and absorbing the brunt of any incoming attack.