ICMP is used in traceroute and ping to help diagnose and troubleshoot network performance. But if improperly configured, ICMP can also hurt network devices by overwhelming them with unwanted traffic. ICMP is a network layer protocol from the OSI model that provides control and error reporting services. Each ICMP message has an IP header that encapsulates a variable-sized data section.
The ICMP protocol is part of the Internet Layer, meaning it doesn’t exist inside data-carrying IP packets. Instead, it carries its information, operating at a different level than network devices. When a device sends data to another, the ICMP protocol communicates between the two, notifying the transmitting device when there is an issue with the transfer. For example, suppose a router discovers that an incoming IP datagram is too large to fit in its MTU size. In that case, it will discard the message and send back an ICMP error message of type 3 (destination unreachable) subtype 4 to inform the transmitting device of the error.
ICMP also works with routing to optimize paths for data packets. For instance, routers can use ICMP to notify hosts of a better first hop (intermediate device) for them.
It’s also used by attackers in DDoS attacks such as the Smurf attack and the ping of death, in which they use the protocol to inundate the target with unsolicited ICMP packets. As a result, organizations must keep an eye on their firewall settings and ensure that all ICMP communication is properly configured to prevent this type of malicious activity. In addition, ICMP can be used as a layer 2 DDoS attack by exploiting the way networking equipment responds to unsolicited ICMP packets with fake source IP addresses.
Error Detection on ICMP Protocol
The OSI model’s network layer is where ICMP, or Internet Control Protocol, operates. Conversely, TCP necessitates an active connection between devices before data can be sent, whereas ICMP IS A CONNECTIONLESS PROTOCOL. It means that ICMP packets do not include port numbers but have their unique header containing various information about the message and the type of error it reports. The primary function of ICMP is error reporting.
The ICMP protocol detects problems in the path of a data packet, allowing device managers to find out what went wrong and how to fix it. For example, if the destination device is unreachable, ICMP will report this using a Destination Unreachable error message. Similarly, if a router experiences congestion and slows down data transmission, it will send a Source Quench message to the packet’s sender.
Other common uses of ICMP are for diagnostics and for assessing network performance. For instance, a command line utility called traceroute is built on top of ICMP to determine the routing path between two networked devices. It does this by relying on ICMP messages to report back the physical way of connected routers that a packet of data takes to get from one device to another. It also reports how long it took for the packet to travel each step, which is useful for determining sources of network delays.
One of ICMP’s most useful functions is to perform network diagnostics. The commonly used terminal utilities traceroute, and ping use ICMP to display the routing path between two Internet devices. The traceroute command also reports the time it took data to travel through each router along the way, which can help you identify sources of network delay.
Each ICMP packet contains up to 576 bytes of data, an identifier for the sending device, and an ICMP header that includes error-indicating information. The data section can be padded with zeros to reach the maximum data size allowed by IP, and it may contain control messages identified in an ICMP type field and code field.
In the past, the variable length of an ICMP packet’s data section was exploited to create covert channels for communication. This older attack is known as the “Ping of death” because an attacker sends an oversized packet to its target, causing the recipient device to overflow its buffers and crash or freeze.
Traceroute, ping, and similar utilities use the Time to Live (TTL) value in ICMP packets to determine the route between a source and its destination. When TTL approaches 0, the router drops the packet and sends an ICMP Time Exceeded message back to the source. Each router that the packets transit through decrements TTL as the packets move through it. The source can then use the discarded packet’s TTL value to calculate how long the packet was in flight.
Ping, named for the sound of a returned sonar pulse, is a common tool for testing network connectivity. It sends Internet Control Message Protocol (ICMP) echo request messages to a host. It waits for the host’s ICMP echo reply message, indicating whether network connectivity is good. This round-trip time measurement helps administrators diagnose network latency and performance problems. In addition to error detection, ICMP provides query messages about the current status of a packet’s journey through a router or other intermediary devices.
For example, an ICMP parameter problem message may be generated when the calculated checksum of the data at the destination device does not match the original checksum sent by the source device. An ICMP query message will include the source device’s IP address and a timestamp identifying when the request-reply pair was created. In the past, misuse of ping was one of the primary reasons for DDoS attacks.
These attacks involved sending a rapid series of ping queries to a host to consume the available bandwidth on the host’s network connection. However, updates to the ping protocol mitigated this risk, and modern firewalls are designed to detect and prevent ICMP misuse. They can filter ICMP traffic to limit the number of ping requests they allow and even block all ICMP traffic.