
What is ICMP (Internet Control Message Protocol)?

Author : PyNet Labs
Last Modified: January 29, 2024 

Introduction

The Internet is a web of interconnected devices that communicate using protocols. One of them is the Internet Control Message Protocol (ICMP), which network devices use to report delivery problems and to diagnose connectivity. ICMP is how a host learns whether its packets are reaching their destination and, if they are not, why. Routers and hosts alike generate and consume ICMP messages. In this blog, we focus on what ICMP is, its history, what it is used for and how it works, and finally on how ICMP is abused in DDoS attacks.

Let’s first understand what ICMP is.

What is ICMP Protocol?

ICMP, the Internet Control Message Protocol, is a network-layer protocol that is carried inside IP. IP handles the delivery of packets between sources and destinations; ICMP carries the control and error messages that IP itself has no room for. For instance, if a router encounters a problem while forwarding an IP packet, it can use ICMP to send an error message back to the source host. Similarly, if a host wants to test connectivity or measure latency to another host, it can send an ICMP echo request and wait for the echo reply.

Figure: ICMP message format: Type, Code and Checksum, followed by the rest of the header and the data section.

ICMP messages are enclosed within IP datagrams: an IP header followed by an ICMP header and its data. The first two fields of the ICMP header are the type and the code. The type identifies the purpose of the message (echo request, echo reply, destination unreachable, time exceeded). The code refines the type, for example by giving the reason for an error (network unreachable versus port unreachable) or the subtype of a query. A checksum over the whole ICMP message follows, and the meaning of the remaining header bytes depends on the type.

Now that we have a basic understanding of ICMP protocol, let’s discuss its history.

History of ICMP

ICMP was introduced in 1981 as part of the TCP/IP suite and is defined in RFC 792. Its purpose was to provide feedback about communication problems and to support diagnostic tools such as ping and traceroute. It was designed for IPv4, the fourth version of IP. A new version, ICMPv6, arrived with IPv6: it was first specified in RFC 2463, published in 1998 alongside the IPv6 specification, and is now defined by RFC 4443. ICMPv6 uses its own set of message types and codes, and it is far more central to IPv6 than ICMPv4 is to IPv4: Neighbor Discovery (the replacement for ARP), Path MTU Discovery through the Packet Too Big message, and Multicast Listener Discovery all run over ICMPv6, so filtering ICMPv6 wholesale breaks IPv6 connectivity. Like any other IPv6 traffic, its messages can be protected with IPsec.

What is ICMP used for?

ICMP serves two purposes in computer networks: error reporting and querying.

Error reporting is used to notify hosts or routers about problems that arise while IP packets are in transit. For instance, if a router has no route to the intended destination, it can send an ICMP Destination Unreachable message back to the source host. The source host then knows about the problem and can stop sending or try another route.

Querying, on the other hand, is used to request or provide information about the status of hosts or routers. Say a host wants to measure the round-trip time or the hop count to another host: it sends an ICMP echo request and waits for the matching echo reply. This lets the host measure latency and, by sending probes with increasing TTL values and collecting the Time Exceeded messages that come back, trace the route to the destination.

By providing this feedback and diagnostic capability, ICMP compensates for limitations of IP. IP itself has no built-in way to send error or control messages, because it is a best-effort service with no reliability or congestion-control mechanism of its own. ICMP lets network devices report errors, answer queries and signal congestion without relying on higher-layer protocols such as TCP or UDP.

Types of ICMP Messages

Here are the various types of ICMP Protocol messages –

  • Query messages: a device asks another host or router a question and expects an answer. The echo request and echo reply pair (types 8 and 0) used by ping is the main one still in use; timestamp request and reply (types 13 and 14) also exist, while the older information request and address mask request messages are obsolete.
  • Error-reporting messages: a router or host that cannot process an IP packet reports the problem back to the packet's source. Every ICMP error message quotes the IP header and at least the first 8 bytes of the offending datagram, so the source can match the error to the connection or socket that sent it.
  • Source Quench (type 4): a request that the source slow down because a router or the destination is congested. It is deprecated (RFC 6633) and modern stacks ignore it.
  • Time Exceeded (type 11): sent when a router decrements a datagram's Time To Live to zero and discards it (code 0), or when a host gives up waiting for the remaining fragments of a datagram it is reassembling (code 1). traceroute relies on the code 0 messages to discover each hop on the path.
  • Fragmentation Required (type 3, code 4): sent when a datagram with the Don't Fragment (DF) bit set is larger than the MTU of the next hop, so the router cannot fragment it and has to drop it. The message carries the next-hop MTU, which Path MTU Discovery uses to choose a smaller packet size.
  • Destination Unreachable (type 3): the network, host, protocol or port named in the IP packet cannot be reached, for example because the destination host is down, an intermediate router has no route, or a firewall administratively rejects the traffic (code 13).
  • Redirect (type 5): a router tells a host on the same link that a better first hop exists for a particular destination, so that the host sends later packets directly to the better router.
Figure: ICMP message types grouped into the two categories, error-reporting messages and query messages.

Let’s move on to understand the working of ICMP.

How does the ICMP Protocol work?

ICMP operates by exchanging messages between network devices inside IP datagrams. An ICMP message comprises an IP header followed by an ICMP header and data. The IP header contains the source and destination addresses, the protocol number (1 for ICMP; ICMPv6 uses Next Header value 58) and the IP header checksum. The ICMP header holds the message type, the code, its own checksum and, depending on the type, an identifier and sequence number. The data section carries content that depends on the type and code of the message.

When a network device sends an ICMP message, it packages it within an IP datagram and forwards it to the destination address in the IP header. A device that receives an ICMP message extracts it from the IP datagram and checks the type and code fields in the ICMP header. Based on these values it takes the appropriate action, such as answering an echo request, notifying the socket whose packet caused an error, or updating its routing information.

Figure: how ICMP works: a host sends an echo request to a server and the server returns an echo reply.

The most common ICMP messages are the echo request and echo reply, which are what the ping utility uses. An echo request asks the destination to send something back; an echo reply is the destination's confirmation that it received the request. The reply carries the same identifier, sequence number and payload as the request, which is how ping matches replies to the requests it sent and computes the round-trip time.

For echo request and reply messages the 32 bits after the checksum hold two fields:

Identifier (16-bit): A number, usually chosen per ping process, that lets the sender match replies to its own requests.

Sequence number (16-bit): A number that increments with each echo request; the reply copies it back unchanged.

ICMP Packet Format

The ICMP header follows the IPv4 or IPv6 header in the packet; ICMP is the payload of IP, not the other way round.

Figure: ICMP packet format: Type (8 bits), Code (8 bits), Checksum (16 bits), a 32-bit field whose meaning depends on the type (the extended header, or "rest of header"), and a variable-length Data/Payload.

The first 32 bits of the ICMP header hold three fields:

Type (8-bit): The first byte identifies the kind of message. It tells the receiver what it has received and therefore how to handle it, for example whether to answer it, hand it to the socket whose packet caused an error, or adjust its routing.

Here are some common message types:

  • Type 0 – Echo reply
  • Type 3 – Destination unreachable
  • Type 5 – Redirect Message
  • Type 8 – Echo Request
  • Type 11 – Time Exceeded
  • Type 12 – Parameter problem

Code (8-bit): The next byte refines the type. For Destination Unreachable the code gives the reason, for example 0 network unreachable, 1 host unreachable, 3 port unreachable, 4 fragmentation needed but DF set, and 13 communication administratively prohibited.

Checksum (16-bit): The last 16 bits of the first word hold the checksum. It is the one's-complement of the one's-complement sum of every 16-bit word in the ICMP message (header and data, with the checksum field set to zero while computing), as described in RFC 1071. It detects corruption of the message in transit; it does not count bits or guarantee delivery, and a receiver that finds a mismatch silently discards the message.

The extended header is the next 32 bits, called "rest of header" in RFC 792. Its meaning depends on the type: for echo messages it holds the identifier and sequence number; for Parameter Problem (type 12) the first byte is a pointer to the offset in the original IP header where the error was found; for Fragmentation Required it carries the next-hop MTU; for most other error messages it is unused and set to zero.

The last part of the ICMP packet is the data or payload, of variable length. For echo messages it is whatever the sender chose (ping fills it with a timestamp and filler bytes). For error messages it is the IP header plus at least the first 8 bytes of the datagram that triggered the error. RFC 1812 says an IPv4 router should quote as much of the original datagram as fits without the ICMP datagram exceeding 576 bytes, and RFC 4443 says an ICMPv6 error message quotes as much as fits within the 1280-byte IPv6 minimum MTU; those are where the figures 576 and 1280 come from.
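To make the echo exchange described under "How does the ICMP Protocol work?" and the packet layout above concrete, here is an added example, written for this page rather than taken from it: it builds an echo request and a Destination Unreachable error with the RFC 1071 checksum, then parses both back, verifying the checksum and extracting the quoted original datagram from the error. The sample UDP datagram, the addresses (RFC 5737 documentation ranges) and the identifier and sequence values are constructed for the example.

```python
import ipaddress
import struct

# Assigned ICMPv4 type numbers (RFC 792); these values are the real ones.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of
    all 16-bit words of the ICMP message (header + data), zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(body: bytes) -> bytes:
    """Fill bytes 2-3 (the checksum field), computed with that field set to zero."""
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def build_echo(ident: int, seq: int, payload: bytes = b"", reply: bool = False) -> bytes:
    """Echo request (type 8) or reply (type 0): type, code 0, checksum, then the
    identifier and sequence number in the 'rest of header', then the payload."""
    icmp_type = ECHO_REPLY if reply else ECHO_REQUEST
    return _with_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)


def build_dest_unreach(code: int, original_datagram: bytes) -> bytes:
    """Destination Unreachable (type 3). The 32 bits after the checksum are unused
    for this code; the data section quotes the original IP header plus the first
    8 bytes of its payload so the sender can match the error to its socket."""
    ihl = (original_datagram[0] & 0x0F) * 4
    quoted = original_datagram[:ihl + 8]
    return _with_checksum(struct.pack("!BBHI", DEST_UNREACH, code, 0, 0) + quoted)


def parse_icmp(msg: bytes) -> dict:
    """Verify the checksum, then decode the fields that matter for each type."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if icmp_checksum(msg) != 0:            # a message with a valid checksum sums to zero
        raise ValueError("ICMP checksum mismatch")
    info = {"type": msg[0], "code": msg[1]}
    if info["type"] in (ECHO_REQUEST, ECHO_REPLY):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
        info["payload"] = msg[8:]
    elif info["type"] in (DEST_UNREACH, TIME_EXCEEDED):
        quoted = msg[8:]                   # the offending datagram: IP header + 8 bytes
        ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
        if ihl < 20 or len(quoted) < ihl + 8:
            raise ValueError("error message does not quote an IPv4 header plus 8 bytes")
        info["orig_proto"] = quoted[9]
        info["orig_src"] = str(ipaddress.IPv4Address(quoted[12:16]))
        info["orig_dst"] = str(ipaddress.IPv4Address(quoted[16:20]))
        if info["orig_proto"] in (6, 17):  # TCP/UDP: the 8 quoted bytes start with the ports
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with no options, used only to build the sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    # the IPv4 header checksum uses the same RFC 1071 algorithm, over the header only
    return hdr[:10] + struct.pack("!H", icmp_checksum(hdr)) + hdr[12:]


# Constructed sample (not a capture): a UDP probe 192.0.2.10:40000 -> 203.0.113.5:33434,
# the kind of packet traceroute sends.
SAMPLE_UDP = (ipv4_header("192.0.2.10", "203.0.113.5", 17, 12)
              + struct.pack("!HHHH", 40000, 33434, 12, 0) + b"abcd")


def demo():
    request = build_echo(ident=0x1F2A, seq=1, payload=b"pynetlabs")
    port_unreach = build_dest_unreach(3, SAMPLE_UDP)   # code 3 = port unreachable
    return parse_icmp(request), parse_icmp(port_unreach)


if __name__ == "__main__":
    for decoded in demo():
        print(decoded)
```

Two points worth noticing: verifying a checksum is the same operation as computing one (a correct message sums to zero, so no separate compare is needed), and the error message is useful to the sender only because of the quoted bytes, which is why a stack can route a port-unreachable error to the exact UDP socket that sent the probe.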

Below we explain how ICMP is abused in DDoS attacks.

How is ICMP Protocol used in DDoS Attacks?

ICMP flood attack

This is the simplest ICMP-based denial of service: many sources send a high volume of ICMP echo requests to a target. The target has to process each request and generate an echo reply, which consumes CPU, bandwidth and, on a stateful firewall, connection-tracking entries. If the target cannot keep up with the incoming traffic, it slows down or becomes unreachable. Rate-limiting inbound echo requests at the network edge, or dropping them during an attack, are the usual mitigations, at the cost of making the host unpingable.

Ping of death attack

The classic ping of death is a single malformed packet rather than a flood: an ICMP echo request sent in fragments that reassemble to more than the 65,535-byte maximum size of an IP packet. Operating systems of the mid-1990s overflowed their reassembly buffers and crashed or rebooted. Modern stacks check the reassembled length and discard such packets, so the original attack is of historical interest, although later bugs in the handling of malformed or oversized ICMP packets have occasionally revived the name.

Smurf attack

In a smurf attack the attacker sends ICMP echo requests whose source address is spoofed to be the victim's, addressed to the directed-broadcast address of a network (for example 192.0.2.255 for 192.0.2.0/24). Every host on that network that answers broadcast pings sends its echo reply to the spoofed source, that is, to the victim, which receives traffic amplified by the number of hosts on the intermediary network. Two defaults now defeat this: routers no longer forward directed broadcasts (RFC 2644 made that the default in 1999), and hosts ignore echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts defaults to 1). A network that still answers broadcast pings is an amplifier for other people's attacks even if it is never the victim itself.
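The three attacks above leave distinct traces in traffic metadata, and the following added example (written for this page, not code from the original post) shows detection logic over constructed records of (time, source, destination, ICMP type): an echo-request rate per destination for floods, echo requests to our broadcast address from a source outside our own prefix for a smurf amplifier, and echo replies from many hosts that we never pinged for a smurf victim. The local prefix 192.0.2.0/24, the thresholds and the sample records are all assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP types from RFC 792


def detect_icmp_abuse(records, local_net="192.0.2.0/24", window=1.0,
                      flood_threshold=100, unsolicited_threshold=10):
    """records: iterable of (seconds, src_ip, dst_ip, icmp_type), as one would get
    from a flow export or a pcap summary. Returns a list of alert tuples. The local
    network and both thresholds are assumptions for this example; tune them per site."""
    records = sorted(records)
    net = ip_network(local_net)
    alerts = []

    # 1. ICMP flood: count echo requests per destination per time window.
    per_window = defaultdict(int)
    for t, src, dst, typ in records:
        if typ == ECHO_REQUEST:
            per_window[(dst, int(t // window))] += 1
    for (dst, _w), n in sorted(per_window.items()):
        if n > flood_threshold:
            alerts.append(("icmp_flood", dst, n))

    # 2. We are being used as a smurf amplifier: an echo request to our directed
    #    broadcast address whose source claims to be outside our own network.
    bcast = str(net.broadcast_address)
    for t, src, dst, typ in records:
        if typ == ECHO_REQUEST and dst == bcast and ip_address(src) not in net:
            alerts.append(("spoofed_broadcast_ping", src, dst))

    # 3. We are the smurf victim: echo replies arrive from many distinct hosts that
    #    we never sent an echo request to (records are sorted, so requests precede replies).
    requested = set()                        # (requester, target) pairs seen so far
    unsolicited = defaultdict(set)           # victim -> set of hosts replying unasked
    for t, src, dst, typ in records:
        if typ == ECHO_REQUEST:
            requested.add((src, dst))
        elif typ == ECHO_REPLY and (dst, src) not in requested:
            unsolicited[dst].add(src)
    for victim, replying in unsolicited.items():
        if len(replying) >= unsolicited_threshold:
            alerts.append(("unsolicited_echo_replies", victim, len(replying)))
    return alerts


def make_sample():
    """Constructed records (not a real capture) using RFC 5737 documentation addresses:
    a normal ping exchange, a 300-packet flood, and a smurf reflection."""
    recs = []
    for i in range(5):                                   # benign: 5 pings with replies
        recs.append((i * 1.0, "192.0.2.10", "203.0.113.5", ECHO_REQUEST))
        recs.append((i * 1.0 + 0.02, "203.0.113.5", "192.0.2.10", ECHO_REPLY))
    for i in range(300):                                 # flood: 300 requests within 1 s
        recs.append((10.0 + i / 300, "198.51.100.%d" % (i % 200 + 1),
                     "203.0.113.5", ECHO_REQUEST))
    recs.append((20.0, "203.0.113.9", "192.0.2.255", ECHO_REQUEST))  # spoofed broadcast ping
    for i in range(1, 51):                               # 50 LAN hosts reflect to the victim
        recs.append((20.0 + i / 1000, "192.0.2.%d" % i, "203.0.113.9", ECHO_REPLY))
    return recs


if __name__ == "__main__":
    for alert in detect_icmp_abuse(make_sample()):
        print(alert)
```

The unsolicited-reply check is the one that matters from the victim's side, since the spoofed requests never pass through the victim's network; the broadcast check is what an operator of the intermediary network should alert on, because it shows their hosts are still acting as an amplifier.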

Limitations of Internet Control Message Protocol

Two limitations are usually listed under ICMP, but they are really gaps in IP itself, the gaps ICMP was created to fill. Both are stated below, together with the limits ICMP genuinely has.

No Error Reporting

IP on its own gives a router no way to tell a sender that a datagram was discarded. For example, when a datagram's Time To Live reaches zero in transit, the router drops it, and without ICMP the sender would never learn why. ICMP's Time Exceeded message exists precisely to close that gap. What ICMP cannot do is correct the error: it only reports it, and it is up to the source, or a higher-layer protocol such as TCP, to retransmit or change behaviour.

No Communication

IP has no mechanism for one host to ask another about its status, for instance whether a destination is still reachable after data has been sent. ICMP's query messages, echo request and echo reply, provide that. ICMP's own limitations are that its messages are delivered on a best-effort basis like any other IP packet, so a lost error message means the sender simply never hears about the problem; that no ICMP error is ever generated in response to another ICMP error message, to avoid message storms; and that many firewalls drop ICMP wholesale, which silently breaks Path MTU Discovery and traceroute.

These are the limitations of ICMP Protocol.

Frequently Asked Questions

Q1. Where is ICMP protocol used?

ICMP serves as a means for reporting errors and diagnosing networks. It relies on messages like echo requests, echo replies, and time exceeded.

Q2. Is ICMP a TCP or UDP protocol?

Neither. ICMP is its own protocol, carried directly inside IP with protocol number 1 (58 for ICMPv6), alongside TCP (protocol 6) and UDP (protocol 17) rather than on top of them. Like UDP it is connectionless, and it has no ports: its messages are identified by type and code. Its purpose is network management, chiefly error reporting and diagnostics.

Q3. What is ICMP and ping?

ICMP acts as a protocol facilitating the exchange of error and control messages among network devices. The tool known as Ping utilizes ICMP to assess the connectivity and latency of a device by sending out echo requests and awaiting replies.

Q4. Is ping an ICMP protocol?

Ping is a tool, not a protocol; it uses ICMP to test connectivity between two devices. ICMP, short for Internet Control Message Protocol, operates at the network layer and carries error and control messages. Ping sends ICMP echo requests and waits for the matching ICMP echo replies, reporting the round-trip time of each and how many went unanswered.

Conclusion

ICMP protocol serves at the network layer, enabling network devices to exchange information regarding errors, queries, and congestion. It plays a role in diagnosing and resolving network issues. It can also be misused by attackers to carry out DDoS attacks. This blog explains ICMP, its significance, and its historical background. Additionally, we explore the misuse of ICMP in computer networks for executing DDoS attacks.
