Internet Control Message Protocol (ICMP) is located at the Network layer of the OSI model (or just above it in the Internet layer, as some argue), and is an integral part of the Internet Protocol suite ( commonly referred to as TCP/IP).
ICMP is assigned Protocol Number 1 in the IP suite according to IANA.org.
Designed to act as an error reporting and query service, it plays a crucial role in the host-to-host datagram service in network communication. It is the part of the IP service that acts as the feedback system in network IP communication, making sure that undeliverables packets are reported to the sending host, such as the router or the gateway.
Any IP network device can send ICMP datagrams, including network interface cards and other devices that are commonly used in your environment.
What is ICMP?
What is ICMPs role?
ICMP’s role in network communication can be likened to a team that is assembling an automobile using parts being sent from the manufacturer. The manufacturer is sending the parts one by one, assuming that they are being received by the assembly crew.
Handling Missing or Delayed Parts
Occasionally, though, a part does not arrive as scheduled, or parts are being slowed down via their usual delivery method and a faster way of getting parts to assembly exists. The assembly crew needs a way to notify the manufacturer to resend the missing part or to send the parts via a different, faster shipper or route.
ICMP as a Messenger
ICMP plays this role of the messenger that relays information from the receiver to the sender. This protocol is a fairly complex. Not only does it report undeliverable packets and unreachable hosts, it also sends redirect messages, echo and echo reply messages and others discussed below.
Echo/Echo Reply Messages and ICMP Feedback
(Echo/echo reply messages are used by the well-known PING command, which allows a user to send an echo to a receiving host, which sends an echo reply if echo is received). ICMP messages provide the system with a way to notify the source host if the remote host is not receiving the transmitted packets. ICMP does not help IP be more dependable and it does not receive or send any actual data. It simply exists as a feedback system, a resource to identify problems with lost packets and broken data routing.
Destination Unreachable Message
One of the most well-known and useful messages in an ICMP datagram is the Destination Unreachable message. Destination Unreachable messages are generated for several reasons, including unable to reach a network, a host, a port, or a protocol.
A router sends these Destination Unreachable messages back to the host, which then usually sends it to the application that generated the original packet. The error messages let the application know to try again and, if needed, the host application can generate an error message to the user of the application, notifying them of network connectivity problems.
Overview of ICMP Messages
It is important to know that even though Destination Unreachable messages are the ones that people know best through the PING utility, they are not all that there is to ICMP. Other important messages include the Redirect message, which a gateway uses to let the host know to send traffic to a different router. Time Exceeded is used by a router to tell the host that a packet has exceeded its Time to Live (TTL) and has been discarded; when a host starts receiving Time Exceeded packets, it may be an indication that a feedback loop exists somewhere downstream.
Router and Host Communication
Source Quench messages are sent from a router to a host, letting it know that its buffering capacity is full and to briefly pause transmissions to allow it to catch up. Other types of messages include Parameter Problem, Address Mask Request & Reply and Timestamp, among others.
Avoiding Feedback Loops and Network Flooding
ICMP will not send messages about ICMP messages; if this were to happen, it would create a feedback loop – a returned ICMP message would generate an ICMP message back to the other side, which would generate another message, and so on, creating a storm of ICMP packets that would quickly flood a network. For this same reason, ICMP will not reply to broadcast or multicast addresses. Unlike other IP protocols such as TCP and UDP, ICMP does not exchange data between hosts.
User Interaction and Diagnostic Tools
As a general rule, end users do not interact with this protocol except for a limited number of diagnostic tools, such as ping and traceroute, used to troubleshoot network and Internet connections.
Security Concerns: Attacks and Prevention
ICMP can be exploited to attack computers with what is known as the “Ping of Death”, which is a common Cyber attack that can cause Denial of Service issues in your networks. An IP packet designed to overflow a target computer’s buffer is sent in an attempt to crash its system. Another attack consists of floods of ping requests that prevent normal traffic from getting to the targeted computer. These attacks are relatively simple to prevent by implementing checks of IP fragments in the reassembly process.
Structure and Protocols of ICMP
ICMP messages are datagrams encapsulated within IP packets, and is used by both IPv4 (ICMPv4) and IPv6 (ICMPv6) protocols. These packets start with an IP header, followed by the ICMP header, type and code, checksum, and data. The data depends on the type and code fields, which identify the ICMP message being sent.
Importance of ICMP in IP Network Communication
One of the most important parts of the Internet Protocol suite, ICMP serves a crucial role in IP network communication. It ensures that a transmitting host knows if its packets are not being received by the remote host, providing crucial information regarding network problems as well as helping hosts transmit data more efficiently. Network technicians and administrators also use it as a diagnostic tool to help identify points of failure in the network. An ultimately indispensable tool in our constant, endless flow of billions and billions of IP packets sent around the world every second of every day.
Why is it that an ICMP packet does not have source and destination port numbers?
ICMP, the Internet Control Message Protocol is part of the TCP/IP protocol suite. ICMP relates to the Internet Layer, whereas port numbers are only found in the Transport Layer, which is the layer above.
What is ICMP protocol?
ICMP stands for the Internet Control Message Protocol. It was designed to provide administrative functions to Internet transmissions. Examples of its role include status checks and error messages passed between two devices across a connection.
What layer is ICMP?
ICMP is part of the TCP/IP protocol stack and it is found at the Internet Layer. This is actually the second layer up in the stack. ICMP is referred to as a Layer 3 protocol. This number comes from the Network Layer in the Open Systems Interconnection (OSI) protocol stack. The Network Layer in the OSI model is the thirds up and it equates to the Internet Layer in the TCP/IP stack.
Does ICMP run over IP?
Yes, ICMP sends messages to a source IP address. All IP-based network devices have the ability to send and receive ICMP messages. However, ICMP can be turned off, eliciting an error or failed response. This common tactic is used to limit an environment's exposure to ICMP related attacks.
Can hackers use ICMP?
Yes, hackers can use ICMP for a variety of attacks. Many of these attacks can be prevented by limiting ICMP traffic volumes and destinations in your firewall. In some cases, it may be appropriate to disable ICMP. Many content delivery networks can automatically block these attacks.
Hackers can use the ping command to scan a range of IP addresses and determine which ones are active. This can help them identify potential targets on a network.
ICMP redirect attacks
This type of attack is used to manipulate routing tables on a network, allowing the attacker to redirect network traffic through a device under their control.
Hackers can use ICMP to create a tunnel through which they can transmit data, bypassing firewalls and other security measures.
A Smurf attack is a type of denial of service attack in which the attacker sends a large number of ICMP echo request packets (ping packets) to the broadcast address of a network, with the source address spoofed to be the address of the intended victim.
ICMP flood attacks
This type of attack is similar to a Smurf attack, but instead of sending a large number of ping packets, the attacker floods the target with a high volume of ICMP packets, overwhelming the target and causing a denial of service.