Routers and intermediary devices use ICMP to communicate error information and updates. It is not a transport layer protocol, so it does not involve a TCP handshake between two devices.
ICMP also provides network diagnostic functionality, including the terminal utilities ping and traceroute. Understanding how ICMP works and how it behaves in your network is critical to protecting against attacks like DDoS floods and ping sweeps.
What is ICMP?
ICMP is an Internet control protocol that reports error conditions and other information. It is a network layer protocol, so it does not manage data transfer itself, but it does help ensure that data gets to its destination and is received in the proper order.
Unlike TCP and UDP, which are transport protocols, ICMP is connectionless. It does not require a device to establish a connection before sending a message, and it can send multiple packets quickly. This helps reduce the chance of congestion.
It is a straightforward protocol with three parts: a header that identifies the type of message and its code (the category), a data portion, and an IP header that contains the address of the device that sent the ICMP message. The ICMP data portion includes the original IP header, making it easy for end systems to identify which packet failed.
Network administrators use ICMP to troubleshoot Internet connections with diagnostic utilities such as ping and traceroute. Both tools use ICMP to display the routing path data takes from one router to another. The resulting reports can reveal the devices data must pass through and how long it takes to reach its destination. In addition to these diagnostic messages, ICMP generates error messages that can affect network performance.
ICMP Error Messages
ICMP error messages report errors and other network management information. IP itself has no built-in error control or reporting functions, so ICMP serves as an auxiliary protocol for managing network devices.
ICMP messages are organized into two categories: error-reporting messages and query messages. The best-known error-reporting message is destination unreachable, generated by a router when it cannot deliver traffic to a destination network or host. Query messages, on the other hand, help hosts and routers obtain specific information about the network.
Each ICMP error message comprises a type, a code, and a checksum. The first field is an 8-bit value that identifies the ICMP message type. The second field, the code, is a numeric value that further qualifies the message. The third field, the checksum, is a 16-bit one's complement checksum computed over the ICMP message.
Some ICMP error messages are used for network troubleshooting, as in traceroute. When a packet is sent with a hop limit of one, the first router in the path discards it and sends back an ICMP message of type three, code zero. This enables the source host to determine which routers are part of the path to the destination host. Other ICMP error messages are more serious, such as the time exceeded message, which informs the source that its packet was discarded due to timeout.
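As an added example (not code from the article), the following Python builds and parses ICMP messages with the type, code and checksum fields described above, verifies the 16-bit one's complement checksum, and pulls the quoted original IP header out of an error message so the failing packet can be identified. The type and code numbers are the standard assignments from RFC 792: Destination Unreachable is type 3, Echo Request is type 8, and Time Exceeded, the message a router returns when a packet's hop limit reaches zero, is type 11, code 0. Source Quench (type 4) is listed for completeness; RFC 6633 deprecated it and modern hosts ignore it. The sample datagrams are constructed here using RFC 5737 documentation addresses.

```python
import struct

# Standard ICMPv4 type numbers (RFC 792); only the ones discussed in the text.
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    4: "Source Quench",          # deprecated by RFC 6633
    5: "Redirect",
    8: "Echo Request",
    11: "Time Exceeded",
    12: "Parameter Problem",
}
ERROR_TYPES = {3, 4, 5, 11, 12}  # these quote the offending datagram's IP header + 8 bytes
CODE_NAMES = {
    3: {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
        3: "port unreachable", 4: "fragmentation needed and DF set"},
    11: {0: "time to live exceeded in transit", 1: "fragment reassembly time exceeded"},
}


def internet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071), used by ICMP and IP."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble type | code | checksum | 4-byte 'rest of header' | data, checksum filled in."""
    body = struct.pack("!BBH", msg_type, code, 0) + rest + payload
    csum = internet_checksum(body)
    return struct.pack("!BBH", msg_type, code, csum) + rest + payload


def checksum_valid(msg: bytes) -> bool:
    """A message whose checksum field is correct sums (one's complement) to zero."""
    return internet_checksum(msg) == 0


def parse_icmp(msg: bytes) -> dict:
    """Decode the fixed header and, for error messages, the quoted original datagram."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    msg_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": msg_type, "type_name": ICMP_TYPES.get(msg_type, "unknown"),
            "code": code, "checksum_ok": checksum_valid(msg)}
    if msg_type in (0, 8):
        info["identifier"], info["sequence"] = struct.unpack("!HH", msg[4:8])
    elif msg_type in ERROR_TYPES and len(msg) >= 28:
        info["code_name"] = CODE_NAMES.get(msg_type, {}).get(code, "other")
        ip = msg[8:]                          # original IP header follows the ICMP header
        ihl = (ip[0] & 0x0F) * 4
        info["orig_proto"] = ip[9]
        info["orig_src"] = ".".join(str(b) for b in ip[12:16])
        info["orig_dst"] = ".".join(str(b) for b in ip[16:20])
        if info["orig_proto"] in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP ports
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def _ipv4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def constructed_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """A minimal 20-byte IPv4 header (constructed sample, header checksum filled in)."""
    fields = [0x45, 0, total_len, 0x1E, 0x4000, 64, proto, 0, _ipv4(src), _ipv4(dst)]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = internet_checksum(raw)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def sample_echo_request() -> bytes:
    """Constructed ping: identifier 0x1234, sequence 1."""
    return build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping-example")


def sample_port_unreachable() -> bytes:
    """Constructed Destination Unreachable (type 3, code 3) quoting a UDP datagram to port 33434."""
    orig_ip = constructed_ipv4_header("192.0.2.10", "198.51.100.7", 17, 60)
    orig_udp = struct.pack("!HHHH", 40000, 33434, 40, 0)   # first 8 bytes of original payload
    return build_icmp(3, 3, b"\x00" * 4, orig_ip + orig_udp)


if __name__ == "__main__":
    for msg in (sample_echo_request(), sample_port_unreachable()):
        print(parse_icmp(msg))
```

Because the checksum covers the whole message, a receiver validates it by summing the message as received and checking for zero; the same Internet checksum routine also fills in the IPv4 header checksum of the constructed sample. The quoted original header is what lets a host match a Destination Unreachable or Time Exceeded message back to the socket that sent the failing packet.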
ICMP Query Messages
When a network device sends an IP datagram from one end of the network to the other, it often passes through multiple routers or intermediary devices. These devices can sometimes mishandle the data packet and produce an ICMP error message to let the sending device know what went wrong.
For example, suppose a router receives a data packet that is too large to process. In that case, it will send an ICMP destination unreachable error message to the transmitting device to notify it of the problem. Other ICMP error messages include time exceeded, parameter problem, and redirect messages.
In addition to the error messages, ICMP includes query messages that allow network devices to communicate. These query messages help network administrators troubleshoot problems with the data transfer process. For example, a network administrator can use the ping command-line utility to generate ICMP echo request and echo reply messages to determine the latency between two devices.
Think of ICMP as the communication between an automobile assembly team and its supplier. The automotive supplier delivers a variety of parts to the assembly line, and these parts can get lost or misrouted along the way. The assembly crew needs to be able to communicate with the manufacturer to make sure the missing or misrouted parts arrive as soon as possible.
ICMP Congestion Control
ICMP can be used to help control network congestion. It can communicate information about the transmission rate of packets and can provide feedback such as source quench messages (telling the sender to reduce its data rate because of congestion). This lets routers manage their resources more effectively than IP alone would allow.
Besides reporting errors and providing feedback, ICMP can also be used to test the performance of a network: ping and traceroute are both ICMP-based diagnostic tools. Traceroute, for instance, shows the devices that handled a packet of data on its way to a destination.
However, ICMP can be exploited by attackers to harm a network. These attacks are known as DDoS, or distributed denial-of-service, attacks. One widespread attack uses a high volume of ICMP packets to overburden the target device, consuming its bandwidth and making it unresponsive to legitimate traffic. Another attack, the ping of death, involves sending many ICMP Echo Request messages to a device until it stops responding. These are just two examples of a wide range of DDoS attacks that can cause severe problems in your network. As a result, it is essential to know what you can and cannot do with ICMP in your network. Doing so helps protect your network from threats that could be costly or detrimental to users.
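The defensive counterpart to the attacks described above is to watch echo request volume in your own traffic records. As an added example (not from the article), the following Python runs a sliding-window detector over a constructed set of flow records and distinguishes three patterns: a ping sweep (one source probing many distinct hosts), a single-source ICMP flood (a high rate from one source to one target), and a distributed flood (a high aggregate rate at one target from many sources). The record format, thresholds and addresses are assumptions chosen for the example; the addresses come from the RFC 5737 documentation ranges and the traffic is synthetic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

ECHO_REQUEST = 8  # ICMP type for echo request, the message ping sends


@dataclass(frozen=True)
class IcmpRecord:
    """One ICMP packet as it might appear in a flow log (constructed, not real traffic)."""
    ts: float        # capture time in seconds
    src: str
    dst: str
    icmp_type: int


def constructed_records():
    """Synthetic trace mixing benign pings, a sweep, a flood and a distributed flood."""
    recs = []
    # Benign: one host pings its gateway once per second for 20 s and gets replies (type 0).
    for i in range(20):
        recs.append(IcmpRecord(100.0 + i, "192.0.2.10", "192.0.2.1", ECHO_REQUEST))
        recs.append(IcmpRecord(100.0 + i + 0.01, "192.0.2.1", "192.0.2.10", 0))
    # Ping sweep: one source probes 12 consecutive addresses within 3 s.
    for i in range(12):
        recs.append(IcmpRecord(105.0 + i * 0.25, "203.0.113.5", f"192.0.2.{i + 1}", ECHO_REQUEST))
    # Flood: one source sends 120 echo requests to one host in 2 s.
    for i in range(120):
        recs.append(IcmpRecord(110.0 + i / 60.0, "203.0.113.77", "192.0.2.20", ECHO_REQUEST))
    # Distributed flood: 30 sources each send 3 echo requests to one host within 1 s.
    for s in range(30):
        for k in range(3):
            recs.append(IcmpRecord(120.0 + (s * 3 + k) * 0.01, f"198.51.100.{s + 1}",
                                   "192.0.2.30", ECHO_REQUEST))
    return sorted(recs, key=lambda r: r.ts)


def detect_icmp_anomalies(records, window=10.0, sweep_hosts=8, flood_count=50, many_sources=10):
    """Sliding-window detector over echo requests. Emits one alert per (kind, key)."""
    per_src = defaultdict(deque)   # src -> (ts, dst): how many distinct hosts a source probes
    per_pair = defaultdict(deque)  # (src, dst) -> (ts, src): rate from one source to one target
    per_dst = defaultdict(deque)   # dst -> (ts, src): aggregate rate at a target, source count
    alerts, fired = [], set()

    def expire(q, cutoff):
        while q and q[0][0] < cutoff:
            q.popleft()

    for r in sorted(records, key=lambda x: x.ts):
        if r.icmp_type != ECHO_REQUEST:
            continue  # replies and error messages are not counted here
        cutoff = r.ts - window

        q = per_src[r.src]
        q.append((r.ts, r.dst))
        expire(q, cutoff)
        distinct_dsts = len({d for _, d in q})
        if distinct_dsts >= sweep_hosts and ("sweep", r.src) not in fired:
            fired.add(("sweep", r.src))
            alerts.append({"kind": "ping_sweep", "src": r.src,
                           "distinct_dsts": distinct_dsts, "ts": r.ts})

        p = per_pair[(r.src, r.dst)]
        p.append((r.ts, r.src))
        expire(p, cutoff)
        if len(p) >= flood_count and ("flood", r.src, r.dst) not in fired:
            fired.add(("flood", r.src, r.dst))
            alerts.append({"kind": "icmp_flood", "src": r.src, "dst": r.dst,
                           "count": len(p), "ts": r.ts})

        d = per_dst[r.dst]
        d.append((r.ts, r.src))
        expire(d, cutoff)
        distinct_srcs = len({s for _, s in d})
        if len(d) >= flood_count and distinct_srcs >= many_sources and ("ddos", r.dst) not in fired:
            fired.add(("ddos", r.dst))
            alerts.append({"kind": "distributed_icmp_flood", "dst": r.dst, "count": len(d),
                           "distinct_srcs": distinct_srcs, "ts": r.ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_icmp_anomalies(constructed_records()):
        print(alert)
```

The per-destination view is what separates a distributed flood from a single noisy host: the same packet count from one source trips the flood rule but not the distributed one, and neither rule fires for the gateway that receives one ping per second. In production the thresholds should be set from a baseline of your own ICMP volume, and the alerts fed to rate limiting on the edge rather than a blanket block of ICMP, since dropping all of it also removes the error reporting and diagnostics the article describes.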