ICMP stands for Internet Control Message Protocol. It is a protocol at the network layer. It is mostly used on network devices such as routers for error handling at the network layer. Because many forms of faults might occur at the network layer, ICMP can be used to report and troubleshoot these errors.
For example, suppose a sender wishes to transmit a message to a specific destination but a router along the way is unable to forward it. In this scenario, the router informs the sender that it was unable to deliver the message to that destination.
Because the IP protocol has no error-reporting or error-correction mechanism of its own, it relies on ICMP messages to communicate such information. For example, suppose a message is sent toward its destination but is lost somewhere between the sender and the destination. If no one reports the problem, the sender may believe the message has arrived. If a device in the middle reports the issue, the sender can promptly resend the message.
What is ICMP used for?
The major function of ICMP is error reporting. When two devices communicate over the Internet, ICMP generates error messages for the transmitting device if any of the data does not arrive at its intended destination. If a data packet is too large for a router to forward, for example, the router will drop the packet and send an ICMP message back to the source of the data.
ICMP is also used for network diagnostics, notably the terminal applications ping and traceroute.
Traceroute: The traceroute utility displays the routing path between two internet devices that are communicating with one another. It plots the path from one router to the next; each step is known as a hop. Using traceroute to diagnose network issues can help administrators determine the source of a network slowdown.
Ping: The ping utility is a simplified version of traceroute. It sends out pings, also known as echo request messages, and then times how long it takes each message to reach its destination and for the answer, known as an echo reply message, to return to the source. Pings are useful for determining the latency to a specific device. Unlike traceroute, ping does not map the routing path. The ping program is also frequently used in denial of service (DoS) attacks.
The widely used Internet Protocol version 4 (IPv4) and the newer IPv6 use ICMPv4 and ICMPv6, respectively.
How does ICMP work?
ICMP is one of the most important protocols in the IP suite. Unlike application data, however, ICMP does not run over a transport layer protocol such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). It is a connectionless protocol, which means that a device does not need to establish a connection with the target device before sending a message. This is in contrast to TCP, which requires a connection to be established before a message can be transmitted, confirming that both devices are ready via the TCP handshake.
ICMP messages are sent as datagrams: an IP header encapsulates the ICMP data. A datagram, like a packet, is a self-contained, autonomous unit of data. Think of it as a package carrying a portion of a larger message across the network. IP packets that carry ICMP in the IP data part are referred to as ICMP packets. ICMP error messages also include the full IP header of the original packet, allowing the end system to determine which packet failed.
ICMP is identified as IP protocol number 1, and the ICMP header appears immediately after the IPv4 or IPv6 packet header. The protocol has three parameters, which are discussed below. The ICMP data and the original IP header, identifying which packet failed, follow the three parameters.
How is ICMP used in DDoS attacks?
ICMP flood attack
When an attacker attempts to flood a targeted device with ICMP echo-request packets, this is known as a ping flood. Each packet must be processed and responded to by the target, consuming CPU resources until legitimate users are unable to obtain service.
Ping of Death Attack
A ping of death attack happens when an attacker sends a ping to a targeted machine that is larger than the maximum allowed packet size, causing the machine to freeze or crash. The packet is fragmented on its way to the destination, but when the destination reassembles it to its original, over-sized length, the oversized packet causes a buffer overflow.
Today the ping of death attack is mostly history. However, older networking equipment may still be vulnerable.
Smurf Attack
In a Smurf attack, the attacker transmits an ICMP packet with a spoofed source IP address. Networking equipment responds to the packet by sending replies to the spoofed address, bombarding the victim with unwanted ICMP packets. Like the ping of death, the Smurf attack is only achievable against legacy equipment today.
ICMP is not the sole network layer protocol employed in layer 3 DDoS attacks. In the past, attackers have also used GRE packets, for example.
Network layer DDoS attacks, as opposed to application layer DDoS assaults, often target networking equipment and infrastructure. One method of defending against network layer DDoS attacks is to use Cloudflare Magic Transit.
ICMP parameters reside in the packet header and help identify the problem with the IP packet to which they apply. The parameters function like a shipping label on a parcel: they contain information that identifies the packet and its contents. As a result, the protocols and network tools that receive the ICMP message know how to handle the packet.
Every ICMP message’s packet header contains three informational fields, or parameters, in the first 32 bits. These three variables are as follows:
Type: The first eight bits represent the message type. Some frequently used message types are:
Type 0: Echo reply
Type 3: Destination unreachable
Type 8: Echo request
Type 5: Redirect
The type gives a brief explanation of the message’s purpose so that the receiving network device understands why it is receiving the message and how to handle it. A Type 8 Echo, for example, is a query sent by a host to see if a potential destination system is available. When an Echo message is received, the receiving device may respond with an Echo Reply (Type 0), indicating that it is available.
The Internet Assigned Numbers Authority (IANA) maintains a list of all message types used by ICMP packets.
Code: The next eight bits are the message code, which gives more detail about the kind of error within the message type.
Checksum: The final 16 bits serve as a message integrity check. The checksum is computed over the entire message and lets the receiving ICMP tool confirm that the complete range of data arrived intact, by checking it for consistency with the ICMP message header.
The pointer is the next section of the ICMP header. It is a 32-bit field that pinpoints the issue in the original IP packet. Specifically, the pointer identifies the byte position in the original IP message that caused the error message to be generated. The receiving device examines this section of the header to determine the source of the problem.
The original datagram is the final portion of the ICMP packet. It contains a copy of the IP message that caused the error and can be up to 576 bytes in IPv4 and 1,280 bytes in IPv6.
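To make the header layout and the encapsulation of the failed datagram concrete, the following added example (not code from the original article) builds an Echo Request and a Destination Unreachable message, decodes the first 32 bits (type, code, checksum), verifies the checksum, and pulls the destination address out of the IPv4 header quoted in the error message. The sample IPv4 header, the identifier and sequence values are constructed for the example.

```python
import struct

# Message types named on the page (IANA maintains the full registry)
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              5: "Redirect", 8: "Echo Request"}

def icmp_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words over the whole message (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Type 8 / Code 0 message; the checksum is computed with its own field zeroed."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def build_dest_unreachable(code: int, original: bytes) -> bytes:
    """Type 3 error: 4 unused bytes, then the failed datagram's IP header + 8 bytes."""
    quoted = original[:28]
    header = struct.pack("!BBHI", 3, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted

def parse_icmp(message: bytes) -> dict:
    """Decode the first 32 bits (type, code, checksum) and verify integrity."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    msg_type, code, csum = struct.unpack("!BBH", message[:4])
    # Summing an intact message with its checksum in place complements to zero
    return {"type": msg_type, "name": ICMP_TYPES.get(msg_type, "Other"),
            "code": code, "checksum": csum,
            "checksum_ok": icmp_checksum(message) == 0,
            "body": message[8:]}

def failed_destination(error_message: bytes) -> str:
    """Read the destination address from the IPv4 header quoted in an error message."""
    quoted = parse_icmp(error_message)["body"]
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("quoted datagram is not an IPv4 header")
    return ".".join(str(b) for b in quoted[16:20])

# Constructed sample: IPv4 header (UDP, 192.0.2.1 -> 198.51.100.7) plus 8 payload bytes
SAMPLE_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                          bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + b"\x00" * 8
```

Running `failed_destination(build_dest_unreachable(3, SAMPLE_IPV4))` returns the address of the packet that could not be delivered, which is exactly what the quoted original header exists to tell the sender.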
How Fortinet can help
Fortinet FortiDDoS protection helps keep your network safe from DDoS attacks that make use of ICMP. FortiDDoS analyses device behaviour and flags anomalous ICMP message activity so that the attack can be stopped. To make it easier to use, FortiDDoS includes a dashboard, protection profiles, global settings, and an easy-to-use graphical user interface.
FortiDDoS reduces the number of false positives, saving your IT staff time and effort. It can also check hundreds of thousands of different data characteristics at once, making it a more complete tool against DDoS attacks. You can also generate detailed reports and graphs summarising network activity with FortiDDoS.
Some Useful Questions
What is the Purpose of ICMP?
The Internet Control Message Protocol (ICMP) is used for error reporting and network diagnostics. When data does not arrive as expected, ICMP carries messages from the receiver (or an intermediate router) back to the sender as part of the error reporting procedure. In the diagnostic role, ICMP delivers the messages used by ping and traceroute to provide information about how data is transferred.
Is ICMP synonymous with ping?
Although they are related, ICMP and ping are not the same thing. The ICMP protocol governs how messages are exchanged between devices. "Pings" is the name given to the echo requests and replies sent using ICMP. So, while a ping is generated with ICMP, it is not ICMP itself.