explaining ICMP

What is ICMP?

ICMP (Internet Control Message Protocol) is a protocol that network devices (e.g. routers) use to generate error messages when network issues are preventing IP packets from getting through.

The Internet Control Message Protocol is one of the fundamental systems that make the internet work.

The history of ICMP

ICMP is part of the TCP/IP protocol stack. It is stationed at the Internet Layer and it is an error message standard that supports the core Internet Protocol. The original definition of ICMP was written by Jon Postel, one of the founders of the internet. The first standard was published in April 1981 in RFC 777. This has since been updated several times. The stable definition of the protocol is contained in RFC 792, which was also written by Postel and was published by the Internet Engineering Taskforce in September 1981.

The purpose of ICMP

Although the lower level Internet Layer is not supposed to be concerned with connection assurance, ICMP gives a little bit of feedback on communications when things go wrong. So, even if you use UDP, which has a connectionless communications model, it is still possible to find out why a transmission failed. All network-connected devices can process ICMP messages, so that includes routers as well as endpoint devices. ICMP has been adapted so it can work with IPv6 just as thoroughly as it has served IPv4.

As this protocol resides at the Internet Layer, its messages are carried by IP packets and so exist at a higher level than the operating structures of switches. Although the ICMP is carried within the IP packet, it does not exist inside data-carrying packets. An ICMP packet is only generated in response to an incoming data packet when the transmission of that inbound message fails. The error conditions that provoke an ICMP packet are often the result of data contained in the IP header of the failed packet.

ICMP packet structure

When a router ricochet’s back an ICMP packet to report an error, it recreates all of the fields in the original IP header of the packet that it is reporting on. So, an error collection program on the original sending computer could analyze the header and work out exactly which of the IP packets that it sent out failed.

After the IP header, comes the three field ICMP header. These contain a code that categories the error, a sub-code field, which refines the error code description, and then a checksum. After the ICMP field come the first eight bytes of the payload, which are actually the Transport Layer header (TCP or UDP).

ICMP message codes

The first code field in the ICMP block contains some very useful information. The code is numeric and here are some of the more interesting values that the field can have:

0 : echo reply – used for ping

3 : destination unreachable

4 : source quench – the router is overloaded

5 : redirect – use a different router

8 : echo request – used for ping

9 : router advertisement reply

10 : router solicitation

11 : time exceeded – used for traceroute

Time to Live

One of the IP header fields that is best-known for provoking an ICMP-generating error is the Time to Live field (TTL). This field contains a number, which expresses the maximum number of routers that the packet can pass through. This number is decreased by one, by each router that processes the packet. If a router receives a packet with a TTL of zero, it drops that packet and sends an ICMP message back to the originator of that failed transmission.

In the case of TTL exhaustion, the reason for a packet failing to reach its destination has nothing to do with router problems or malformed data in the packet header. The TTL is a construct that was created to prevent rogue packets clogging up the internet when router table errors resulted in circular paths. However, a byproduct of this field is a very useful network administration tool: Traceroute.

See also:  SolarWinds Traceroute Tools Review

Traceroute with ICMP

Traceroute is a well-known net admin tool that shows the typical path from the launching computer through to a given destination IP address. The utility sends out a series of empty IP packets. The important feature of each of these transmissions is the TTL value in the IP header.

The Traceroute program starts off sending a packet out with a TTL of 0. This will be dropped by the first router that receives it, which is usually the network gateway. That router sends back an ICMP packet. The only pieces of information that Traceroute wants from that response are the time it takes to come back and the source address of the packet. That tells Traceroute the address of the first router on the path to the destination. The program then sends out a packet with a TTL of 1. This gets through the gateway, which decreases the TTL by 1. The router that gets the packet next sees that the TTL is zero, drops the packet, and sends back an ICMP packet. Thus, the second router in the path is revealed and Traceroute notes the time it took for that response to arrive. By increasing the TTL by 1 with each transmission, Traceroute eventually builds up a map of all the links across the internet to the given address.

Traceroute problems

Traceroute is a very simple tool that takes advantage of a pre-existing administrative function and makes an efficient and informative utility out of it. There are a couple of weak points with Traceroute.

A network administrator will probably use the utility in order to see why a recent connection went so badly – either slowly, or failed. However, Traceroute can’t tell you what happened in the past. It can only give you feedback on the progress of the current route.

Routers each make their own decision over which of their neighbors offers the shortest path to the destination IP address on a packet. However, that decision might not always be exactly the same every time. If a router gets congested or switched off, the neighboring routers soon find out about the problem and adjust their routing tables to work around the problem. That altered routing information gets rippled out to all of the routers on the internet, but the problem may be fixed before all of the routers find out about it. Then the re-adjusted route gets proliferated around the world.

An option with the command, “-j” allows you to specify the addresses of the routers that you would like Traceroute to follow as a path. However, in order to use this facility, you would have to already know the path that a faulty transmission took and you can only derive that information with a Traceroute execution of exactly the same path.

So, if you experience a slow connection, the Traceroute command that you subsequently issue might not reveal what happened because by that time. The problem that caused the delay may have been fixed and your Traceroute path may not be the same path that the slow connection used.

Another problem with Traceroute is that it gives an interesting display on the path that your transmission will probably take to a given destination host. However, it doesn’t give you any tools to do anything with the information that you receive. It isn’t possible to specify a path, and so if you see that one of the routers on the internet gives a slow response time, all you can do with that is know which router is slowing your connections. As that router doesn’t belong to your company and you can’t speed it up, you have acquired knowledge through Traceroute but can’t act on it.

See also: Best tools for Traceroute

ICMP Ping

Ping uses two ICMP codes: 8 (echo request) and 0 (echo reply). When you issue the Ping command at the prompt, the Ping program sends out an ICMP packet containing the code 8 in the Type field. The reply will have a Type of 0. The program times the gap between sending the echo request packet and the arrival of the reply. So, you can get the “round trip time” of a packet to the given destination network and back.

The echo request packet is unusual in that it is the only ICMP packet that is sent out without being provoked by an error. So, Ping doesn’t have to emulate an error condition in order to get an ICMP message back. Ping has two options that allow you to specify a list of addresses for the path that the transmission should take. These are “-j“, which suggests a route and “-k“, which dictates the route.

See also: Best Ping Sweep Tools

ICMP Ping port

You may wonder which port Ping uses. The answer is: none. If a utility allows you to “ping” a port, it is not literally the Ping command. Instead, that utility uses a TCP or UDP packet to test a port. In truth, this type of function is referred to as a ” port scanner” or “port checker.”

Ping can’t use ports because it is a protocol that exists at a lower level than the Transport Layer, where ports are a major feature.

The closest method to an ICMP Ping port report that is available is to send a UDP packet to a specific port. If that port is not active, the transmission will provoke an ICMP message from the host of type 3 (destination unreachable) subtype 3 (destination port unreachable). So, although it is possible to provoke an ICMP message about a port, it is not possible to use the Ping mechanism to send an ICMP packet to that port in the first place as an echo request. If you tack a port number onto the IP address in a Ping command (i.e. ping <IP address>:<port number>) the command will not launch but will return a syntax error instead.

Pathping

Pathping is a utility that is built into the Windows operating system and it is available in all versions since Windows NT. This program is a combination of Ping and Traceroute, so it exploits three ICMP message types. These are the echo request and echo reply message type (8 and 0) and the time exceeded message type (11).

As with both Traceroute and Ping, it is possible to give a list of addresses for a suggested path as a parameter to the command and the utility will try to send a packet to the target network via those addresses.

Pathping produces a formatted results report that shows the route and the round trip times to each router. It will send repeated ping requests to each router in the path rather than just repeatedly contacting the destination. That is what Ping does, or just logging each router in the path once, which is what Traceroute does.

Pathping is not as resilient as Ping or Traceroute. Although every device on the internet is capable of sending ICMP messages, not every device has its ICMP functions activated. Some router and server owners intentionally turn off ICMP functions as a protection against hacker attack.

If an intermediate router will not use ICMP, Ping still gets through that router to test the destination. If Traceroute encounters a router that will not send out ICMP packets, it simply progresses to the next router, presenting a line of asterisks for the uncommunicative router. In the same situation, Pathping ends its enquiries at the router that has ICMP disabled.

Smurf attack

The main reason that some equipment owners turn the ICMP capabilities of their devices off is that the system can be used by hackers as a conduit for attacks. The Smurf attack is one such case.

The Smurf attack uses a reflector strategy. It doesn’t attack the target directly, but invokes other computers and routers to send messages to the victim. The attacker works out the broadcast address used on the network of the victim and then sends out an ICMP echo request (Ping). Each device on the network will send an echo reply back to the router that hosts that broadcast IP address.

This attack only works on large networks. It effectively provokes a Distributed Denial of Service (DDoS) attack from within the network, whereas most attacks are launched through remote computers over the internet. The attack type can be prevented by turning off ICMP capabilities on the gateway router or by filtering out the acceptance of requests carrying the network’s broadcast IP address information on packets coming into the network from a remote location.

Ping flood

A Ping flood is a DDoS strategy that overwhelms a target computer with ICMP echo requests. Some implementations of Ping work better than others. For example, the attack is more effective if the Ping command is launched with the “flood” option. However, this option is not available with all versions of Ping – it is not a valid option on the version that is embedded into Windows, for example. The fact that the flood option is not universal presents problems for hackers that want to direct remote computers infected with a botnet controlling program to send out the Ping requests. As the flood option is rare, it is probable that most of the devices in the botnet will be unable to launch the attack.

This attack strategy would have more success if the hacker ensured that all of the infected computers used an attempt to launch the attack had the flood option available in their Ping implementations. One way to ensure that would be to test computers before any attack and categorize a group that has the right form of Ping, or to install a flood-enabled Ping on all computers that are infected by the botnet virus.

The simplest defense against a Ping flood is to turn off ICMP capabilities on the router. If you are running a web server, then a web application firewall should protect you from Ping floods.

Ping of Death

The Ping of Death involves sending over-long ping request packets. The request will have a large amount of filler on the end of it in the payload. As the datagram is too long for transmission, the Internet Protocol processor will break up the string into chunks that are the size of the sender’s Maximum Transmission Unit (MTU). The receiver will notice that this is an extra long packet that has been broken up and try to reassemble the original, long packet before sending it on to its destination application. If the length of the packet is more bytes than the size of available memory in the receiving computer, the attempt to reassemble the packet will jam the computer.

Ping of Death is now a well-known attack type and so stateful firewalls and intrusion detection systems can spot it and block it. As with any hacker trick that becomes known, its effectiveness is no longer threatening. So, hackers have largely dropped the Ping of Death strategy in favor of the Ping flood.

ICMP tunnel

Routers only look at the headers of an ICMP packet, including the TCP/UDP header that might be behind the ICMP data. So a normal packet with lots of data in it would be passed through just as long as it had an ICMP section in it. This is potentially a backdoor for visitors to get around the authentication and charging procedures of public networks. This is called an ICMP tunnel or Ping tunnel.

It isn’t possible to tunnel through gateways and firewalls just with the standard network Ping utility that most people have on their computers. An ICMP tunnel would have to be programmed. This is also a possible route into a network for a hacker. Unfortunately, for network administrators, there are a number of free ICMP tunnel packages available for download from the internet.

As with the previous two types of ICMP attacks, Ping tunnels can be blocked by web application firewalls, intrusion detection systems, or by simply blocking all ICMP activity at the network gateway.

Twinge attack

Twinge is a hacker attack program. It launches an ICMP flood to overwhelm a target computer. Although all of the Ping requests that the target receives seem to have come from many different sources, they are all actually from the same source, each with a fake source IP address in the header. Twinge is possibly just a renamed Ping utility with the “flood” option implemented. It would make a very useful tool for botnet owners to load up onto their zombie computers in order to launch Ping flood attacks.

Essentially, a Twinge flood is the same as a Ping flood and the solutions to protect a network from it are the same as for the main category of DDoS attack via ICMP: turn off ICMP, install a web application firewall or a stateful firewall, or install an intrusion detection system.

Path MTU discovery

The Maximum Transmission Unit (MTU) is a setting on network-compliant devices that dictates the longest length of IP packets that the device should process. It is expressed in octets, which is an eight-bit byte. The original MTU recommendation for the Internet Protocol was 576 octets. However, the Ethernet standard recommends 1,500 octets and this has become the standard for all network and internet devices.

It is possible to adjust the MTU settings on any router. So, if your packets pass through a router with a lower MTU, each will be split into two IP packets. This slows down the delivery of your transfers because the original packet has to be reassembled by the receiver before it can progress to Transport Layer processing and then get passed on to the destination application.

It is also possible to specify in the IP header that splitting, which is called “fragmentation” should not be performed on the packet. In this case, a router with an MTU that is smaller than the packet length will drop the packet and then report back with an ICMP error notification. This error message would be of ICMP type 3 (destination unreachable) subtype 4 (fragmentation required but “don’t fragment” flag is set).

A Path MTU discovery attempt gets around the problem of fragmented or dropped packets. If you can find out the lowest MTU on the path that your transmission will take, you just need to set your own MTU down to that size.

The discovery mechanism is implemented by the failure procedures outlined above. An IP packet goes out to an intended destination with the payload padded to reach the sender’s MTU size and the “don’t fragment” flag set. If that gets through, you shouldn’t have any problems with your connections to the destination host that you sent the test packet to. If the transmission provokes an ICMP error, then you would just try the test repeatedly, reducing the packet length each time. With this, you will eventually send a packet that gets through and the length of that packet will tell you the lowest MTU on the path to your destination.

Ping has an option to set the “don’t fragment” flag. However, this will only be effective if the Ping packet is longer than the MTUs of the routers in its path. Ping doesn’t pad to your MTU size, so it is doubtful that a short Ping packet would ever get dropped.

The Linux-based IPutils package contains tracepath, which will perform path MTU discovery for you. On Windows computers, you could check out the free mturoute utility.

ICMP world

The ICMP system is a very simple mechanism for reporting on transmission failure. However, it is also one of the most powerful set of tools available to network administrators. The good news is that ICMP is free and automatically available on any network-connected device. The bad news is that ICMP can be used by hackers to form attacks or even sneak connections through firewalls.

The fact that ICMP can be used maliciously encourages a lot of risk-averse network administrators to turn the messaging system off. This is a shame because it disables a lot of the very useful utilities that are described in this guide.

If you run a network, and especially if you own a router that passes internet traffic, consider using stateful firewalls and intrusion detection systems to block ICMP misuse instead of turning the messaging protocol off completely. Investigate the settings and firmware features of your router to see whether it has ICMP abuse resolution procedures that will allow you to continue operating ICMP on the device.

Do you use ICMP methods to check on your connections? Do you have an ICMP-based GUI utility that you use regularly and can recommend to others? Have you turned off ICMP on your router to protect your network? Leave a message in the Comments section below and share your experiences.

What is an ICMP timestamp?

An ICMP timestamp is a specific message format rather than a field in an ICMP packet header. The timestamp message is responded to with a timestamp reply. The initial message in a timestamp exchange is just called a “Timestamp” – it is not called a “timestamp request.” Both the timestamp and the Timestamp Reply use the same message format.

The important fields in a timestamp message are:

  • Type
  • Originate Timestamp
  • Receive Timestamp
  • Transmit Timestamp

The requesting device fills in Type with 13 and enters a time in the Originate Timestamp field. The responding device enters 14 in the Type field, copies over the Originate Timestamp value from the request message, and fills in the Receive Timestamp and Transmit Timestamp fields. The Receive Timestamp value is the time the request was received and the Transmit Timestamp value is the time the Timestamp response message was prepared/sent.

All time values in Timestamp and Timestamp Reply messages express the number of milliseconds since midnight. There is no date element in the number.

Internet Control Message Protocol (ICMP) FAQs

What are the signs of an ICMP Flood Attack?

An ICMP flood attack is also known as a Ping attack. An overwhelming number of Ping requests are sent to a target address. The network interface is programmed to automatically respond to Ping requests and so attempts to reply to all of them. The task eventually overwhelms the processor of the host, which becomes unable to dedicate processing power to any other task.

There are three types of ICMP flood attack:

  • Targeted local disclosed – Targets an endpoint on the same network
  • Router disclosed – Targets a router
  • Blind Ping – Includes a preparatory phase to discover a target’s IP address

When are ICMP redirects sent?

An ICMP redirect is sent by a router to a host to give information that an alternative router will provide a better path to the desired destination. The message type for a redirect is 5.

What is the difference between ICMP and ICMPv6?

ICMP refers to the Internet Control Message Protocol. It is closely tied to the Internet Protocol (IP). There are two versions of the Internet Protocol currently active; the main difference between them is the format of IP address that they specify. These versions are IPv4 and IPv6. ICMP has an appropriate version that coordinates with the IP versions. So, there are ICMPv4 and ICMPv6.