ICMP (Internet Control Message Protocol)

ICMP (Internet Control Message Protocol)

When you network devices together, they need ways to communicate, and that communication is managed through the application of protocols.

There are plenty of protocols in the world, the most common including TCP and UDP, but those alone can’t cover every basis. It’s important to understand all of the essential protocols, and one that is easily overlooked is ICMP.

Internet Control Message Protocol Basics

Internet control message protocol (ICMP) is a messaging protocol that operates in the network layer. Primarily, it exists to enable diagnostic communication between devices in a network. Using ICMP, devices can determine whether or not a packet successfully reaches a destination within the expected time frame.

Because of this, routers most commonly use ICMP, as it helps with real-time communication diagnostics and efficient routing.

How It Works

The value of ICMP becomes apparent when you see how it functions. Most notably, ICMP is not built on top of TCP or UDP. In other words, ICMP does not establish connections in order to send or receive messages. There is no handshake involved. On top of that, ICMP cannot target a specific port on a networking device.

Because connections are not established, ICMP packets can be sent to a destination without a request. The connectionless aspect of ICMP is what makes it ideal for diagnostic communication.

DDoS

At the same time, ICMP introduces a specific type of risk into a network. Devices that utilize ICMP can suffer from a distributed denial of service attack. This is a specific network attack that exploits the connectionless communication of ICMP.

For the most part, DDoS attacks work in one of two ways. The first is by sending a packet that is just too large for the receiving device to handle. While the router (or other device) tries to deal with the large packet, the network slows or even stops due to the bottleneck.

Fortunately, modern devices already account for this type of DDoS attack, and it isn’t much of a problem.

The other style of DDoS attack sends very large numbers of messages (instead of one large message) to flood a device and bog it down. This type of attack still works on modern devices, and you can see how ICMP is integral to such an attack. The receiving device cannot deny a connection to prevent the attack, as ICMP doesn’t establish connections in the first place.

That said, there are ways to protect against this type of attack too, and they will be discussed a little later.

ICMP in Action

Now that you know a little more about ICMP, why it’s valuable, and the risks associated with this protocol, we can look a little more closely at how it functions in the real world. Why is it so valuable even with this specific risk? How do you deal with risks while taking advantage of the benefits of ICMP?

We can answer that with two ideas: error reporting, and DDoS mitigation.

Error Reporting

Even with the risk of DDoS attacks, ICMP is essential for modern networking and routing. The devices need to know when connections have problems, and ICMP reporting is instrumental in that process.

After all, you need a way to test communication with devices that have not established a direct connection, and ICMP is the protocol that makes such tests possible.

Additionally, the information in ICMP report packets is efficient and useful.

Typically, the packet includes a copy of the IP header along with relevant data for the specific test or error involved.

DDoS Protection

The IP header is an important note here, as it’s essential in one type of protection against DDoS attacks. Even though ICMP enables devices to send messages without establishing a connection, the receiving device still gets an IP address attached to that message.

Because of this, software can introduce delays for repeat messages from the same IP address. Even a small delay of less than five seconds is enough to prevent a single device from pinging a network enough to cause problems.

There is still a risk of a DDoS attack that sends messages from large numbers of IP addresses, but other delay protocols can mitigate that risk as well.

Overall, the DDoS risk associated with ICMP is not enough to deter engineers from including it in networking designs, and modern protections are quite capable of preventing the vast majority of DDoS attacks from succeeding.

Additional Learning Center Resources