What Is Internet Control Message Protocol (ICMP)?
Internet Control Message Protocol (ICMP) Definition
The Internet Control Message Protocol (ICMP) is a protocol that devices within a network use to communicate problems with data transmission. One of the primary uses of ICMP is to determine whether data is reaching its destination, and whether it is doing so in a timely manner. This makes ICMP an important part of the error reporting process and of testing how well a network is transmitting data. However, it can also be abused to execute distributed denial-of-service (DDoS) attacks.
The manner in which ICMP works in network communication is similar to the communication that happens between a carpenter building a house and a home improvement store. The store sends studs, floorboards, roofing materials, insulation, and more, assuming that each component arrives and in the right order.
For instance, when the carpenter begins to construct a wall, he makes a request for 28 2x4s, 10 pounds of nails, and a door. He needs to get the nails first, the 2x4s second, and the door last. The home improvement store sends them in that order, but the door arrives first. This will not work because you cannot hang a door without having a wall up first. So the carpenter asks the store to resend the nails and the 2x4s, and the store resends them, telling the driver to take a different route.
ICMP works like the communication between the carpenter and the store. It relays messages from the receiver to the sender about the data that was supposed to arrive. If the data either does not reach the receiver or is received in the wrong order, ICMP lets the sender know so the data can be resent. In this way, ICMP is simply a protocol for communicating information about data, but it does not manage the data itself.
Also, it does not have its own level within the Open Systems Interconnection (OSI) model, which outlines the seven layers involved in network transmissions. Understanding ICMP can help you see why it is such a valuable tool, but it is also important to understand how ICMP can be used in DDoS attacks that may threaten an organization.
What is ICMP Used For?
The number one use of ICMP is for reporting errors. Whenever two devices are connected through the internet, ICMP can be used to send error messages from the receiving device back to the sending device if some of the data did not arrive as expected. For example, an extremely large packet of data may be too big for a router to handle. In that case, the router discards the packet and transmits an ICMP message to the sender informing it of the problem.
Another common use of ICMP is as a diagnostic tool to assess a network's performance. Both traceroute and ping use ICMP, and both report whether data was successfully transmitted. When traceroute is used, the report lists the devices that a packet of data passed through on its way to the destination, including the physical routers that handled the data.
The traceroute also tells you how much time it took for the data to go from one device to another. Each time data goes between routers, the trip is referred to as a hop. The information revealed by the traceroute can be used to figure out which devices along the route are causing delays.
A ping is similar to a traceroute but simpler. It reports how long it takes for data to go between two points. Ping relies on ICMP directly: it sends an ICMP echo request and times the ICMP echo reply that comes back.
ICMP can also be abused to degrade network performance. This is done using an ICMP flood, a Smurf attack, or a ping of death attack, each of which overwhelms a device on the network and prevents it from functioning normally.
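To make the echo request and echo reply concrete, here is an added example (not code from the original article) that builds the 8-byte ICMP echo header with its RFC 1071 checksum, verifies a received message, and applies the check ping uses to match a reply to its request; the identifier 0x1234, sequence 1 and payload b"ping" are constructed sample values.

```python
import struct

ICMP_ECHO_REQUEST = 8   # type of the packet ping sends
ICMP_ECHO_REPLY = 0     # type of the packet the target answers with

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """8-byte header (type, code 0, checksum, identifier, sequence) + payload.
    The checksum field is zero while the checksum is computed."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the header; a valid checksum makes the whole message sum to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": csum, "id": ident,
            "seq": seq, "payload": packet[8:],
            "checksum_ok": icmp_checksum(packet) == 0}

def reply_matches(request: bytes, reply: bytes) -> bool:
    """Ping accepts a reply only if it is type 0 with a good checksum and the
    identifier, sequence number and payload echo the request it sent."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["checksum_ok"]
            and (rep["id"], rep["seq"], rep["payload"])
            == (req["id"], req["seq"], req["payload"]))

if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")
    # the target copies id, seq and payload back, changing only the type
    rep = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping")
    print(req.hex(), parse_icmp(req)["checksum_ok"], reply_matches(req, rep))
```

Because the checksum covers the identifier, sequence and payload, a reply whose payload was altered in transit fails the check and ping does not count it.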
How Does ICMP Work?
ICMP differs from Internet Protocol version 6 (IPv6) in that it is not associated with Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). As a result, a device does not need to establish a connection with another device before sending it an ICMP message.
For example, in TCP, the two devices that are communicating first engage in a handshake that takes several steps. After the handshake has been completed, the data can be transferred from the sender to the receiver. This information can be observed using a tool like tcpdump.
ICMP is different. No connection is formed. The message is simply sent. Also, unlike with TCP and UDP, which dictate the ports to which information is sent, there is nothing in the ICMP message that directs it to a certain port on the device that will receive it.
How Is ICMP Used in DDoS Attacks?
In a DDoS attack, ICMP is commonly used in a few different ways: through an ICMP flood attack, a ping of death attack, or a Smurf attack.
In an ICMP flood attack, the attacker tries to send so many pings that the device being targeted cannot handle all the ICMP echo request packets. Because each packet requires processing and a response, this drains the device’s resources, preventing legitimate users from being served by the device.
A ping of death attack involves an attacker sending an extremely large ping to a device that cannot handle pings of that size. The machine may then crash or freeze up. The packet is fragmented as it heads toward the target and reassembled when it arrives; when it is put back together, it overflows a buffer, causing the device to malfunction. Ping of death attacks are more of a danger for older equipment within the network.
In a Smurf attack, the attacker transmits an ICMP packet that has a spoofed or faked IP address. When the equipment on the network replies, each reply is sent to the spoofed IP address, and the target is flooded with a large volume of ICMP packets. This kind of attack is also typically only a problem for older equipment.
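The three attacks above each leave a distinct pattern at the victim, and the following added example (not code from the original article) shows detection logic for all three run over a constructed set of flow records: a per-source sliding-window count of echo requests for the ICMP flood, unsolicited echo replies from many hosts for the Smurf reflection, and a fragment that would reassemble past the 65535-byte IP maximum for the ping of death. The monitored host 192.0.2.10, the record layout and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque

HOST = "192.0.2.10"  # the monitored host, as seen by a sensor in front of it

# Constructed sample records, not captured traffic:
# (time_s, src, dst, icmp_type, ip_frag_offset_bytes, fragment_len_bytes).
SAMPLE = (
    # 30 echo requests from one source inside 0.3 s: ICMP flood
    [(i * 0.01, "203.0.113.9", HOST, 8, 0, 64) for i in range(30)]
    # normal diagnostic: HOST pings a peer and the peer answers
    + [(1.00, HOST, "198.51.100.7", 8, 0, 64),
       (1.02, "198.51.100.7", HOST, 0, 0, 64)]
    # echo replies from ten hosts HOST never pinged: Smurf reflection
    + [(2.0 + i * 0.001, "198.51.100.%d" % (20 + i), HOST, 0, 0, 64)
       for i in range(10)]
    # a later fragment (no ICMP header, so type None) ending past 65535 bytes
    + [(3.0, "203.0.113.44", HOST, None, 65528, 1480)]
)

def detect_icmp_flood(recs, window=1.0, threshold=20):
    """Sources that sent more than `threshold` echo requests (type 8) to HOST
    within any sliding `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for t, src, dst, typ, _, _ in sorted(recs, key=lambda r: r[0]):
        if typ != 8 or dst != HOST:
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:  # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged

def detect_smurf(recs, min_sources=5):
    """Echo replies (type 0) from hosts HOST never sent a request to; a burst
    of them from many hosts is the reflected traffic of a Smurf attack."""
    requested = {dst for _, src, dst, typ, _, _ in recs if src == HOST and typ == 8}
    unsolicited = {src for _, src, dst, typ, _, _ in recs
                   if dst == HOST and typ == 0 and src not in requested}
    return unsolicited if len(unsolicited) >= min_sources else set()

def detect_ping_of_death(recs, max_ip_len=65535):
    """Fragments whose offset plus length would reassemble past the IP limit."""
    return {src for _, src, _, _, off, ln in recs if off + ln > max_ip_len}

if __name__ == "__main__":
    print(detect_icmp_flood(SAMPLE), detect_smurf(SAMPLE), detect_ping_of_death(SAMPLE))
```

The legitimate reply from 198.51.100.7 is not flagged because HOST's own echo request to it was recorded first, which is the distinction a rate limit on raw ICMP volume alone cannot make.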