Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content

What is the ICMP (Internet Control Message Protocol)?

The ICMP (Internet Control Message Protocol) is a protocol used by devices to diagnose network communication problems. Network administrators commonly use it to determine whether networks work properly, but it can also be abused by hackers to launch DDoS attacks.

What is the ICMP (Internet Control Message Protocol)?

Table of Contents

Table of Contents

What is the ICMP?

Internet Control Message Protocol definition

The Internet Control Message Protocol is a network layer protocol used by network devices, including (but not limited to) routers. It allows devices to communicate network errors and is commonly used in network diagnostics to troubleshoot and report various problems.

A typical ICMP message is a piece of data that consists of two main parts: the ICMP header and the ICMP data. The ICMP number is 1, which means that ICMP packets are identified by the number 1 in the ICMP header section.

The header also contains important information (parameters), such as message types. For example, ICMP Type 0 is used for echo replies, while Type 3 is for unreachable destinations.

In the OSI model, the ICMP occupies Layer 3, which is the network layer. This layer is responsible for routing and forwarding data packets.


The Internet Control Message Protocol differs from other protocols:

  • Unlike the TCP or UDP, ICMP doesn’t require an established connection to send messages. Other protocols might need to form a connection to check if both devices are ready to communicate.
  • ICMP ports are not a thing. This protocol doesn’t use them, and no ports are associated with ICMP.

What is the function of the Internet Control Message Protocol (ICMP)?

The Internet Control Message Protocol is widely used in network diagnostics and cybersecurity. Its primary function is to report network problems. If a device sends a data packet, which is then received by a router but rejected for some reason (such as the packet being too large or otherwise faulty), the router sends back an ICMP message reporting the error.

The ICMP helps determine the status of the network and check whether devices can exchange data in a correct, timely manner. Two popular ways to do this are the traceroute utility and the ping command. You can test them and see how they work using your computer’s command prompt.

Both the traceroute and ping commands send ICMP packets to a specific destination and tell the user whether and how quickly the packets reached their destination.

  1. The traceroute tool is a bit more detailed. It returns information about the data’s travel path, i.e., all the connected routers through which ICMP packets had to “pass” to reach their destination, and the time required to transmit data between each of them.
  2. The ping utility is more simplistic. It measures how fast an ICMP packet can travel to a specific destination and trigger a response.

Administrators use both ICMP function types to test networks and find potential causes of errors. If the network doesn’t work properly, these tools are often used first to determine exactly where (at which stage of the data journey) the problem occurs.

However, the ICMP can also be used to launch DDoS attacks. Read on to learn more about how hackers abuse this protocol.

How does the ICMP work?

Unlike some other protocols, ICMP doesn’t require an established connection for a device to send a message. This is why it’s called a “connectionless protocol.” Some other protocols, such as TCP, require multi-step “handshakes” to establish a connection before they can communicate.

We’ll take a look at what ICMP in networking may look like, using the ping command as an example:

  1. When a ping command is sent, the device sends an ICMP echo request to the target.
  2. If the target receives it, an ICMP echo reply message is sent back.
  3. The ping tool measures and reports the time it takes to receive this response.
  4. If, for some reason, the target had to discard the ICMP echo request packets, it would send back a message reporting the problem.

How is the ICMP used in DDoS attacks?

The Internet Control Message Protocol is one of the most important protocols, but hackers can abuse it to launch DDoS attacks.

A DDoS attack is a type of attack in which a hacker floods their target with tons of data. Such heavy traffic often overloads networks and machines, causing them to slow down or crash, rendering them useless.

ICMP flood attack

An ICMP flood attack (ping flood attack) uses the ping function of the ICMP. In this attack, the attacker floods their target with a massive number of ICMP echo requests.

The Internet Control Message Protocol requires the target machine to respond to each request by sending echo reply messages. Each response takes up a tiny portion of the computer’s resources and network bandwidth. If there are thousands or millions of echo requests, the target device can become overloaded and crash.

Hackers carrying out ICMP flood attacks often use botnets – networks of computers previously infected with malware to perform actions without the users’ knowledge.

Ping of death

The ping of death is an obsolete attack that also used the ping tool but in a more “sophisticated” way than the ICMP flood. In this case, the attacker would send manipulated fragmented ICMP packets that were small but became much larger when reassembled by the target machine.

Each IPv4 packet must be 65,535 bytes or smaller. This also applies to ping messages. However, hackers can “cut” their malicious packets to exceed the size limit when reassembled by the target machine. If this happens, the device – which is not designed to handle data packets larger than 65,535 bytes – will crash.

Smurf attack

A smurf attack is similar to an ICMP flood attack, but in this case, the attacker uses a spoofed IP address. Here’s how it works:

  1. The hacker obtains the IP address of their victim and uses it to send tons of echo requests to a large computer network.
  2. The devices that receive them send their echo responses, but because the first ICMP message had a forged header with a stolen IP address, the responses are sent to the victim.
  3. If there are many requests, the victim gets flooded with malicious traffic.

Are there any benefits of the ICMP?

Even with the possible misuse, the ICMP is still crucial for the entire internet. Its functionalities serve as diagnostic tools for cybersecurity experts and network administrators, enabling network diagnostics and troubleshooting. Many network monitoring solutions use the ICMP protocol.


Is the ICMP the same as a ping?

The ICMP is a network layer protocol, and the ping command is one of its functions. The ping tool allows users to quickly check whether their data packets are reaching their destination and how long they take to receive a response.

How does the ICMP ping work?

The ping command sends an ICMP echo request to the target device. If the device receives it, it sends back an ICMP echo reply. The ping utility measures the time between sending the request and receiving the response.

What is the difference between ICMP and TCP?

The ICMP does not require an established connection to send messages, while TCP must perform a “handshake” before allowing communication between devices. The ICMP also doesn’t allow targeting specific ports.