For the ICMP protocol, you may want to know the following:
With these questions in hand, let's answer them one by one.

1. What is ICMP

ICMP stands for Internet Control Message Protocol. The "control" in the name means perceiving and controlling the network environment by issuing messages, so ICMP has to work alongside a protocol that cannot perceive the network environment by itself. That protocol is IP (both IPv4 and IPv6). ICMP is therefore usually regarded as part of the IP protocol: it is encapsulated in IP datagrams and carried by IP. Strictly speaking, then, ICMP is neither a network-layer protocol nor a transport-layer protocol, but sits between the two. Its main job is to carry network diagnostic information, which falls into two categories:
2. Why do we need ICMP?

We all know that IP is an unreliable protocol. If something goes wrong while an IP packet is in transit, such as a checksum mismatch, congestion or a timeout, the packet is simply discarded and no attempt is made to correct the error. This follows from a design principle of IP: best effort. The advantage is that IP can stay as simple as possible and concentrate on transmitting data efficiently, leaving quality control to higher-layer protocols such as TCP. However, only a few upper-layer protocols provide quality control, so a lower-layer protocol is needed to help IP with the necessary network quality management. ICMP was the natural proposal. Without it, when an IP packet fails, the host or router that sent the packet never learns that something went wrong at the lower layer; with it, the lower-layer host or router can report the error back by sending ICMP packets, and the sender can adjust accordingly. Note, however, that ICMP can only report certain kinds of errors; it cannot turn IP into a reliable protocol. What it can do is limited, but it is sufficient for basic network quality management.

3. What does the ICMP message format look like?

As shown in the figure below, ICMP messages are encapsulated in IP datagrams for transmission. The Protocol field in the IP header is 1, which indicates that the datagram carries an ICMP message. (The IP header is simplified here for illustration.) Looking further in, the ICMP header itself is 4 bytes long.
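The encapsulation described above, as an added example that is not code from the original article: it builds an ICMP echo request with the standard one's-complement checksum (type 8, code 0, 16-bit checksum, then identifier, sequence and payload), parses it back and verifies the checksum, derives the echo reply a target would send, and wraps the message in a minimal IPv4 header whose Protocol field is 1. The addresses and payload are constructed; the checksum routine follows RFC 1071, which is the same algorithm IPv4 uses for its own header.

```python
import socket
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by both IPv4 and ICMP: the 16-bit one's complement
    of the one's complement sum of all 16-bit words, checksum field taken as 0."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, identifier, sequence, payload=b""):
    """ICMP header: type (1 byte), code (1 byte), checksum (2 bytes). For echo
    messages the next 4 bytes hold identifier and sequence, then the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, identifier, sequence)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, identifier, sequence) + payload


def parse_icmp(message):
    """Split an ICMP message into its 4-byte header and the type-dependent rest.
    A checksum over the whole message, stored checksum included, is 0 exactly
    when the message arrived intact."""
    if len(message) < 4:
        raise ValueError("ICMP message shorter than its 4-byte header")
    icmp_type, code, stored = struct.unpack("!BBH", message[:4])
    return {"type": icmp_type, "code": code, "checksum": stored,
            "checksum_ok": inet_checksum(message) == 0, "data": message[4:]}


def echo_reply_for(request):
    """What the target does for a ping: same identifier, sequence and payload,
    type changed from 8 to 0 and the checksum recomputed. A damaged or
    non-request message gets no reply."""
    parsed = parse_icmp(request)
    if parsed["type"] != ICMP_ECHO_REQUEST or not parsed["checksum_ok"]:
        return None
    identifier, sequence = struct.unpack("!HH", parsed["data"][:4])
    return build_echo(ICMP_ECHO_REPLY, identifier, sequence, parsed["data"][4:])


def build_ipv4(src, dst, icmp_message, ttl=64, df=False):
    """Minimal 20-byte IPv4 header (no options) around an ICMP message; the
    protocol field is 1, DF is bit 14 of the flags/fragment-offset word."""
    flags = 0x4000 if df else 0
    fields = [0x45, 0, 20 + len(icmp_message), 0, flags, ttl, IPPROTO_ICMP, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp_message


def parse_ipv4(datagram):
    """Pull out the header fields the ICMP discussion cares about."""
    ihl = (datagram[0] & 0x0F) * 4  # header length in bytes
    header = datagram[:ihl]
    return {"ttl": header[8], "protocol": header[9],
            "df": bool(header[6] & 0x40),
            "src": socket.inet_ntoa(header[12:16]),
            "dst": socket.inet_ntoa(header[16:20]),
            "header_ok": inet_checksum(header) == 0,
            "payload": datagram[ihl:]}


if __name__ == "__main__":
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"hello")  # constructed
    datagram = build_ipv4("192.0.2.1", "192.0.2.2", request, df=True)
    print(parse_ipv4(datagram)["protocol"], parse_icmp(request))
    print(parse_icmp(echo_reply_for(request)))
```

The sender keeps the identifier and sequence it chose so that incoming replies can be matched to requests, and a message whose checksum does not verify is discarded rather than acted on, which is the same check a receiving IP stack performs before handling any ICMP message.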
The ICMP data part that follows has different contents depending on the type and code fields in the header.

4. What are the types of ICMP messages?

ICMP supports many message types; see the following table for details. The type field identifies a broad category, and the code field subdivides it further. Since that alone may not be clear enough, the types are listed in two tables below. There are too many types, and some are very rare, so only the common ones are listed.

The first table: type table

Note: R indicates a query message and E indicates an error message.

For each type, several subtypes can be distinguished according to the code field; see the second table.

The second table: type breakdown table

Through these two tables the meaning of each type of ICMP packet should be clear. A few of them are not easy to understand, so they are explained in detail here:

(1) Source quench

This is an error message. If a source host sends packets to a destination host faster than the destination can process them, the destination sends this type of ICMP packet to the source host to ask it to slow down.

(2) Redirect

This is an error message. A source host sends an IP packet into the network; a router on the path receives it, checks its routing table and finds that it should not have received the packet (the packet would have to go back the way it came, or the route is not the best one). It then sends this type of ICMP packet to the source host, telling it to modify its routing table and route through a better router next time.

(3) Fragmentation needed but the don't-fragment bit is set

This is an error message.
If a source host sets the DF bit in the IP header to 1 before sending a packet ("don't fragment = 1"), the packet must not be fragmented in transit. If a router along the way has a path MTU smaller than the packet, the packet would have to be fragmented to be forwarded; because the don't-fragment bit is set, the router instead discards the packet and sends the source host an ICMP packet carrying the MTU value, telling it that the next packet must not exceed that MTU. This type of ICMP packet is commonly used to discover the MTU of a transmission path.

(4) TTL timeout

This is an error message. The time to live defines the maximum time a packet may survive in the network. The TTL field in IPv4 and the Hop Limit field in IPv6 both carry this meaning: they are integer values decremented by each router the packet passes through, and when the value reaches 0 the IP packet is considered to have timed out. The router that decremented it to 0 sends an ICMP packet to the source host to report the timeout error.

5. Which commands make use of ICMP?

Users can take advantage of these ICMP packet types to diagnose network faults, and several network diagnostic tools based on ICMP were born as a result. The best known are ping and traceroute, which use two kinds of ICMP messages:
(1) ping

Ping uses the echo request (type 8) and echo reply (type 0) query messages, mainly to test whether a network node is reachable. If it is not, the specific problem is reported in a reply carrying the relevant error information, such as network unreachable or host unreachable, and the user can work out from that information which link has the problem. The following figure shows the complete journey of a ping packet: through the encapsulation and decapsulation at each layer of the protocol stack, a ping packet travels from one host to another as a request packet followed by a reply packet. If the target MAC address is unknown, an ARP request has to be sent first before the packet can be encapsulated. For more examples of using the ping command, please refer to this article: 10 commonly overlooked uses and troubleshooting tips for ping.

(2) traceroute

traceroute is a tool that comes with Linux-like systems; the similar tool on Windows is tracert. The two differ slightly: tracert uses ICMP probes by default, while traceroute uses UDP by default but can also probe with TCP or ICMP. Traceroute uses ICMP error messages to determine the following:
Determining the routers on the path between the two communicating parties. This uses the timeout ICMP message described above. When traceroute sends an IP packet to the destination, it first sets the TTL to 1. At the first router, TTL - 1 = 0 causes a timeout error, the first router replies with an ICMP timeout message, and the source host learns the first router on the path. The TTL is then set to 2, 3, 4, ... until the destination is reached, so each router along the way replies with an ICMP timeout message and traceroute collects the information about all of them. Note, however, that not all routers return ICMP messages. For security reasons, most firewalls, and routers with firewall functions enabled, are configured by default not to return any ICMP messages, and administrators also configure this deliberately. Traceroute may therefore not be able to obtain information about every router.

Determining whether the UDP packet reached the destination. The method above yields router information but cannot tell whether the packet actually reached the destination. Traceroute solves this by sending UDP packets. Because the range of port numbers in use for UDP is <3000, a port number >3000 can be used when sending the UDP packet; if the packet does reach the destination, the port mismatch causes a port unreachable ICMP message to be returned, and the source host can conclude that the packet did reach the destination.

Discovering the path MTU. This was mentioned above under the "fragmentation needed but the don't-fragment bit is set" message. Traceroute uses this type of message to confirm the MTU between each pair of routers on the transmission path, one hop at a time.
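The three uses of ICMP error messages listed above, worked through in one added example (not code from the original article, and not the real traceroute program): a constructed topology of router and host objects, a UDP probe whose TTL is raised one hop at a time, time exceeded (type 11) and port unreachable (type 3, code 3) replies that quote the offending datagram so the sender can match them to its probe, a firewalled router that answers nothing (reported as None, where traceroute prints *), and a next-hop MTU reported in a fragmentation-needed message (type 3, code 4, MTU in the second header word as defined in RFC 1191) that the prober uses to shrink its packet and retry the hop. Checksums are left at zero because the example models the logic rather than wire-valid packets; the default port 33434 is the base port real traceroute starts from, and all addresses are constructed.

```python
import socket
import struct

# ICMP types and codes used by traceroute (values from RFC 792 / RFC 1191)
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
CODE_PORT_UNREACH = 3
CODE_FRAG_NEEDED = 4
IPPROTO_UDP = 17
IP_UDP_HEADERS = 28  # 20-byte IPv4 header + 8-byte UDP header


def build_probe(src, dst, ttl, dport, payload_len, df=True):
    """IPv4 + UDP probe. Checksums are left zero: this models probe/reply logic only."""
    udp = struct.pack("!HHHH", 33434, dport, 8 + payload_len, 0) + b"\x00" * payload_len
    flags = 0x4000 if df else 0  # DF is bit 14 of the flags/fragment-offset word
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, flags, ttl,
                     IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def icmp_error(icmp_type, code, offending, next_hop_mtu=0):
    """ICMP error: 4-byte header, a 4-byte second word (next-hop MTU in its low
    16 bits for type 3/code 4, otherwise unused), then the offending datagram's
    IP header plus the first 8 bytes of its payload (here, the UDP header)."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, next_hop_mtu) + offending[:IP_UDP_HEADERS]


def parse_icmp_error(msg):
    """Decode an ICMP error and the quoted original datagram, which is what lets
    the sender match the reply to the probe (destination and UDP port)."""
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    inner = msg[8:]
    _sport, dport = struct.unpack("!HH", inner[20:24])
    return {"type": icmp_type, "code": code, "next_hop_mtu": mtu,
            "orig_dst": socket.inet_ntoa(inner[16:20]), "orig_dport": dport}


class Router:
    def __init__(self, address, mtu=1500, silent=False):
        self.address, self.mtu, self.silent = address, mtu, silent

    def forward(self, dg):
        """Return (datagram to forward, ICMP reply). A silent (firewalled) router
        drops the probe and returns neither."""
        ttl = dg[8] - 1
        if ttl == 0:
            return None, None if self.silent else icmp_error(ICMP_TIME_EXCEEDED, 0, dg)
        if len(dg) > self.mtu and dg[6] & 0x40:  # too big for the next link and DF set
            return None, None if self.silent else icmp_error(
                ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, dg, self.mtu)
        return dg[:8] + bytes([ttl]) + dg[9:], None


class Host:
    def __init__(self, address, listening=()):
        self.address, self.listening = address, set(listening)

    def receive(self, dg):
        """A UDP datagram to a closed port is answered with port unreachable."""
        _sport, dport = struct.unpack("!HH", dg[20:24])
        if dport in self.listening:
            return None  # delivered to an application; the prober hears nothing
        return icmp_error(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, dg)


def send_probe(probe, path, dest):
    """Walk the constructed topology; return (responder, icmp_type, code, mtu)."""
    dg = probe
    for router in path:
        dg, reply = router.forward(dg)
        if reply is not None:
            info = parse_icmp_error(reply)
            return router.address, info["type"], info["code"], info["next_hop_mtu"]
        if dg is None:
            return None, None, None, 0  # dropped silently: traceroute prints "*"
    reply = dest.receive(dg)
    if reply is None:
        return None, None, None, 0
    info = parse_icmp_error(reply)
    return dest.address, info["type"], info["code"], 0


def traceroute(src, path, dest, dport=33434, payload_len=32, max_hops=30):
    """Raise the TTL one hop at a time; stop when the destination answers with
    port unreachable; when a hop reports its MTU, shrink the probe and retry."""
    hops = []
    for ttl in range(1, max_hops + 1):
        while True:
            result = send_probe(build_probe(src, dest.address, ttl, dport, payload_len), path, dest)
            hops.append((ttl,) + result)
            responder, icmp_type, code, mtu = result
            if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
                smaller = mtu - IP_UDP_HEADERS
                if 0 <= smaller < payload_len:
                    payload_len = smaller
                    continue
            break
        if responder == dest.address:
            break
    return hops


if __name__ == "__main__":
    path = [Router("10.0.0.1"), Router("10.0.1.1", silent=True), Router("10.0.2.1", mtu=576)]
    for hop in traceroute("192.0.2.1", path, Host("198.51.100.7"), payload_len=1000):
        print(hop)
```

Each hop record is (ttl, responder, icmp_type, code, next_hop_mtu). The silent router shows up as a None responder while the probe still passes through it on the next TTL, which is exactly why a row of asterisks in traceroute output does not by itself mean the path is broken.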
For examples of using the traceroute command, please refer to this article: To troubleshoot network problems, be sure to master this tool.

(3) MTR

MTR stands for my traceroute. It is actually a better network troubleshooting tool than the two above, but it is less well known because fewer people use it. What makes it good is that it combines the features of ping, nslookup and traceroute. For a detailed look at installing and using MTR, please refer to this article: This network troubleshooting tool is a magical tool!

(4) tcptraceroute

As the name suggests, this tool is traceroute over TCP: it probes with TCP packets (specifically TCP SYN packets) instead of ICMP packets. We already know from the above that traceroute -T probes with TCP packets, so tcptraceroute is effectively equivalent to traceroute -T. TCP probes are used mainly because the firewalls in wide use today intercept UDP and ICMP packets for security reasons but usually do not intercept TCP SYN packets, so TCP probes pass through most network devices and give more accurate results.

6. What are the ICMP kernel parameters?

The following figure summarizes the commonly used ones, among which net.ipv4.icmp_echo_ignore_all is the parameter for disabling ping. There are several ways to disable ping; you can refer to this article: How to disable and enable ping in Linux. If you are interested in the other parameters, take a look at the figure as well, and consult it whenever something is unclear.

7. ICMP issues

ICMP is an assistant to IP that provides fault diagnosis and control information for it. However, ICMP still cannot make IP reliable. The most common kind of packet loss, a router buffer overflow, triggers no ICMP message at all and can only be handled by other protocols such as TCP.
In addition, because ICMP can query configuration information about network devices and is easy to use, attackers like to construct attack traffic out of ICMP messages. Many network devices therefore use firewalls to block ICMP, which makes diagnostic tools such as the ones introduced above hard to use. A common ICMP attack is the ICMP flood, a type of DDoS attack. Put simply, the attacker sends many ICMP echo packets to the broadcast address of a subnet with the source address spoofed to the IP address of the host he wants to attack. The ICMP replies from every host in the subnet are then sent to the attacked host, which instantly receives a huge number of ICMP replies and spends a lot of resources on them; if it cannot keep up, it becomes paralyzed or unable to provide normal service. The simplest defence against ICMP floods is to disable ping. As long as ping is disabled, no matter how many compromised machines the attacker has, he is helpless.
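Detection logic for the flood described above, as an added example that is not part of the original article: a constructed set of flow records (time, source, destination, ICMP type) containing one normal ping exchange and a burst of 150 echo replies from 150 different hosts to a single address, and two checks a defender can run over such records: a per-destination reply-rate check with a distinct-source requirement, and a check for echo replies the destination never asked for, which is the tell-tale sign of a spoofed-source flood from the victim's point of view. The thresholds and window sizes are illustrative assumptions.

```python
from collections import defaultdict, deque

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def constructed_sample():
    """Constructed flow records: (time_s, src, dst, icmp_type). One normal ping
    exchange, then 150 echo replies from 150 different hosts to one address in
    under a second: what a spoofed-source flood looks like to the victim."""
    records = [(0.00, "192.0.2.10", "198.51.100.1", ICMP_ECHO_REQUEST),
               (0.02, "198.51.100.1", "192.0.2.10", ICMP_ECHO_REPLY)]
    for i in range(150):
        records.append((5.0 + i * 0.005, "10.0.0.%d" % (i + 1), "203.0.113.5", ICMP_ECHO_REPLY))
    return records


def reply_floods(records, window=1.0, threshold=100, min_sources=10):
    """Destinations that receive more than `threshold` echo replies from at
    least `min_sources` distinct sources inside some window of `window` seconds.
    Returns {dst: (reply_count, distinct_sources)} for the busiest window."""
    per_dst = defaultdict(list)
    for t, src, dst, icmp_type in sorted(records):
        if icmp_type == ICMP_ECHO_REPLY:
            per_dst[dst].append((t, src))
    flagged = {}
    for dst, events in per_dst.items():
        start, best = 0, (0, 0)
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            in_window = events[start:end + 1]
            if len(in_window) > best[0]:
                best = (len(in_window), len({src for _, src in in_window}))
        if best[0] > threshold and best[1] >= min_sources:
            flagged[dst] = best
    return flagged


def unsolicited_replies(records, window=2.0):
    """Echo replies whose destination sent no echo request to the replying host
    in the preceding `window` seconds. A host whose address was spoofed never
    sent the requests, so every reply it receives is unsolicited."""
    recent_requests = defaultdict(deque)  # (requester, target) -> request times
    unsolicited = []
    for t, src, dst, icmp_type in sorted(records):
        if icmp_type == ICMP_ECHO_REQUEST:
            recent_requests[(src, dst)].append(t)
        elif icmp_type == ICMP_ECHO_REPLY:
            times = recent_requests[(dst, src)]
            while times and t - times[0] > window:  # forget stale requests
                times.popleft()
            if not times:
                unsolicited.append((t, src, dst))
    return unsolicited


if __name__ == "__main__":
    sample = constructed_sample()
    print("reply floods:", reply_floods(sample))
    print("unsolicited replies:", len(unsolicited_replies(sample)))
```

The unsolicited-reply check pairs only (requester, target) addresses, not identifier and sequence numbers, which is enough here but would be refined in a real sensor. On the amplifying side, a host that does not answer echo requests sent to a broadcast address cannot be recruited into such a flood at all; on Linux that behaviour is controlled by the net.ipv4.icmp_echo_ignore_broadcasts sysctl, which is enabled by default.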