Introduction
Most people know ICMP as the protocol behind ping. Send an echo request, get an echo reply, measure the round-trip time. That is useful, but it only scratches the surface. ICMP is a diagnostic and error-reporting protocol that routers and hosts rely on constantly to communicate problems back to senders. Understanding it thoroughly changes how you read network traffic and think about security.
Two Categories of ICMP Messages
ICMP messages fall into two broad categories. The first is request/reply messages, where you send something and expect a response back. The classic example is ping: you send an echo request and receive an echo reply. Timestamp and address mask requests follow the same pattern.
The second category is error messages. These are one-directional: a router or host sends them to report a problem, and they do not generate a reply of their own. Examples include destination unreachable, time exceeded, and need to fragment. Each message type has a type number and a code that narrows down the specific situation.
Common ICMP Message Types
Port unreachable (type 3, code 3) is sent by a host when a UDP packet arrives at a port where no service is listening. Unlike TCP, which responds to a closed port with a RST, UDP has no connection setup, so ICMP carries that signal instead. This is the basis of UDP port scanning: send UDP packets and watch for port unreachable messages to identify closed ports.
TTL exceeded (type 11, code 0) is sent by a router when it has to discard a packet because the TTL field has reached zero. Every router along a path decrements the TTL by one. If it hits zero, the packet is dropped and this message is sent back to the original sender, including the original packet's IP header. This is exactly what traceroute exploits: by sending packets with artificially low TTLs, you discover each router along the path one hop at a time.
Admin prohibited (type 3, code 13) is sent when a router's access control list blocks the traffic. It tells the sender their packet was refused by policy, though it does not explain why. Need to fragment (type 3, code 4) is sent when a router has to fragment a packet but the don't-fragment flag is set. It includes the MTU of the bottleneck link, which TCP uses for path MTU discovery to avoid fragmentation in the future.
ICMP Error Message Payloads
All ICMP error messages include the original IP header plus the first 8 bytes of the discarded packet's data. This is intentional: it gives the receiving host enough information to identify which packet caused the problem, including the source and destination ports if the embedded protocol was TCP or UDP. It is like getting a returned package with a copy of your original shipping label.
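The following is an added example, not code from the article: a small ICMPv4 decoder that names the type/code combinations discussed above, verifies the ICMP checksum, and, for error messages, digs the original source and destination addresses and transport ports out of the embedded IP header and 8 data bytes. The sample messages at the bottom (a port unreachable and a fragmentation-needed message with a 1400-byte next-hop MTU) are constructed inline so the block runs offline; the addresses and ports in them are made up.

```python
import struct

# Type/code names used in the article (RFC 792 numbering).
ICMP_NAMES = {
    (0, 0): "echo reply",
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (3, 4): "fragmentation needed",
    (3, 13): "communication administratively prohibited",
    (8, 0): "echo request",
    (11, 0): "TTL exceeded in transit",
}
ERROR_TYPES = {3, 4, 5, 11, 12}  # types whose body carries the offending datagram


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(msg: bytes) -> dict:
    """Decode one ICMPv4 message (header + body) into a dict of fields."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code = msg[0], msg[1]
    info = {
        "type": icmp_type,
        "code": code,
        "name": ICMP_NAMES.get((icmp_type, code), "unknown"),
        # Summing the whole message with the checksum in place yields 0 when valid.
        "checksum_ok": checksum(msg) == 0,
    }
    if icmp_type in ERROR_TYPES:
        inner = msg[8:]  # original IP header + first 8 bytes of its data
        if len(inner) < 20:
            raise ValueError("error message lacks embedded IP header")
        ihl = (inner[0] & 0x0F) * 4          # header length in bytes
        proto = inner[9]
        info["orig_src"] = ".".join(str(b) for b in inner[12:16])
        info["orig_dst"] = ".".join(str(b) for b in inner[16:20])
        info["orig_proto"] = proto
        transport = inner[ihl:ihl + 8]
        # For TCP (6) and UDP (17) the first 4 bytes are source and destination port.
        if proto in (6, 17) and len(transport) >= 4:
            info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", transport[:4])
        if icmp_type == 3 and code == 4:
            # Next-hop MTU lives in the low 16 bits of the "unused" header word.
            info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info


def build_error(icmp_type: int, code: int, inner_ip: bytes, data8: bytes,
                rest: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Construct an ICMP error message with a correct checksum (for the samples)."""
    body = bytes([icmp_type, code, 0, 0]) + rest + inner_ip + data8
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


# Constructed sample: a 20-byte IPv4 header for a UDP datagram 10.0.0.5 -> 10.0.0.9.
SAMPLE_INNER_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 17, 0,
                              bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
# First 8 bytes of the UDP datagram: sport 40000, dport 161, length 20, checksum 0.
SAMPLE_UDP8 = struct.pack("!HHHH", 40000, 161, 20, 0)

SAMPLE_PORT_UNREACHABLE = build_error(3, 3, SAMPLE_INNER_IP, SAMPLE_UDP8)
SAMPLE_FRAG_NEEDED = build_error(3, 4, SAMPLE_INNER_IP, SAMPLE_UDP8,
                                 rest=struct.pack("!HH", 0, 1400))

if __name__ == "__main__":
    for sample in (SAMPLE_PORT_UNREACHABLE, SAMPLE_FRAG_NEEDED):
        print(parse_icmp(sample))
```

Because the embedded ports are recovered, a host (or an IDS) can match the error to the exact socket that sent the original datagram, which is the whole point of quoting those 8 bytes.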
ICMP for Network Mapping
Because different ICMP messages come from different sources, they reveal useful information about network topology. Host unreachable messages come from the router directly attached to the destination subnet, because only that router can ARP for the target and confirm that no host responds. Network unreachable messages come from earlier routers that have no route to the destination at all. Admin prohibited messages tell you where traffic is being filtered and what type of traffic is affected.
An attacker doing reconnaissance can learn a lot just by observing ICMP responses. Port unreachable messages identify closed UDP ports. Host unreachable messages map the edge of a network. Even the absence of a message, when a firewall silently drops traffic, is information, because it forces TCP to time out slowly rather than fail fast.
ICMP Tunneling and Abuse
ICMP can be abused in several ways. The Smurf attack exploits broadcast pings: an attacker sends ping requests to subnet broadcast addresses using a spoofed source IP, causing every host on that subnet to send a reply to the victim. One small packet sent to a broadcast address generates hundreds of replies aimed at the target. Windows machines no longer respond to broadcast pings by default, largely because of this.
ICMP tunneling tools like Loki hide arbitrary data inside ICMP messages. An attacker who has compromised a system can use ICMP echo requests and replies to exfiltrate data or issue commands, because many firewalls allow ICMP through while blocking TCP and UDP on non-standard ports. The payload of a ping is not fixed; anything can go in there.
TFN (Tribe Flood Network) took a similar approach. It used ICMP echo replies to deliver commands to compromised machines in a botnet. Echo replies were preferred over requests because firewalls more often allow replies inbound, particularly if the policy allows internal hosts to ping external addresses and receive responses.
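An added example, not from the article, showing how a defender can spot the two abuses just described in a capture of echo traffic. The heuristics are simple and deliberately conservative: an echo reply with no matching request (the TFN pattern), a reply whose payload does not echo its request, an unusually large payload, and a request payload that matches neither the Windows ping template nor the iputils fill pattern. The iputils check assumes that ping fills the bytes after its 8- or 16-byte timestamp with their own offset; the 128-byte size threshold and the sample records are constructed for this example.

```python
ECHO_REPLY, ECHO_REQUEST = 0, 8
OVERSIZE_THRESHOLD = 128  # constructed threshold; default ping payloads are 32 (Windows) or 56 (iputils) bytes

# Windows ping sends this fixed 32-byte payload.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_iputils(payload: bytes) -> bool:
    """Assumption: after an 8-byte (32-bit) or 16-byte (64-bit) timestamp, iputils
    ping sets byte i to i & 0xFF, so the tail of a normal payload is 0x10 0x11 ..."""
    for ts_len in (8, 16):
        tail = range(ts_len, len(payload))
        if len(payload) > ts_len and all(payload[i] == (i & 0xFF) for i in tail):
            return True
    return False


def looks_like_standard_ping(payload: bytes) -> bool:
    return payload == WINDOWS_PING_PAYLOAD or looks_like_iputils(payload)


def analyze(records):
    """records: list of (icmp_type, identifier, sequence, payload) in capture order.
    Returns a list of (record_index, finding) pairs."""
    findings = []
    pending = {}  # (identifier, sequence) -> payload of the outstanding request
    for idx, (itype, ident, seq, payload) in enumerate(records):
        if len(payload) > OVERSIZE_THRESHOLD:
            findings.append((idx, "oversized_payload"))
        if itype == ECHO_REQUEST:
            pending[(ident, seq)] = payload
            if not looks_like_standard_ping(payload):
                findings.append((idx, "nonstandard_request_payload"))
        elif itype == ECHO_REPLY:
            request_payload = pending.pop((ident, seq), None)
            if request_payload is None:
                # Replies are only legitimate in answer to a request we saw go out.
                findings.append((idx, "unsolicited_reply"))
            elif request_payload != payload:
                # A real echo reply carries the request payload back unchanged.
                findings.append((idx, "reply_payload_mismatch"))
    return findings


# Constructed sample records (identifier, sequence and payload bytes are made up).
LINUX_PAYLOAD = bytes(16) + bytes(range(16, 56))        # 16-byte timestamp + 0x10..0x37
OPAQUE_PAYLOAD = bytes((i * 73 + 17) & 0xFF for i in range(40))  # arbitrary-looking bytes

SAMPLE_RECORDS = [
    (ECHO_REQUEST, 0x1234, 1, LINUX_PAYLOAD),          # 0: ordinary iputils ping
    (ECHO_REPLY,   0x1234, 1, LINUX_PAYLOAD),          # 1: its reply
    (ECHO_REPLY,   0x4242, 7, OPAQUE_PAYLOAD),         # 2: reply nobody asked for
    (ECHO_REQUEST, 0x5555, 1, WINDOWS_PING_PAYLOAD),   # 3: ordinary Windows ping
    (ECHO_REPLY,   0x5555, 1, OPAQUE_PAYLOAD[:32]),    # 4: reply that does not echo the request
    (ECHO_REQUEST, 0x7777, 1, bytes(512)),             # 5: oversized, non-template payload
]

if __name__ == "__main__":
    for idx, finding in analyze(SAMPLE_RECORDS):
        print(f"record {idx}: {finding}")
```

Real traffic needs the identifier/sequence pairing to be tracked per source and destination address pair and expired over time, and some monitoring tools legitimately send non-template payloads, so the "nonstandard" finding is informational while unsolicited replies and mismatched echoes are the stronger signals.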
Should You Block All ICMP?
This is a common question. Blocking all ICMP sounds appealing from a security standpoint but causes real problems. Without host unreachable messages, TCP connections to dead hosts time out slowly instead of failing immediately; you experience that as a browser taking 30 or 40 seconds to give up instead of failing right away. Without need-to-fragment messages, path MTU discovery breaks and TCP connections crossing small-MTU links may stall.
A better approach is selective filtering. Block ICMP at the perimeter to prevent external reconnaissance, but allow it inside the network. At minimum, allow the need-to-fragment message type (type 3, code 4) through, since blocking it breaks path MTU discovery for any links with a non-standard MTU. Blocking all ICMP wholesale causes subtle problems that are hard to diagnose later.
Conclusion
ICMP is a diagnostic layer that sits beneath application protocols and reports on the health of the network. Its message types each serve a specific purpose, and those purposes have security implications in both directions. Understanding what each message means, when it is sent, what it reveals, and how it can be abused, gives you a much clearer picture of what is happening on a network.