Securing Protocol Layers   «Prev 

Internet Control Message Protocol

The Internet Control Message Protocol (ICMP), defined in RFC 792, is an integral part of the TCP/IP protocol suite. It is utilized by network devices, such as routers, to send error messages indicating, for instance, that a requested service is not available or a host or router could not be reached. While ICMP is fundamental for network diagnostics and troubleshooting, it also poses several vulnerabilities that can be exploited for nefarious activities.
  1. ICMP Flood (Ping Flood) Attack: In this type of Denial-of-Service (DoS) attack, the attacker overwhelms the victim's network or devices with ICMP Echo Request (Ping) packets. This excessive traffic can consume bandwidth, processing resources, or both, rendering the victim's system unresponsive to legitimate requests.
  2. ICMP Redirect Attack: In this attack, an adversary uses ICMP Redirect messages to alter the routing tables on the victim host. This enables the attacker to intercept packets intended for another host (Man-in-the-Middle attack) or send them in a loop (creating a DoS condition).
  3. ICMP Tunneling: ICMP tunneling can be used to encapsulate one protocol inside another. This can be a legitimate operation, such as when data is sent over an ICMP network for legitimate purposes, but it can also be used by attackers to send malicious data or bypass firewalls undetected.
  4. Ping of Death: An old, yet noteworthy attack, where the attacker sends malformed or oversized ICMP packets to crash or freeze the target system. However, most modern systems are now immune to this attack.
  5. Smurf Attack: An attacker uses a network vulnerability to make it appear that a ping packet is coming from another host (IP spoofing). The network amplifies the ping request to all devices on the network. When all those devices reply to the spoofed IP, it results in a significant traffic flood that can cause a DoS condition.
These vulnerabilities underline the importance of securing and managing ICMP traffic properly within a network. Network administrators should implement security measures, such as configuring firewalls to filter ICMP messages, conducting regular network audits, and deploying intrusion detection systems (IDS) to detect and mitigate ICMP-based attacks. Employing such strategies can greatly reduce the potential impact of attacks using the ICMP protocol.

Well-publicized ICMP Attack

A well-publicized ICMP attack occurred with the Microsoft TCP/IP stack.
A hacker generated a very specialized ICMP message in the form of a ping request. Any computer running earlier versions of the TCP/IP stack would not be able to properly address the modified ICMP request and would crash. The industry labeled this type of attack a Winnuke attack, after the program Winnuke, which issued this type of ICMP message.
To this day, the Microsoft Web site does not respond to pings because Microsoft has filtered all ICMP requests to the Web servers. Many companies now filter ICMP traffic at their firewalls.


ICMP is a network protocol useful in Internet Protocol (IP) network management and administration and is a required element of IP implementations. ICMP is a control protocol, meaning that it does not carry application data, but rather information about the status of the network itself. Furthermore, ICMP can be used to report:
  1. errors in the underlying communications of network applications
  2. availability of remote hosts
  3. network congestion