3.3 ICMP Protocol

The Internet Control Message Protocol (ICMP) is a network layer protocol used for error reporting and diagnostics, primarily defined in RFC 792 for IPv4 and RFC 4443 for IPv6. ICMP facilitates communication of control information between devices and is utilized by tools like ping and traceroute, with specific message types such as Echo Request and Destination Unreachable. Additionally, ICMP can be exploited through various attacks like Ping Flood, Ping of Death, and Smurf Attack, which can lead to resource exhaustion and network disruptions.

Uploaded by 7j725j76d2

Introduction to ICMP Protocol

• Definition: Internet Control Message Protocol (ICMP) is a network layer protocol used for error messages and operational information.
• Purpose:
  • Diagnostics
  • Error reporting
  • Network performance insights
• Position in the OSI Model: Network Layer (Layer 3)


• The primary RFC for ICMP (Internet Control Message Protocol) is:
  • RFC 792: Internet Control Message Protocol (published in 1981). This RFC specifies the ICMP protocol used with IPv4. It describes the structure of ICMP messages and their purpose in network diagnostics and error handling.
• For ICMP used with IPv6, the relevant RFC is:
  • RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification (published in 2006). It outlines the modifications and additional message types specific to IPv6 networks.

ICMP Features

• Operates as a supporting protocol for IP.
• Communicates control information between devices.
• Lightweight and simple protocol.
• Used by tools like ping and traceroute.

ICMP Packet Format

• Type (8 bits): Specifies the type of ICMP message. Example: Type 8 = Echo Request, Type 0 = Echo Reply.
• Code (8 bits): Provides additional information about the message type. Example: within Type 3 (Destination Unreachable), Code 3 = Port Unreachable.
• Checksum (16 bits): Ensures data integrity.
• Rest of Header: Contains specific fields based on the message type.
• Data: Contains additional information or payload for diagnostic purposes.

| Field | Bits |
|---|---|
| Type | 8 |
| Code | 8 |
| Checksum | 16 |
| Rest of Header | Variable |
| Data | Variable |

ICMP Echo Messages

• Type 0: Echo Reply
  • Response to an Echo Request.
  • Used in the ping utility.
• Type 8: Echo Request
  • Request to test reachability and measure round-trip time.
  • Sent by the ping utility.

Destination Unreachable

• Type 3: Destination Unreachable. Indicates that a destination is unreachable for various reasons.
• Subtypes (Codes):
  • 0: Network Unreachable
  • 1: Host Unreachable
  • 2: Protocol Unreachable
  • 3: Port Unreachable
  • 4: Fragmentation Needed (and DF set)
  • 5: Source Route Failed

ICMP Echo Request (Type 8, Code 0)

| Field Name | Value | Explanation |
|---|---|---|
| Type | 8 (Echo Request) | Indicates this is an Echo Request packet. |
| Code | 0 | Echo Request has a Code value of 0. |
| Checksum | 0x12c8 (varies) | Ensures data integrity of the packet. |
| Identifier | 0x1c46 | Used to match requests and replies. |
| Sequence Number | 1 | Tracks the order of ICMP packets. |
| Data | 000102030405… (56 bytes payload) | Test payload (can vary). |

ICMP Echo Reply (Type 0, Code 0)

| Field Name | Value | Explanation |
|---|---|---|
| Type | 0 (Echo Reply) | Indicates this is an Echo Reply packet. |
| Code | 0 | Echo Reply always has a Code value of 0. |
| Checksum | 0x19e8 (varies) | Ensures data integrity of the packet. |
| Identifier | 0x1c46 | Matches the Echo Request identifier. |
| Sequence Number | 1 | Matches the sequence number of the request. |
| Data | 000102030405… (56 bytes payload) | Test payload (same as Echo Request). |
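
The packet format and the Echo Request/Reply fields above, worked through in code. This is an added example, not part of the original slides: it computes the RFC 1071 checksum, builds both messages, parses them back and checks that the reply answers the request. The function names are this example's own, and the 56-byte payload (bytes 0x00 to 0x37, with the identifier and sequence number from the tables) is constructed.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an Echo Request (type 8) or Echo Reply (type 0); Code is always 0."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)   # computed with the checksum field zeroed
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(message: bytes) -> dict:
    """Split an ICMP message into the fields of the packet-format table."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, csum, rest = struct.unpack("!BBHI", message[:8])
    fields = {"type": icmp_type, "code": code, "checksum": csum,
              "checksum_ok": inet_checksum(message) == 0,  # valid message sums to 0
              "data": message[8:]}
    if icmp_type in (0, 8):                  # Echo: rest of header = identifier + sequence
        fields["identifier"], fields["sequence"] = rest >> 16, rest & 0xFFFF
    elif icmp_type == 3:                     # Destination Unreachable: unused, zero
        fields["unused"] = rest
    return fields

def reply_matches(request: dict, reply: dict) -> bool:
    """An Echo Reply answers a request if identifier, sequence and data agree."""
    return (request["type"] == 8 and reply["type"] == 0 and
            all(request[k] == reply[k] for k in ("identifier", "sequence", "data")))

# Constructed sample: identifier 0x1c46, sequence 1, 56-byte payload 00 01 02 ...
PAYLOAD = bytes(range(56))
REQUEST = build_echo(8, 0x1C46, 1, PAYLOAD)
REPLY = build_echo(0, 0x1C46, 1, PAYLOAD)

if __name__ == "__main__":
    for name, msg in (("request", REQUEST), ("reply", REPLY)):
        f = parse_icmp(msg)
        print(name, f["type"], hex(f["checksum"]), f["checksum_ok"])
```

With an identical payload, the reply's checksum differs from the request's by exactly 0x0800, because the only 16-bit word that changes is Type/Code (0x0800 becomes 0x0000).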

ICMP Destination Unreachable: Network Unreachable (Type 3, Code 0)

• Scenario: A device sends a packet to a destination IP address, but the router does not know how to reach the target network (no route to the network).

| Field | Value | Explanation |
|---|---|---|
| Type | 3 (Destination Unreachable) | Indicates the packet is reporting an unreachable destination. |
| Code | 0 (Network Unreachable) | The network is unreachable, no route available. |
| Unused | 0x00000000 | Reserved, always set to zero. |
| Data | IP Header + first 8 bytes of the original packet | Contains details of the original packet. |

ICMP Destination Unreachable: Host Unreachable (Type 3, Code 1)

• Scenario: A packet is sent to a specific host on a reachable network, but the host is not reachable (e.g., the host is offline or unreachable due to routing issues).

| Field | Value | Explanation |
|---|---|---|
| Type | 3 (Destination Unreachable) | Indicates the packet is reporting an unreachable destination. |
| Code | 1 (Host Unreachable) | The destination host is unreachable. |
| Unused | 0x00000000 | Reserved, always set to zero. |
| Data | IP Header + first 8 bytes of the original packet | Contains details of the original packet. |

ICMP Destination Unreachable: Protocol Unreachable (Type 3, Code 2)

• Scenario: A packet is sent to a host, but the requested protocol (e.g., UDP or TCP) is not supported on the destination device.

| Field | Value | Explanation |
|---|---|---|
| Type | 3 (Destination Unreachable) | Indicates the packet is reporting an unreachable destination. |
| Code | 2 (Protocol Unreachable) | The requested protocol is unsupported. |
| Unused | 0x00000000 | Reserved, always set to zero. |
| Data | IP Header + first 8 bytes of the original packet | Contains details of the original packet. |
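
An added example (not from the original slides) that decodes a Type 3 message, including the quoted IP header and first 8 bytes of the original packet described in the tables above. The sample message with its addresses and ports is constructed, and the function names are this example's own.

```python
import socket
import struct

UNREACH_CODES = {0: "Network Unreachable", 1: "Host Unreachable",
                 2: "Protocol Unreachable", 3: "Port Unreachable",
                 4: "Fragmentation Needed (and DF set)", 5: "Source Route Failed"}

def parse_dest_unreachable(icmp: bytes) -> dict:
    """Decode a Type 3 message and the original packet quoted in its Data field."""
    if len(icmp) < 8 + 20:
        raise ValueError("too short for ICMP header plus quoted IP header")
    icmp_type, code, _csum, unused = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != 3:
        raise ValueError(f"not Destination Unreachable (type {icmp_type})")
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4              # quoted IP header length in bytes
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl:
        raise ValueError("quoted IPv4 header is malformed or truncated")
    proto = quoted[9]
    info = {"reason": UNREACH_CODES.get(code, f"code {code}"),
            "unused": unused, "protocol": proto,
            "orig_src": socket.inet_ntoa(quoted[12:16]),
            "orig_dst": socket.inet_ntoa(quoted[16:20])}
    l4 = quoted[ihl:ihl + 8]                  # first 8 bytes of the original payload
    if proto in (6, 17) and len(l4) >= 4:     # TCP/UDP: ports are the first 4 bytes
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4[:4])
    return info

def sample_unreachable(code: int) -> bytes:
    """Constructed sample quoting a UDP datagram 192.0.2.10:40000 -> 198.51.100.7:53."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    # Checksums are left at 0 in this sample; the parser above does not verify them.
    return struct.pack("!BBHI", 3, code, 0, 0) + ip + udp

if __name__ == "__main__":
    print(parse_dest_unreachable(sample_unreachable(1)))
```

Comparing the quoted addresses and ports with traffic the host actually sent is what lets a receiver tie an ICMP error to a real flow and discard errors that match none.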

ICMP-Based Attacks

• Ping Flood: The attacker sends a large number of ICMP Echo Requests (ping packets) to overwhelm a target system's resources. The target must reply to each request with an Echo Reply, exhausting CPU, memory, or bandwidth.
• Effect:
  • Causes resource exhaustion on the target system.
  • Consumes network bandwidth.
  • May slow down or crash the target.
• hping3 --flood -1 <target-ip>
  • --flood: Sends packets as fast as possible.
  • -1: Specifies ICMP mode.

ICMP-Based Attacks

• Ping of Death: The attacker sends a malformed or oversized ICMP Echo Request packet that exceeds the maximum allowable size (65,535 bytes for IPv4). Older systems may crash, freeze, or behave unpredictably when processing such packets.
• Effect:
  • Exploits vulnerabilities in target systems.
  • Causes crashes, reboots, or kernel panics.
• Attack: hping3 -c 1 -d 65540 -E /dev/urandom -1 <target-ip>
  • -c 1: Sends a single packet.
  • -d 65540: Specifies payload size exceeding 65,535 bytes.
  • -E /dev/urandom: Includes random payload data.

ICMP-Based Attacks

• Smurf Attack: The attacker spoofs the source IP address of the ICMP Echo Request packet to appear as if it is coming from the victim. The request is sent to a broadcast address, causing all devices in the network to reply to the victim.
• Effect:
  • Amplifies traffic, causing resource exhaustion on the victim.
  • A single attacker can generate massive traffic using this amplification technique.
• hping3 --icmp -c 100 --spoof <spoofed-source-ip> 192.168.1.255
  • --icmp: Sends ICMP Echo Request packets.
  • --spoof <spoofed-source-ip> (short form -a): Spoofs the source IP as the victim.
  • -c 100: Sends 100 packets.
  • 192.168.1.255: The broadcast address the requests are sent to.

| Attack Type | Mechanism | Impact | Amplification |
|---|---|---|---|
| Ping Flood | Floods the target with ICMP Echo Requests. | Resource exhaustion (DoS). | No amplification. |
| Ping of Death | Sends malformed or oversized ICMP packets. | Crashes or destabilizes target. | No amplification. |
| Smurf Attack | Uses broadcast and spoofing to amplify ICMP replies. | Amplifies traffic (DoS). | Yes, via broadcast. |
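
A defender-side view of the three attacks compared above, as an added example that is not part of the original slides: it flags each pattern in a list of packet records. The record layout, the protected subnet and the 100 packets-per-second threshold are assumptions, and the capture is constructed.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed protected subnet
FLOOD_PPS = 100                                      # assumed per-second alert threshold
MAX_IP_DATAGRAM = 65535                              # IPv4 total-length limit in bytes

def detect(packets):
    """Return sorted (alert, src, dst) tuples for the three ICMP attack patterns."""
    alerts, per_second = set(), defaultdict(int)
    for p in packets:
        src, dst = p["src"], p["dst"]
        # Ping of Death: fragment offset (8-byte units) plus this fragment's length
        # gives the reassembled size; anything past 65,535 bytes is invalid.
        if p["frag_offset"] * 8 + p["total_len"] > MAX_IP_DATAGRAM:
            alerts.add(("ping-of-death", src, dst))
        if p.get("icmp_type") != 8:          # later fragments carry no ICMP header
            continue
        # Smurf: Echo Request addressed to the subnet's directed-broadcast address.
        if ipaddress.ip_address(dst) == LOCAL_NET.broadcast_address:
            alerts.add(("smurf-broadcast-echo", src, dst))
        # Ping flood: count Echo Requests per (src, dst) in one-second buckets.
        bucket = (src, dst, int(p["ts"]))
        per_second[bucket] += 1
        if per_second[bucket] > FLOOD_PPS:
            alerts.add(("ping-flood", src, dst))
    return sorted(alerts)

def sample_capture():
    """Constructed records (not real traffic): time, addresses, fragment fields, ICMP type."""
    def pkt(ts, src, dst, t=8, off=0, length=84):
        return {"ts": ts, "src": src, "dst": dst, "icmp_type": t,
                "frag_offset": off, "total_len": length}
    capture = [pkt(0.0, "192.168.1.20", "192.168.1.1"),            # ordinary ping
               pkt(0.1, "192.168.1.1", "192.168.1.20", t=0)]       # its Echo Reply
    capture += [pkt(1 + i / 1000, "203.0.113.5", "192.168.1.30") for i in range(500)]
    capture.append(pkt(2.0, "192.168.1.40", "192.168.1.255"))      # echo to broadcast
    capture.append(pkt(3.0, "203.0.113.9", "192.168.1.50", t=None, off=8189, length=1500))
    return capture

if __name__ == "__main__":
    for alert in detect(sample_capture()):
        print(alert)
```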
