Internet Control Message Protocol (ICMP)

introductiontonetworking wireshark

The Internet Control Message Protocol (ICMP) is used by a machine to indicate success or failure when communicating with another machine.

  • πŸ’€ Host unreachable
  • πŸ”’ Port closed
  • ...

For instance, if someone tries to send a message using TCP to a closed port, then the server may respond with an ICMP message saying that the port is closed.

🐊️ Port: N/A (encapsulated within IP packets)

πŸ—ΊοΈ Used by: ping, traceroute...


  • 1 byte for "type"
  • 1 byte for "code"
  • 2 bytes for "checksum of the message"
  • 4 bytes for "additional/specific information"

Each code is associated with a type. Here are some of them (code: type). See Control Messages (ICMP) on Wikipedia

  • 0: echo reply
  • 3: destination unreachable
  • 5: redirect
  • 8: echo
  • 11: time exceeded

ICMP vulnerabilities

  • Echo request and reply ICMP

πŸ‘‰ The attacker send an echo request to check if the host is up. The attacker may further attack even if there is no reply, while assuming that the host is up, but the reply help in confirming it. πŸ’₯ DoS with a flood of echo requests. ➑️ Limit ICMP requests to specific hosts/subnets, as disabling them may be problematic.

  • ICMP unreachable

πŸ‘‰ Used in reconnaissance to gain information on the network (ex: open ports/services...). ➑️ Configure hosts to not respond, but it's not recommended.

  • ICMP mask reply

πŸ‘‰ The attacker ask an host about its subnet mask, and may use it to map an internal network. ➑️ Configure hosts to not respond. Mostly disabled by default on modern devices.

  • ICMP redirection

πŸ‘‰ Redirect traffic to a target host through a compromised device. πŸ’₯ MITM ➑️ Disable ICMP Redirect messages.

  • ICMP router discovery

πŸ‘‰ Add false routing entries to the routing table, so that the host send traffic to the wrong destination. ➑️ Disable ICMP router messages. Mostly disabled by default on modern devices.