• What is ICMP, and what is it used for?
  • Why ICMP is essential in IP networks
  • How ICMP works
  • Diagnostic tools using ICMP
  • ICMP security risks
  • ICMPv4 vs. ICMPv6: Key differences
  • ICMP and developers
  • FAQ: Common questions about ICMP

What is Internet Control Message Protocol (ICMP)?

Featured 04.11.2025 19 mins
Written by Chantelle Golombick
Reviewed by Ata Hakçıl
Edited by Kate Davidson

The Internet Control Message Protocol (ICMP) enables network devices to report errors and test connectivity across networks. When a router can’t deliver a packet, when network paths become congested, or when packet sizes exceed transmission limits, ICMP carries these status messages back to the source.

Network administrators use ICMP-based tools such as ping and traceroute to diagnose network connectivity issues and measure network performance. However, there are security risks related to ICMP that are important to know about.

What is ICMP, and what is it used for?

ICMP is a supporting protocol in the Transmission Control Protocol (TCP) / Internet Protocol (IP) suite that helps network devices communicate errors, test connectivity, and report issues like unreachable destinations or expired packet lifespans, without establishing connections like TCP does.

1. Error reporting

The most common use for ICMP is error reporting. When you send data across the internet, ICMP works as a feedback system. For example, if a data packet exceeds the maximum transmission unit (MTU) size that a network segment can handle, the router discards the packet and sends an ICMP message back to your device to report the problem.

2. Network diagnostics

ICMP forms the backbone of two common network diagnostics utilities: traceroute and ping.

Traceroute maps the actual path your data takes to reach a destination: a series of hops between routers. It shows you each hop and measures the time it takes to travel between them, helping to pinpoint sources of network delay.

Graphic: basic traceroute and ping processes.

Ping is a simpler tool that works like sonar. It uses ICMP’s Echo Request and Echo Reply messages to measure the total round-trip time for a packet to reach a destination and return. This is a quick way to gauge a connection’s latency.

3. Network security

Network administrators use ICMP for security monitoring. Firewalls can be configured to inspect ICMP messages, permitting legitimate traffic while blocking suspicious requests. By tracking ICMP traffic, administrators monitor the status and connectivity of network devices. This helps them spot unusual patterns or detect unauthorized devices, which can be early indicators of malicious activity.

Why ICMP is essential in IP networks

ICMP is the internet’s status and error channel; it’s what keeps your network running. Without it, a router can't tell a computer when packets get lost, network admins can't diagnose connection problems, and data packets might fragment incorrectly across different network paths.

ICMP travels with IP at the network layer (Layer 3) of the Open Systems Interconnection (OSI) model. This layer is the network’s “shipping department,” responsible for addressing and routing packets. ICMP doesn't carry your actual data, as that's IP's job. Instead, it sends control messages between network devices to report errors and share operational information. When something goes wrong with packet delivery, ICMP is how routers and hosts communicate the problem back to the source.

ICMP messages fall into two categories: error reporting and queries. Error messages tell you when packets can't reach their destination or when they've expired in transit. Query messages help with diagnostics, like checking if a device is reachable or measuring latency.

How ICMP works

Unlike transport protocols like TCP and User Datagram Protocol (UDP), ICMP is connectionless. TCP, for example, establishes a reliable connection through a digital “handshake” before transmitting data. ICMP skips this step and sends one-way messages without any prior setup.

Another major difference is that ICMP doesn’t use ports. Protocols like TCP and UDP operate at the transport layer (Layer 4) and use port numbers to direct traffic to specific applications on a device (for example, port 443 for web traffic to a browser).

As mentioned, ICMP operates at the network layer, and its messages are intended for the operating system’s network software itself, not for a specific user application. For example, an error message like “Destination Unreachable” needs to be processed by the OS, not by your web browser. Because ICMP communicates between operating systems and network devices, ports aren’t needed.

Feature           | ICMP                                         | TCP
OSI layer         | Network (Layer 3)                            | Transport (Layer 4)
Connection type   | Connectionless and stateless, no handshake   | Connection-oriented, three-way handshake
Reliability       | No delivery guarantee; error reporting only  | Ensures ordered, error-free delivery with acknowledgments and retransmissions
Ports             | None; targets IP addresses directly          | Uses source/destination ports for applications
Overhead          | Low; minimal header for quick messages       | Higher; detailed header for control features
Primary use cases | Diagnostics (ping, traceroute), error alerts | Data transfer (web, email, files)

Here’s the typical sequence of an ICMP message:

  1. A device sends a data packet across the network.
  2. If a router or host encounters an error, like an unreachable destination, the device that detects the failure generates an ICMP error message.
  3. This message is sent back to the sender to inform them of the problem.

This simple feedback loop allows you to detect whether a device is online, measure how long it takes for packets to arrive, and identify any routing errors.

ICMP packet structure

ICMP messages are sent as datagrams encapsulated within IP packets. This means an ICMP packet’s structure consists of a standard IP header, which routes the packet across networks, followed immediately by the ICMP header and its payload (the variable data).

The ICMP section includes an 8-byte fixed header, optional fields, and a payload. This payload varies based on the message’s purpose, carrying items like error details or test data. The total payload size is constrained to keep the packet compact:

  • IPv4: Up to 576 bytes
  • IPv6: Up to 1,280 bytes

The fixed header contains three primary fields in its first 32 bits:

  • Type (8 bits): This categorizes the message's general purpose, such as signaling an Echo Request (to check if a device is reachable) or reporting a destination as unreachable.
  • Code (8 bits): This refines the type by providing specifics. For example, if the type is “Destination Unreachable,” the code might indicate why: network issues (Code 0), host problems (Code 1), or protocol errors (Code 2).
  • Checksum (16 bits): This is a calculated value that verifies the entire ICMP message's integrity, allowing the receiver to detect corruption that may have occurred during transmission.

After these initial 32 bits, the header may include 32 more bits for type-specific data, like a pointer to the problematic byte in an original IP packet for error diagnostics. For echo messages, this area holds an identifier (to match requests and replies) and a sequence number (to track order in a series of pings).
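The header layout just described, worked through in code. This is an added example, not code from the article: it packs an Echo Request (type 8) with the RFC 1071 checksum, parses the fixed header back out (reading the identifier/sequence area for echo messages and the pointer byte for Parameter Problem), verifies the checksum the way a receiver does, and mirrors the reply the OS would send. The sample identifier, sequence and payload are constructed.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_PARAMETER_PROBLEM = 12

HEADER_FMT = "!BBHHH"   # type, code, checksum, then the 32-bit type-specific area


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the whole ICMP message (header + payload)."""
    if len(data) % 2:
        data += b"\x00"                  # pad an odd-length message with a zero byte
    total = 0
    for i in range(0, len(data), 2):     # sum 16-bit big-endian words
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                   # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF             # one's complement of the one's-complement sum


def build_echo(msg_type: int, identifier: int, sequence: int, payload: bytes) -> bytes:
    """Build an Echo Request (8) or Echo Reply (0): pack with checksum zeroed, then re-pack."""
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("build_echo only produces echo messages")
    header = struct.pack(HEADER_FMT, msg_type, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, msg_type, 0, csum, identifier, sequence) + payload


def parse_icmp(message: bytes) -> dict:
    """Decode the 8-byte fixed header and verify integrity.

    The receiver checksums the message as received, stored checksum included; for an
    intact message the one's-complement sum folds to 0xFFFF, so its complement is 0.
    """
    if len(message) < 8:
        raise ValueError("ICMP message shorter than the 8-byte fixed header")
    msg_type, code, csum, rest_hi, rest_lo = struct.unpack(HEADER_FMT, message[:8])
    info = {
        "type": msg_type,
        "code": code,
        "checksum": csum,
        "checksum_ok": icmp_checksum(message) == 0,
        "payload": message[8:],
    }
    if msg_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        # echo messages use the type-specific area for identifier and sequence number
        info["identifier"], info["sequence"] = rest_hi, rest_lo
    elif msg_type == ICMP_PARAMETER_PROBLEM:
        # Parameter Problem uses the first byte as a pointer to the offending octet
        info["pointer"] = rest_hi >> 8
    return info


def build_echo_reply(request: bytes) -> bytes:
    """What the OS stack does for a valid Echo Request: same id, sequence and payload, type 0."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or not req["checksum_ok"]:
        raise ValueError("not a valid Echo Request")
    return build_echo(ICMP_ECHO_REPLY, req["identifier"], req["sequence"], req["payload"])


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")  # constructed sample
    print(parse_icmp(req))
    print(parse_icmp(build_echo_reply(req)))
```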

ICMP message types

ICMP defines dozens of message types, but common types handle most network communication:

  • Type 0 (Echo Reply) and Type 8 (Echo Request) power the ping utility.
  • Type 3 (Destination Unreachable) tells you when packets can't reach their target.
  • Type 5 (Redirect) suggests better routes through the network.
  • Type 11 (Time Exceeded) indicates packets that expired before reaching their destination, typically because their time-to-live (TTL) counter hit zero.
  • Types 13 and 14 handle timestamp requests and replies, which can reveal system time and uptime information.

Diagnostic tools using ICMP

Network engineers use ICMP-based tools daily to verify connectivity, measure latency, and trace routing problems. These utilities form the foundation of network troubleshooting.

Ping: How it uses ICMP

The ping command is an important first step in network troubleshooting. It sends an ICMP Echo Request to a target device to verify a connection. By measuring the round-trip time it takes to receive an Echo Reply, you can quickly determine if a host is reachable and assess network latency.

If the replies are slow, it signals high latency. If they don’t come back at all, it indicates packet loss or a connectivity failure. This simple test provides immediate feedback, making it an indispensable tool for rapidly diagnosing network issues.

Here’s how it works in practice. Let’s say you want to check your connection to the ExpressVPN website. You can open a command prompt in the terminal and type ping expressvpn.com (the command is the same on Windows, macOS, and Linux). If the path is clear, you’ll see a series of replies. Each one confirms that the server is reachable and displays the round-trip time in milliseconds (ms), showing exactly how fast your connection to the server is.

Screenshot: a Windows Command Prompt running the ping expressvpn.com command.

Traceroute: Following the packet path

While ping tells you if you can reach a destination, traceroute shows you the exact path your data takes to get there. Its main purpose is to map the journey your packets take across the internet, hop by hop, which is useful for pinpointing the exact location of a network delay or failure.

The tool sends out a series of ICMP messages with a deliberately limited lifespan, set by a TTL value. The first packet is sent with a TTL of 1, which means it expires after reaching the very first router in the path. That router sends back an ICMP “Time Exceeded” message, revealing its identity.

Traceroute then sends another packet with a TTL of 2, which reaches the second router, and continues this process with each subsequent router. Listing all the routers that respond to it builds a complete map of the route.

To trace the route to expressvpn.com, for example, you would type tracert www.expressvpn.com in the Windows Command Prompt. On macOS or Linux, the command is traceroute www.expressvpn.com. This command will list all the routers the packet passes through to reach the destination.

Screenshot: a Windows Command Prompt running the tracert www.expressvpn.com command.

Network performance monitoring

Continuous ICMP monitoring helps track network health over time. Automated systems send regular pings to critical devices, measuring availability and latency trends. Sudden changes in response times can signal developing problems before users notice an issue.

Performance monitoring tools analyze ICMP data to identify degraded links, overloaded routers, and failing equipment. They establish baseline metrics for normal network behavior, then alert administrators when measurements deviate significantly.

Some organizations disable ICMP to reduce attack surface, but this eliminates valuable monitoring capabilities. For example, you lose visibility into path MTU discovery failures, which rely on ICMP messages (like “Packet Too Big”) to determine the largest packet size a connection can handle. If you block these messages, devices can’t learn the correct packet size, which can cause connections to stall or fail.

ICMP security risks

The same protocol characteristics that make ICMP useful for troubleshooting create opportunities for exploitation.

Common ICMP-based attacks

Before launching an attack, hackers often scout a network to discover which devices are online and identify the most promising targets.

Infographic: types of ICMP attacks.

There are several types of attacks that exploit ICMP vulnerabilities:

  • ICMP flood: An ICMP flood overwhelms a target with Echo Request messages, so the device wastes CPU and bandwidth on replies, leading to service loss.
  • Smurf attack: A Smurf attack uses spoofed ICMP Echo Request messages sent to an IP broadcast address, so many hosts respond to the victim, amplifying traffic.
  • ICMP tunneling and data exfiltration: Attackers wrap unauthorized data in what looks like normal ping traffic.

ICMP configuration and best practices

Configuring ICMP requires setting rules on your firewalls and routers. The goal is to allow helpful diagnostic messages while blocking potential risks. Best practices include:

Allow necessary traffic

  • Don’t blanket-block ICMP traffic: Blocking the wrong types can break Path MTU Discovery and cause network failures.
  • Filter by message type: Allow necessary messages like “Destination Unreachable” that are needed for network operations, but block risky types like “Redirect” that can be used to manipulate routing.
  • IPv4: Allow “Destination Unreachable” messages, specifically the “Fragmentation Needed” signal.
  • IPv6: Allow critical ICMPv6 types, such as “Packet Too Big” and Neighbor Discovery (Types 133–136). IPv6 can’t function correctly without these.

Block and restrict high-risk traffic

Your rules for ICMP traffic coming from the internet (inbound) should be much stricter than your rules for traffic leaving your network (outbound).

  • Block risky message types: Block messages that offer little benefit and high risk. These include inbound “Timestamp” requests, which can leak system information, and “Redirect” messages, which attackers can use to misdirect your traffic.
  • Disable directed broadcasts: Confirm your routers don’t forward directed broadcasts. This setting prevents your network from being used as an amplifier in a Smurf attack.

Apply rate limiting and filtering

  • Rate-limit ICMP: This setting prevents your router from being used as a weapon in a distributed denial-of-service (DDoS) attack. By limiting the number of ICMP replies it sends, you confirm it can’t be used to flood a victim with traffic, while still allowing for legitimate network diagnostics.
  • Protect the control plane: Use control-plane policing to specifically cap the amount of ICMP traffic allowed to reach your device’s CPU.
  • Stop spoofing at the edge: Enforce BCP 38/84 ingress filtering or unicast Reverse Path Forwarding (uRPF). These tools help prevent floods by preventing forged source addresses from entering or leaving your network.

Monitor and alert

Create rules to flag suspicious activity. This includes high rates of echo traffic, packets with unusual payload sizes, or long-duration flows that may indicate data tunneling.

ICMPv4 vs. ICMPv6: Key differences

IPv4 and IPv6 aren’t compatible; they create two separate channels for network data. Your network likely uses both, so a secure connection requires protecting ICMP traffic on both protocols. Failing to secure one channel can create a gap that exposes your data.

Protocol evolution

ICMPv4 emerged in 1981 as part of the original IP protocol suite. It was designed for a simpler internet, where its primary job was to report errors and run basic diagnostics like ping tests. For decades, this version served networks reliably, becoming the backbone of network troubleshooting.

ICMPv6 arrived alongside IPv6 to address the limitations of its predecessor. Rather than just adapting the old protocol to work with new IP addresses, developers reimagined what ICMP could do. The result is a more capable protocol that handles not just error reporting, but also other operations that previously required separate protocols.

The transition reflects the broader evolution of the internet, from a research network to the complex ecosystem we navigate today. ICMPv6 was built with modern networking demands in mind, including better efficiency and more sophisticated device communication.

Functional enhancements in ICMPv6

ICMPv6 does more than report errors; it actively manages network connections. Its Neighbor Discovery feature, for instance, replaces the older Address Resolution Protocol (ARP) to let devices on your network find each other more securely and efficiently.

It also adds Stateless Address Autoconfiguration (SLAAC), allowing devices to get an IP address without a central server. Think of it like your phone knowing its own address in a new network without asking. This is convenient, but it has privacy implications, as the resulting address can expose your device's unique hardware ID, allowing it to be tracked across different networks.

Beyond these, ICMPv6 also consolidated multicast operations and improved error detection. While these enhancements make ICMPv6 more capable, they also mean the protocol carries more sensitive data about your network’s structure and devices, details that could be exposed if not properly secured.

Compatibility and migration concerns

The big challenge is that ICMPv4 and ICMPv6 operate on different IP versions, which means networks running dual-stack configurations (both IPv4 and IPv6) must handle both ICMP versions simultaneously. This creates management complexity and potential security gaps.

Many networks are still in transition, running IPv4 as their primary protocol while gradually implementing IPv6 support. During this phase, both ICMP versions remain active, doubling the potential attack surface for privacy breaches. Making sure your security tools cover both protocols is good practice and necessary for complete protection.

The good news is modern VPN services account for these complexities, routing and protecting both ICMP versions to keep your network activity private regardless of which protocol your connection uses.

ICMP and developers

Knowing how to use ICMP is important if you're developing network applications or diagnostic tools. ICMP functions at a lower level of the network stack than other web protocols, so developers must implement it differently.

Using ICMP in applications and sockets

Unlike high-level protocols like HTTP, ICMP requires raw sockets. A raw socket is a special programming interface that bypasses the operating system's normal network services. It allows an application to build the entire network packet manually, piece by piece, directly at the IP level.

For example, to create a ping, the app must manually construct a Type 8 (Echo Request) packet. Because this low-level access can be used to forge packets, using raw sockets almost always requires elevated (root or administrator) privileges.

Operating systems automatically handle and respond to echo requests as part of their network stack, so no special server application is needed. Your application, however, must handle timeouts and “Destination Unreachable” replies itself, because firewalls often filter or rate-limit ICMP; that error-handling logic lets it report the failure to the user and continue operating.

Filtering ICMP

ICMP operates at Layer 3 and doesn’t use Layer 4 ports, which has direct implications for developers and administrators because you can’t filter ICMP traffic by port number on a firewall.

Therefore, security rules must be written to filter based on ICMP’s Type and Code fields. For example, to block ping requests, you must create a rule to drop ICMP Type 8 (Echo Request), not a rule to block a port.
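The type/code filtering described here, together with the rate limiting and monitoring rules from the best-practices section, expressed as an inbound ICMPv4 policy. This is an added example, not code or configuration from the article or from any firewall product: it allows the message types the article says networks depend on, drops Redirect and Timestamp, applies a per-source token bucket to Echo Requests, and raises an alert on oversized echo payloads. The thresholds and the sample source addresses are constructed assumptions.

```python
from dataclasses import dataclass

# Allow list keyed on (type, code), because ICMP has no ports to match on.
ALLOWED = {
    (3, 0): "net unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable",
    (3, 4): "fragmentation needed: required for Path MTU Discovery",
    (11, 0): "TTL expired in transit: what traceroute relies on",
    (0, 0): "echo reply to a ping we sent",
}
# Types the guidance says offer little benefit and high risk inbound.
BLOCKED_TYPES = {
    5: "redirect: can be used to manipulate routing",
    13: "timestamp request: leaks system time",
    14: "timestamp reply",
}
ECHO_REQUEST = 8


@dataclass
class Verdict:
    action: str          # "allow" or "drop"
    reason: str
    alert: bool = False  # True when the event should be surfaced to monitoring


class InboundIcmpPolicy:
    """Filter by type/code, rate-limit echo requests per source, flag tunnelling signs."""

    def __init__(self, echo_per_sec: float = 10.0, burst: int = 20, max_echo_payload: int = 128):
        # Thresholds are assumptions for this example, not values from the article.
        self.rate, self.burst, self.max_echo_payload = echo_per_sec, burst, max_echo_payload
        self._buckets = {}   # source address -> (tokens, last_seen)

    def _take_token(self, src: str, now: float) -> bool:
        """Token bucket per source: refill at `rate` per second, capped at `burst`."""
        tokens, last = self._buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, now)
            return True
        self._buckets[src] = (tokens, now)
        return False

    def evaluate(self, src: str, icmp_type: int, code: int, payload_len: int, now: float) -> Verdict:
        if icmp_type in BLOCKED_TYPES:
            # a redirect arriving from outside is worth an alert, not just a silent drop
            return Verdict("drop", BLOCKED_TYPES[icmp_type], alert=(icmp_type == 5))
        if icmp_type == ECHO_REQUEST:
            if payload_len > self.max_echo_payload:
                return Verdict("drop", f"echo payload of {payload_len} bytes: possible ICMP tunnelling", alert=True)
            if not self._take_token(src, now):
                return Verdict("drop", "echo request rate limit exceeded: possible flood", alert=True)
            return Verdict("allow", "echo request within rate limit")
        if (icmp_type, code) in ALLOWED:
            return Verdict("allow", ALLOWED[(icmp_type, code)])
        return Verdict("drop", f"type {icmp_type} code {code} not on the allow list")


if __name__ == "__main__":
    policy = InboundIcmpPolicy(echo_per_sec=1.0, burst=3)
    # constructed sample events: (source, type, code, payload length, seconds)
    events = [("198.51.100.7", 3, 4, 28, 0.0), ("198.51.100.7", 5, 1, 28, 0.1)]
    events += [("203.0.113.9", 8, 0, 56, 0.2)] * 4 + [("203.0.113.9", 8, 0, 1400, 5.0)]
    for src, t, c, n, ts in events:
        v = policy.evaluate(src, t, c, n, ts)
        print(f"{ts:5.1f}s {src:<13} type={t:<2} code={c} len={n:<5} {v.action:<5} "
              f"{'ALERT ' if v.alert else ''}{v.reason}")
```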

FAQ: Common questions about ICMP

Is ICMP a transport protocol?

No. The Internet Control Message Protocol (ICMP) operates at the network layer (Layer 3), not the transport layer (Layer 4). It doesn't establish connections, guarantee delivery, or provide any transport-layer services. ICMP reports errors and provides diagnostics for the IP protocol itself.

Can ICMP be disabled or blocked?

Yes, but it’s not advisable. Blocking Internet Control Message Protocol (ICMP) at firewalls breaks core functions like Path Maximum Transmission Unit (MTU) Discovery, causing connection issues and preventing troubleshooting diagnostics. A better solution is selective filtering: allow necessary types (e.g., “Destination Unreachable”) while dropping risky ones. Rate limiting also works, permitting legitimate use while stopping floods.

Is ICMP safe to permit on a network?

The Internet Control Message Protocol (ICMP) sits in an interesting security gray area; it's not completely safe to allow without restrictions, but blocking it entirely creates its own problems. While ICMP can be exploited for reconnaissance, denial-of-service attacks, and even data exfiltration through ICMP tunneling, it’s required for network diagnostics and proper functioning.

How does ICMP differ from TCP and UDP?

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) operate as transport-layer protocols that carry application data between programs. Internet Control Message Protocol (ICMP) functions at the network layer, reporting errors and providing feedback about packet delivery. Applications never send data using ICMP directly.

What are real-world examples of ICMP usage?

Every time you check a website's availability by pinging its domain, you're using the Internet Control Message Protocol (ICMP). Network monitoring systems continuously ping critical infrastructure to detect outages. Internet service providers use traceroute to diagnose routing problems affecting customer connectivity, and cloud providers rely on ICMP for health checks that determine whether servers remain responsive.

Does ICMP behave differently across devices or operating systems?

Yes: Windows typically uses a time-to-live of 128 for outgoing packets, while Linux defaults to 255. The ping command also varies; Windows sends four requests and stops, while Unix-based systems like Linux and macOS ping continuously until manually stopped.

What are the implications of ICMP in restricted network environments?

In restricted network environments like corporate offices or high-security facilities, blocking the Internet Control Message Protocol (ICMP) creates a serious trade-off between perceived security and network functionality. While administrators often block ICMP to prevent reconnaissance and potential attacks, this approach hampers network troubleshooting and diagnostics.

How does ICMP relate to VPN leak protection?

The Internet Control Message Protocol (ICMP) is your network's control channel, but without proper protection, it can leak data. A secure VPN should tunnel both IPv4 and IPv6 traffic while rejecting malicious redirects and allowing necessary ICMP types within the encrypted tunnel. ExpressVPN handles this with IPv6 leak prevention, Domain Name System (DNS) leak protection, and Network Lock, a kill switch that blocks all traffic outside the tunnel if your connection drops, ensuring your ICMP messages and data remain protected.

Chantelle Golombick

After a decade working in corporate law and five years teaching at University, Chantelle now enjoys freelance life writing about law, cybersecurity, online privacy, and digital freedom for major cybersecurity and online privacy brands. She is particularly interested in the interplay between these digital issues and the law.
