Author: Frank Carius
Enterprise Architect / Partner – connect on LinkedIn
In the complex world of network communications, protocols such as TCP, UDP, and HTTP are widely and intensively used. However, one protocol is often – and in our opinion unfairly – neglected: the Internet Control Message Protocol (ICMP). Although it is less in the spotlight, ICMP plays a crucial role in the efficiency and stability of networks. However, its importance is often underestimated or actively restricted by blockades.
In this blog article, we take a look at the critical role ICMP plays in the network and the consequences of blocking this protocol.
What is the ICMP protocol?
Rimscout continuously collects certain network data and performs tests to better diagnose problems in the network and to measure the availability and performance of stations, e.g. routers or providers. This requires the ICMP protocol. However, during our network assessments, we encounter environments where ICMP is restricted or even completely blocked.
To understand the importance of ICMP, we will first look at the various other transport protocols. The TCP protocol is the backbone of the Internet Protocol and contains essential functions required for smooth communication between devices. ICMP packets play a crucial role in this. They often work in the background to keep traffic flowing. UDP, on the other hand, is used not only for DNS queries, but also for the transmission of audio and video packets. Packet loss can easily occur here. However, during assessment or monitoring, the assessor or administrator must be informed of the packet loss with a meaningful error message.
This is where ICMP comes into play. It works at the lower level of the IP stack to exchange status and error messages between devices on the network, reporting unreachable destinations or network congestion. In addition, ICMP interacts with the previously mentioned TCP and UDP transport protocols by sending error messages for data packets that have not been delivered.
Four reasons for ICMP in the TCP/IP Protocol
In the next step, we will take a closer look at why ICMP is so important to the TCP/IP protocol and how it supports various aspects of network communication:
- 1
Timeout
When a sender does not receive a response to a packet it has sent, a timeout is triggered and the missing packets are retransmitted. This is time-consuming, delays connection establishment, and also makes troubleshooting and performance measurement more difficult if no error messages are sent via ICMP.
- 2
Fragmentation
Not all transmission paths support large packet sizes, such as an Ethernet packet of 1541 bytes. If this packet exceeds the maximum size, a router must send an “ICMP Size Exceeded” packet so that the sender or a router can reduce the packet size by fragmenting the packet. If this ICMP response is not received, the connection may be interrupted or, in the worst case, not established.
- 3
Time-to-Live (TTL)
TTL counts the hops of a communication to a destination by counting down a counter with each station. When the TTL counter expires, the router sends a “TTL Exceeded” packet back to the sender via ICMP. If the packet is discarded by the router when the counter is reached and no information is sent back via ICMP, this makes troubleshooting more difficult for the sender.
- 4
Service not available
It is not always a wrong IP address, an unreachable network, or an unavailable server. ICMP can also indicate that a specific port cannot be reached for TCP connections. This is useful for diagnosing connection problems.
ICMP is often only allowed on the LAN and blocked on the Internet. With the increasing use of cloud services, the Internet has become an extended LAN. Therefore, it is important to consider ICMP beyond the boundaries of the LAN. Blocking ICMP on the Internet can have a significant impact, as many basic functions rely on these packets.
ICMP: Benefits vs. Security
Blocking ICMP is often justified with an increased security risk. Like any protocol, ICMP has potential security risks, which we will discuss below. In the past, ICMP has been associated with high-profile security vulnerabilities, such as the “Ping of Death”. Some devices, such as Cisco routers and various printers, could be brought down by an ICMP ping of a certain packet size. However, this vulnerability has been fixed in modern systems and no longer poses a serious threat.
However, there are two other security aspects of ICMP in the network:
- 1
Identification of systems via a network map
It is often criticized that an attacker can use PING to find out very easily and quickly whether a system is responding behind an IP address. Similar information can be obtained by TCP syn attempts, but this claim is not necessarily disproved. However, there is a difference between doing this anonymously from the Internet and depriving yourself of an important internal diagnostic function by blocking ICMP.bt.
- 2
Potential DDoS attacks
ICMP packets can be used for DDoS attacks because their source addresses are not secured. Such an attack would be possible by an attacker sending many ICMP packets to other systems, which then all flood the spoofed address. However, ICMP already requires the attacker to use the same bandwidth as you, so ICMP packets are not the preferred choice for DDoS attacks.
To increase security, you can set restrictions on incoming ICMP packets from the Internet to your public addresses. Conversely, you need not worry if your firewall only allows responses to previous requests. Note, however, that the idea of achieving Security by Obscurity is not a sound protective measure. It is important that security measures are based on more than just hiding certain features or information.
ICMP and PING: Insight into Network Availability
Many administrators are unaware that a PING uses ICMP to check for availability on an IP network. When a PING command is executed, the device sends ICMP echo request messages to the destination IP address. If the destination host is available and has ICMP enabled, it responds with ICMP echo reply messages. Based on these replies, the sender of the PING command can determine whether the target host is reachable and how long it will take to send messages back and forth. This provides a reliable measure of round-trip time (RTT) and latency.
However, the measured time depends on the response time of the remote peer. For many routers, responding to an ICMP PING is not a high priority. A successful PING does not guarantee that the service on the server can be reached. For example, a firewall may block the desired UDP/TCP connection. Similarly, an unsuccessful PING is not an indication that the system does not exist. For example, the Microsoft Teams media relay servers no longer respond to PING.
It is also often overlooked that ICMP is used by products to determine a fast or nearby server. In particular, if a DNS query returns multiple IP addresses, a client can quickly PING them to select the endpoint that responded first. This is reachable and closest to the client in terms of the network. For this reason, Microsoft requires domain controllers to be reachable via ICMP ping (see https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts#active-directory).
ICMP and Traceroute: Initial values for the Provider
While a PING addresses exactly one system, a traceroute hides several PING packets with ascending time-to-live (TTL), which can be used to determine the path through the routers to the destination. This is not perfect, as packets can take different routes, limiting the accuracy. However, it is usually possible to get good initial values for the intermediate stations, such as the provider on a packet’s route..
There are providers that want to prevent this knowledge and the detection of problems, and therefore suppress ICMP replies. But not all of them do this, and often you can see the time to the router before the provider and the time to the router after the provider, which allows you to draw sufficient conclusions about the respective transit times. In addition, it can provide useful information about network performance by identifying the routers before and after blocking nodes.
ICMP and Firewall: Faster connections
For incoming connections, it is understandable that a firewall silently drops the packet. For outgoing connections, however, a firewall should definitely send an “ICMP not reachable” to the internal client. This is especially important for Microsoft Teams and other VoIP products that use an ICE handshake to determine the possible candidates for a connection.
Those that fail to send outgoing packets are penalized with longer connection times and errors are harder to find. For this reason, we also check the accessibility of the Team Media Relays via UDP and TCP in our network assessments with Rimscout, as they do not respond to PING. Here I was only able to check the router one station ahead with a PING.
Summary: Allow ICMP internally and to the Internet
For the functionality of network diagnostic or monitoring tools it is important that not only the configured endpoints can be reached via ICMP, but also that the path to them responds as seamlessly as possible to corresponding requests. The paths and latencies can be used not only to make statements about transmission performance and providers, but also to identify general correlations. It should not be attempted to allow only the remote peers, as the path cannot be determined in this case.
Finally, ICMP plays a crucial but often underestimated role in network communication. It is critical to the efficiency, stability, and diagnostics of networks. The blocking of ICMP, as well as its functions such as PING, traceroute, and firewall, illustrate its importance in network administration. A balanced understanding of ICMP is necessary to ensure both network performance and security.