Vol. 1 · Ed. 2026
CyberGlossary
Entry № 568

ICMP

Reviewed by: Cybersecurity entrepreneur & security researcher

What is ICMP?

ICMP: A network-layer control and diagnostics protocol (RFC 792 for IPv4, RFC 4443 for IPv6) used by hosts and routers to report errors and signal path conditions.


The Internet Control Message Protocol is an integral part of IP, defined in RFC 792 for IPv4 and RFC 4443 for IPv6. Routers and end hosts use it to send error messages (destination unreachable, time exceeded, fragmentation needed) and diagnostic queries (echo request/reply, used by ping and traceroute). ICMP rides directly over IP with protocol number 1 (or 58 for ICMPv6) and has no ports.

It is essential for Path MTU Discovery (RFC 1191) and IPv6 Neighbor Discovery, so blanket-blocking ICMP commonly creates "PMTU black holes" where large packets vanish silently. Historic abuses are well documented: the Smurf attack (CERT advisory CA-1998-01) spoofed a victim's address as the source of echo requests sent to a broadcast address, amplifying the flood; the Ping of Death crashed late-1990s TCP/IP stacks with reassembled echo packets exceeding 65,535 bytes; and the Loki tool (Phrack issues 49 and 51, 1996-97) pioneered ICMP tunneling, hiding a covert shell in echo payloads. ICMP redirect messages can also be forged to poison a host's routing table.

Defences include rate-limiting ICMP rather than dropping it, permitting types 3 and 4 plus all mandatory ICMPv6 Neighbor Discovery messages (RFC 4890 guidance), ignoring ICMP redirects on hardened hosts, and inspecting echo payloads in NDR/EDR for tunneling.
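The following sketch applies the defences above on the sensor side. It is an added example, not part of the original entry: the `IcmpTriage` class, the verdict strings, the 128-byte echo ceiling and the constructed sample packets are all assumptions. It relies on the RFC 792 rule that an echo reply must return the data of the request it answers, so a reply that differs is a tunneling indicator.

```python
import struct

# Assumption: site-specific ceiling; common ping defaults carry 32-56 data bytes.
MAX_ECHO_PAYLOAD = 128

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 for a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(icmp_type, code, ident=0, seq=0, payload=b""):
    """Construct a sample ICMPv4 message (test data only) with a valid checksum."""
    msg = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

class IcmpTriage:
    """Hypothetical classifier; a real sensor would also key state on src/dst IP."""
    def __init__(self):
        self.pending = {}  # (identifier, sequence) -> echo request payload

    def inspect(self, msg: bytes) -> str:
        if len(msg) < 8 or checksum(msg) != 0:
            return "drop-malformed"
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
        payload = msg[8:]
        if icmp_type in (3, 4):      # types the entry says to permit
            return "permit"
        if icmp_type == 5:           # redirect: hardened hosts ignore these
            return "alert-redirect"
        if icmp_type == 8:           # echo request: remember data for the reply check
            self.pending[(ident, seq)] = payload
            if len(payload) > MAX_ECHO_PAYLOAD:
                return "alert-oversized-echo"
            return "rate-limit"
        if icmp_type == 0:           # echo reply must return the request's data
            sent = self.pending.pop((ident, seq), None)
            if sent is None:
                return "alert-unsolicited-reply"
            return "rate-limit" if sent == payload else "alert-echo-payload-mismatch"
        return "rate-limit"          # everything else: rate-limit rather than drop

if __name__ == "__main__":
    sensor = IcmpTriage()
    print(sensor.inspect(build(8, 0, 7, 1, b"abcdefgh" * 4)))   # constructed request
    print(sensor.inspect(build(0, 0, 7, 1, b"uid=0(root)")))    # constructed reply
```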

flowchart LR
  A[Host: ping] -->|Echo Request type 8| R[Router]
  R --> B[Target host]
  B -->|Echo Reply type 0| A
  R -.->|Time Exceeded type 11| A
  R -.->|Dest Unreachable type 3| A
  X[Attacker] -.->|Forged Redirect type 5| A

Examples

  1. ping example.com sends ICMP echo requests and measures the time to receive echo replies.

  2. A router returns ICMP type 3 code 4 to signal that fragmentation is needed but DF is set.

Frequently asked questions

What is ICMP?

A network-layer control and diagnostics protocol (RFC 792 for IPv4, RFC 4443 for IPv6) used by hosts and routers to report errors and signal path conditions. It belongs to the Network Security category of cybersecurity.

What does ICMP mean?

A network-layer control and diagnostics protocol (RFC 792 for IPv4, RFC 4443 for IPv6) used by hosts and routers to report errors and signal path conditions.

How do you defend against ICMP?

Defences for ICMP typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for ICMP?

Common alternative names include: Internet Control Message Protocol.
