What is the Internet Control Message Protocol (ICMP)?
Internet Control Message Protocol (ICMP) is a protocol that network devices use to report problems with data transmission. One of its main uses is to determine whether data reaches its destination, and whether it does so in a timely manner. This makes ICMP an essential part of error reporting and of testing how well a network transmits data. However, it can also be abused to carry out distributed denial-of-service (DDoS) attacks.
The way ICMP works in network communication is similar to the communication between a carpenter building a house and a home improvement store. The store ships studs, floorboards, roofing materials, insulation and so on, and both sides assume each delivery arrives intact and in the right order.
For example, when a carpenter starts building a wall, he orders 28 2x4s, 10 pounds of nails, and a door. He needs the nails first, the 2x4s second, and the door last. The home improvement store sends them in that order, but the door arrives first. This won't work, because you can't hang a door without having a wall first. So the carpenter asks the store to resend the nails and 2x4s, and the store resends them, telling the driver to take a different route.
ICMP plays the role of the messenger between the carpenter and the store. It carries messages from the recipient back to the sender about the data that was supposed to be received. If the information does not reach the recipient, or arrives in the wrong form, ICMP lets the sender know that the data was not received as intended. In this way, ICMP is only a means of transferring data about data; it does not carry the information itself.
It also does not have a defined place of its own within the Open Systems Interconnection (OSI) model, which describes the seven layers involved in network transmission. Understanding ICMP helps you see why it is such an important tool, but it is just as essential to understand how ICMP can be used in a DDoS attack that could threaten an organization.
What is ICMP used for?
The primary purpose of ICMP is error reporting. When two devices communicate over the Internet, ICMP generates error messages for the sending device whenever data does not reach its intended destination. For example, if a data packet is too large for a router, the router discards the packet and sends an ICMP message back to the original source of the data.
The second use of ICMP is network diagnostics; the widely used traceroute and ping utilities both rely on it. Traceroute shows the route between two Internet devices: the actual path through connected routers that a packet must take before reaching its destination. Each trip from one router to the next is known as a 'hop', and traceroute also reports the time required for each hop along the way. This can be useful in determining the sources of network delays.
Ping is a simplified version of traceroute. It checks the connection speed between two devices and reports precisely how long it takes a data packet to reach its destination and return to the sending device. Although ping does not provide data about routes or hops, it is still helpful for measuring latency between two devices. ICMP echo-request and echo-reply messages are what ping uses.
Unfortunately, attackers can abuse this process to create disruptive mechanisms such as ICMP floods and ping of death attacks.
How does ICMP work?
Unlike Internet Protocol (IP), ICMP is not associated with a transport layer protocol like TCP or UDP. This makes ICMP a connectionless protocol: one device does not need to open a connection to another device before sending an ICMP message. Regular IP traffic is transmitted using TCP, meaning that any two devices exchanging data first perform a TCP handshake to ensure that both are ready to receive data. ICMP does not open a connection this way. ICMP messages also do not address a specific port on the device.
ICMP also differs from Internet Protocol version 6 (IPv6) in that it is not associated with Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). Because of this, a device does not need to connect to another before sending an ICMP message.
For example, in TCP, two devices that are about to connect engage in a handshake that takes a few steps. After the handshake is completed, data can be transferred from the sender to the recipient. This exchange can be viewed using a tool such as tcpdump.
ICMP is different: no connection is built, and the message is simply sent. And unlike TCP and UDP, which direct information to particular ports, there is nothing in an ICMP message that points to a specific port on the device that receives it.
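To make the message layout behind the two sections above concrete, here is an added example in Python (not code from the original article) that builds and parses ICMP messages: the echo request and echo reply that ping uses, and the Time Exceeded error that traceroute waits for from each router on the path. The type numbers and the 8-byte header layout come from RFC 792 and the checksum from RFC 1071; the identifier, sequence number, payload and the quoted datagram bytes are constructed for the example. Nothing is sent on a network; the code only builds and inspects the bytes, which also shows why no port appears anywhere in the message.

```python
import struct

# ICMP message types from RFC 792 that ping, traceroute and error reporting rely on
ICMP_TYPES = {
    0: "echo-reply",
    3: "destination-unreachable",
    8: "echo-request",
    11: "time-exceeded",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (type 8) or echo reply (type 0): 8-byte header plus payload."""
    if msg_type not in (0, 8):
        raise ValueError("echo messages are type 0 or 8")
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)  # checksum field zeroed
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def build_error(msg_type: int, code: int, original_datagram: bytes) -> bytes:
    """Build an error message (e.g. type 11 Time Exceeded, which traceroute waits for).
    Per RFC 792 the body quotes the triggering datagram's IP header plus its first 8 bytes."""
    header = struct.pack("!BBHI", msg_type, code, 0, 0)  # last 4 bytes are unused here
    csum = internet_checksum(header + original_datagram)
    return struct.pack("!BBHI", msg_type, code, csum, 0) + original_datagram


def parse_icmp(packet: bytes) -> dict:
    """Parse an ICMP message, verify its checksum and classify it by type."""
    if len(packet) < 8:
        raise ValueError("an ICMP message is at least 8 bytes")
    msg_type, code, _csum, rest_hi, rest_lo = struct.unpack("!BBHHH", packet[:8])
    info = {
        "type": msg_type,
        "code": code,
        "name": ICMP_TYPES.get(msg_type, "other"),
        # summing the whole message including its checksum field yields 0 when intact
        "checksum_ok": internet_checksum(packet) == 0,
        "body": packet[8:],
    }
    if msg_type in (0, 8):
        info["identifier"], info["sequence"] = rest_hi, rest_lo
    return info


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """ping pairs a reply with its request by identifier, sequence and the echoed payload."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == 8 and rep["type"] == 0 and rep["checksum_ok"]
            and req["identifier"] == rep["identifier"]
            and req["sequence"] == rep["sequence"]
            and req["body"] == rep["body"])


if __name__ == "__main__":
    # Constructed values: identifier 0x1234, sequence 1, a short payload
    request = build_echo(8, 0x1234, 1, b"ping-payload")
    reply = build_echo(0, 0x1234, 1, b"ping-payload")
    print(parse_icmp(request)["name"], is_reply_to(request, reply))
    # A Time Exceeded message as a router would return for an expired TTL; the quoted
    # datagram is a placeholder byte string, not a real IP header.
    expired = build_error(11, 0, b"\x45" + b"\x00" * 27)
    print(parse_icmp(expired)["name"], parse_icmp(expired)["checksum_ok"])
```

The identifier and sequence fields are the only state ping keeps: because there is no connection and no port, they are how a reply is matched to the request that caused it, and a corrupted message is caught only by the checksum.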
How is ICMP used in DDoS attacks?
ICMP is abused in DDoS attacks in several ways: the ICMP flood, the ping of death, and the Smurf attack.
In an ICMP flood, the attacker sends so many pings that the targeted device cannot handle all of the ICMP echo request packets. Because each packet requires processing and a reply, this drains the device's resources and prevents legitimate users from being served by it.
The ping of death involves an attacker sending an oversized ping to a device that cannot handle pings of that size. The machine may crash or freeze. The packet is split into fragments on its way to the target and put back together during reassembly. When the fragments are reassembled at the target, the result overflows a buffer, which causes the device to malfunction. The ping of death is mainly dangerous for older machines within a network.
In a Smurf attack, the attacker transmits an ICMP packet with a spoofed or forged source IP address. When the network devices respond, each response is sent to the spoofed address, and the target is flooded with a huge number of ICMP packets. This type of attack, too, is mainly a problem for older machines.
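From the defender's side, each of the three attacks above leaves a visible pattern in captured traffic. The following Python code is an added example (not part of the original article) that runs three simple checks over a constructed set of packet records: echo requests per source in a short window (ICMP flood), fragments of one datagram that would reassemble past the IPv4 maximum (ping of death), and echo requests addressed to a broadcast address (the Smurf amplification step). The record format, the thresholds, the addresses and the traffic itself are assumptions for the example; in practice the records would come from a packet or flow sensor, and the 65535-byte limit is the IPv4 total-length maximum from RFC 791.

```python
from collections import defaultdict
from dataclasses import dataclass

# RFC 791: the IPv4 total-length field is 16 bits, so a reassembled datagram
# (20-byte header plus payload) can never legitimately exceed 65535 bytes.
IPV4_MAX_PAYLOAD = 65535 - 20


@dataclass
class IcmpRecord:
    """One observed IP fragment carrying ICMP, as a sensor might log it (constructed format)."""
    ts: float          # capture time in seconds
    src: str           # source IP as seen on the wire (may be spoofed)
    dst: str
    icmp_type: int     # 8 = echo request, 0 = echo reply
    frag_id: int       # IP identification field, shared by fragments of one datagram
    frag_offset: int   # offset of this fragment's payload within the datagram, in bytes
    length: int        # payload bytes carried by this fragment


def detect_echo_flood(records, window=1.0, threshold=100):
    """ICMP flood: more than `threshold` echo requests from one source to one target per window."""
    counts = defaultdict(int)
    for r in records:
        if r.icmp_type == 8:
            counts[(r.src, r.dst, int(r.ts // window))] += 1
    return sorted({(src, dst) for (src, dst, _), n in counts.items() if n > threshold})


def detect_oversized_reassembly(records):
    """Ping of death: fragments of one datagram whose end lies past the IPv4 maximum payload."""
    reassembled_end = defaultdict(int)
    for r in records:
        key = (r.src, r.dst, r.frag_id)
        reassembled_end[key] = max(reassembled_end[key], r.frag_offset + r.length)
    return sorted(k for k, end in reassembled_end.items() if end > IPV4_MAX_PAYLOAD)


def detect_broadcast_echo(records, broadcast_addrs):
    """Smurf: echo requests sent to a directed-broadcast address, which every host would answer."""
    return sorted({(r.src, r.dst) for r in records
                   if r.icmp_type == 8 and r.dst in broadcast_addrs})


def sample_records():
    """Constructed traffic: one normal ping, one flood, one oversized fragment set, one Smurf probe."""
    recs = []
    # Normal ping: one echo request per second from an internal host
    for i in range(5):
        recs.append(IcmpRecord(float(i), "192.0.2.20", "192.0.2.10", 8, 1000 + i, 0, 64))
    # Flood: 150 echo requests from one source inside a single second
    for i in range(150):
        recs.append(IcmpRecord(10.0 + i * 0.005, "198.51.100.7", "192.0.2.10", 8, 2000 + i, 0, 64))
    # Oversized datagram: last fragment at offset 65528 (the largest encodable) carrying 40 bytes
    recs.append(IcmpRecord(20.00, "198.51.100.9", "192.0.2.10", 8, 4242, 0, 1480))
    recs.append(IcmpRecord(20.01, "198.51.100.9", "192.0.2.10", 8, 4242, 65528, 40))
    # Smurf probe: echo request addressed to the subnet's broadcast address
    recs.append(IcmpRecord(30.0, "203.0.113.5", "192.0.2.255", 8, 5000, 0, 64))
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("flood sources:", detect_echo_flood(recs))
    print("oversized datagrams:", detect_oversized_reassembly(recs))
    print("broadcast echo:", detect_broadcast_echo(recs, {"192.0.2.255"}))
```

The reassembly check works on offsets rather than on the bytes themselves, so it flags the datagram before any host tries to rebuild it; the other two checks are rate and addressing rules, and the mitigations that follow from them are the usual ones: rate-limit echo requests per source and do not forward echo requests to directed-broadcast addresses.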