The internet control message protocol (ICMP) operates at OSI Layer 3 (the network layer) to enable networking devices (such as routers) and administrators to detect, communicate, and diagnose network communication issues. ICMP primarily helps diagnose transmission problems by testing if packets reach their destination in a timely fashion. ICMP also helps identify routers that are active or faulty.
Accordingly, devices use ICMP to report communication errors — whether they stem from data packets arriving in a scrambled order, an unexpectedly long message, or complete connection failures. All of these issues prevent the sender and receiver from communicating effectively.
ICMP debuted in 1981, shortly after TCP was released and a decade before HTTP came into being. ICMP doesn't rely on these protocols to function, and instead works more like a standalone utility to keep networks running smoothly. ICMP packets tend to carry smaller payloads and the protocol itself does not guarantee message delivery like TCP does. It was initially defined under the RFC 792 specification and updated for IPv6 under RFC 4443.
How does the internet control message protocol (ICMP) work?
ICMP can help uncover efficiency issues across the network by assessing connection times and transmission rates. The ping function that many online gamers and network engineers alike are so familiar with leverages ICMP to measure response times (or latency) using echo requests. However, this "version" of ping differs from TCP ping or UDP ping since those alternatives simply ask for responses, and use a different underlying protocol.
If something goes wrong while routing a network packet — such as the host not being reachable or the time to live counter reaching zero — a returned ICMP status message will let the client know the fate of its packet.
One networking device using ICMP can send specialized packets to another device, request a reply called an echo reply, and hopefully receive that ICMP packet back. If there are problems sending and receiving ICMP packets, an engineer can use that information to guide further troubleshooting efforts with different network packet types.
ICMP has two main components:
An ICMP packet header, which contains the packet type, checksum, identifier, and any associated code. The header can also contain ICMP echo information — denoting whether or not requests and replies can reach their destinations.
An ICMP data section, which contains destination IP address details, numerical or alphanumeric error codes, and any causes of transmission issues. For example, the data section might include information on redirects, timeouts, parameter conflicts, or unreachable status updates.
An ICMP packet isn't overly large or complex. Plenty of external diagnostic and performance tools use ICMP to measure ping, for example, and any network engineer measuring reliability will be very familiar with ICMP. The straightforward nature of the protocol makes it relatively easy to work with.
ICMP security concerns
The mechanisms powering ICMP have also facilitated some DDoS attack methods. Much like bad actors have taken advantage of HTTP and UDP design weaknesses over the years, hackers have used ICMP to trigger flood attacks, ping-of-death attacks (overwhelming recipients during the packet reassembly stage), and smurf attacks based on IP snooping. However, those latter two methods are less popular now since they primarily impact aging networking equipment.
ICMP can also be used to quickly scan a large address range for hosts, in order to determine which IPs are active. This process sometimes uses heuristics on the response packet to get a rough idea which type of device it's coming from. Some organizations also configure firewalls to drop ICMP pings.
Does HAProxy support the internet control message protocol (ICMP)?
Yes! HAProxy ALOHA supports ICMP health checks by sending echo packets back and forth across the network. HAProxy ALOHA will continually ping the backend server to measure responsiveness and gauge reachability — promoting high availability.
To learn more about ICMP support in HAProxy, check out our ICMP health check documentation.