What is ICMP?

The Internet Control Message Protocol (ICMP) is a set of communication rules that devices use to communicate data transmission errors in a network. In a message exchange between the sender and receiver, certain unexpected errors can occur. For example, messages can be too long, or data packets can arrive out of order so the receiver can’t assemble them. In such cases, the receiver uses ICMP to inform the sender with an error message and requests the message be resent.

What are ICMP use cases?

The Internet Control Message Protocol (ICMP) is an important network layer protocol in computer networking. It provides a standardized mechanism for network devices to communicate vital information like connectivity and network status. All devices connected to the network, including routers and endpoint devices, can process ICMP messages. ICMP has been adapted to work with both IPv4 and IPv6.

Read about computer networking »

Next, we discuss some common ICMP use cases.

Error reporting

ICMP error messages report networking errors—such as unreachable destinations, timeouts, or fragmentation problems. The messages are especially important for User Datagram Protocol (UDP), which has a connectionless communications model.

UDP does not provide reliable, ordered delivery of packets. When a UDP packet is sent, it’s possible that the packet may be lost, or it may be delivered with faults such as checksum errors. If this happens, the receiver sends ICMP error reporting messages back to the sender to notify it of the problem.


You can use ICMP for network diagnostics. It’s most commonly used for ping and traceroute commands.

The ping command tests the reachability of network devices by sending ICMP echo request packets to a target device. If the device is reachable, it returns an ICMP echo reply. It reliably checks network latency and ensures the device is available.

The traceroute command traces the path taken by packets from a source to a destination. To do this, the command sends echo request and echo reply messages to the intended destination.

Echo requests contain a time-to-live (TTL) value, which decreases by one each time the packet passes through a router. When a packet reaches a router with a TTL of zero, the router sends an ICMP message back to the source.

The message contains information about the route taken by the packet. Traceroute reveals the exact path of a packet, which can provide you with network performance insights.

Network security

You can use ICMP to detect unauthorized network traffic and permit only legitimate traffic over a network. Firewalls use ICMP to allow or block certain types of traffic. Network administrators also use ICMP monitoring tools to track the status and connectivity of network devices and detect unknown devices.

You can also use it to spot unusual traffic patterns that may indicate unauthorized activity.

How does ICMP work?

The Internet Control Message Protocol (ICMP) usually works alongside other network protocols like TCP/IP or User Datagram Protocol (UDP). Hosts and routers exchange ICMP messages or ICMP packets when certain network events occur.

An ICMP packet comprises an ICMP packet header and an ICMP data section.

ICMP packet header

The ICMP header contains information about the packet type, its code, the checksum, and an identifier. When ICMP packets are sent, the message receiver reads the header information. Based on the type of packet, it takes appropriate action.

For example, if the type is an echo request, the receiver sends an echo reply with the same data. If the type is a destination unreachable, the receiver replies with a destination unreachable message.

ICMP data section

The data section in an ICMP message includes information such as the destination's IP address or the failure's cause. It also contains error codes or numerical codes that identify the errors.

Here are some examples:

  • A destination unreachable (Type 3) code indicates that the receiver device does not exist on the network
  • A redirect (Type 5) code sends a message to another router indicating a better route to the destination
  • Echo request and echo reply (Types 8 and 10) codes test connectivity between devices
  • A time exceeded message shows a packet has exceeded its maximum time to reach a destination
  • A Parameter Problem message indicates when a router encounters an issue with an IP field header
  • A Source Quench message is sent when a router experiences congestion and needs to limit the number of packets it receives

What is the difference between ICMP and TCP?

TCP is a connection-oriented protocol for reliable, error-checked data delivery. It’s commonly used for web browsing, email, remote login, and file transfer applications. TCP requires handshaking, a series of messages that establish trust and authentication between sender and receiver. TCP guarantees message delivery. 

In contrast, The Internet Control Message Protocol (ICMP) is a connectionless protocol. It does not guarantee message delivery. As ICMP is only used for error reporting, the ICMP messages are also smaller than TCP packets.

ICMP and TCP are used in conjunction to establish why a TCP delivery failed.

What are ICMP ping floods?

Internet Control Message Protocol (ICMP) ping floods are denial of service (DoS) events where unauthorized users send multiple ICMP echo requests in a short period. Each ICMP request contains a unique identifier and data payload that requires the receiver to respond uniquely. The receiving server attempts to respond to each unauthorized request, which delays or slows responses to authorized sources. 

To protect against an ICMP ping flood, you should ensure your network’s devices are configured to limit the amount of ICMP traffic they’re willing to accept. It’s also important to monitor your network for unauthorized activity and to apply necessary security measures, such as firewalls and intrusion detection systems (IDS).

How can AWS strengthen protection from DDoS events?

Amazon Web Services (AWS) offers AWS Shield to help you better protect against distributed denial of service (DDoS) events.

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides dynamic detection and automatic inline mitigations that minimize application downtime and latency. AWS Shield includes automated mitigation techniques to protect against all types of network security events.

You benefit from many features with AWS Shield:

  • Automatic scrubbing of unauthorized traffic at specific layers
  • Minimization of application downtime and latency
  • Monitoring and protection of up to 1,000 resource types
  • Tailored detection based on application traffic patterns

Get started with DDoS protection by creating an account today.

Next Steps on AWS

Check out additional product-related resources
Check out Content Delivery Services 
Sign up for a free account

Instant get access to the AWS Free Tier.

Sign up 
Start building in the console

Get started building in the AWS management console.

Sign in