ICMP Types You Should Monitor and Ones to Drop
- by Staff
The Internet Control Message Protocol (ICMP) is a fundamental part of the IP suite, providing diagnostic and control functions that are essential for network operations. Unlike TCP or UDP, ICMP is not designed for user-level data transport but rather for relaying error messages, operational information, and reachability notifications between network devices. While ICMP plays a crucial role in network visibility and troubleshooting, it can also be misused by attackers for reconnaissance, evasion, or denial-of-service activities. Therefore, understanding which ICMP message types are beneficial to monitor—and which should be restricted or dropped—is critical for maintaining a secure and well-functioning network.
One of the most universally used and monitored ICMP message types is Type 8, Echo Request, and its counterpart Type 0, Echo Reply. These form the basis of the widely used ping utility, which network administrators rely on to check host availability and measure round-trip latency. Monitoring these message types allows visibility into basic connectivity and performance issues. A sudden increase in echo requests or replies, especially from unusual sources or at high volumes, can indicate scanning activity or the early stages of a DDoS attack using ICMP floods. While echo requests are essential for diagnostics, rate-limiting them or restricting them to trusted sources can help mitigate abuse without eliminating their utility.
Another important category of ICMP messages to monitor is Destination Unreachable, Type 3, whose code field says why delivery failed. Code 1 indicates host unreachable; code 3, port unreachable, is how UDP-based traceroute learns it has reached its target and how a UDP port scan learns a port is closed; code 13, communication administratively prohibited, is what a filtering router or firewall sends when it rejects a packet rather than silently dropping it. Logging these messages provides insight into routing failures, firewall policy enforcement, and misconfigured devices: a burst of them quoting one host or prefix usually points to misrouting, a withdrawn route, or a failed segment. Because every Type 3 message quotes the IP header and first eight bytes of the packet that triggered it, a log entry can name the affected flow, not just the router that complained. One code must never be dropped: code 4, fragmentation needed and DF set, carries the next-hop MTU that Path MTU Discovery depends on, and filtering it produces the classic symptom of connections that complete the handshake and then hang as soon as a full-sized segment is sent. Type 3 should therefore be allowed through, rate-limited if necessary, rather than blocked wholesale.
ICMP Type 11, Time Exceeded, is another message type that is valuable for diagnostics, particularly in relation to traceroute. Code 0 is sent by a router that decrements a packet's TTL (Time to Live) to zero and discards it; code 1 is sent by a host that gave up reassembling a fragmented datagram. traceroute works by sending probes with TTL 1, 2, 3 and so on and recording which router returns the code 0 message for each, so every hop that emits Type 11 reveals itself. Monitoring Type 11 messages helps detect routing loops (a steady stream of them for the same destination), excessive delays, or misconfigurations in forwarding paths. The same mechanism lets an outside party map internal topology, so one option is to have border routers rate-limit or suppress Type 11 toward untrusted networks, accepting that traceroutes into the network from outside then show those hops as timeouts.
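The two preceding paragraphs say that Type 3 and Type 11 messages are most useful when the log entry names the flow that triggered them. The following added example, which is not part of the original article, parses both message types from raw bytes, verifies the ICMP checksum, decodes the code into a readable reason, pulls the quoted IPv4 header and transport ports out of the message body, and extracts the next-hop MTU for code 4. The three sample messages (a firewall reject, a traceroute hop, and a Path MTU Discovery notice) are constructed inline for the example, not captured traffic; their quoted IP headers carry a zero IP checksum, which the parser does not check.

```python
import struct
from ipaddress import IPv4Address

# Code names for Type 3 and Type 11, per RFC 792 / RFC 1122 / RFC 1812.
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set", 5: "source route failed",
    6: "destination network unknown", 7: "destination host unknown",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
TIME_EXCEEDED_CODES = {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum. Over a message whose checksum field is filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_error(msg):
    """Decode a Type 3 or Type 11 message and identify the datagram that triggered it.

    RFC 792 requires the error to quote the original IP header plus at least the first
    8 bytes of its payload, which for TCP and UDP holds the source and destination ports.
    """
    if len(msg) < 8 + 20:
        raise ValueError("message too short to hold an ICMP header and a quoted IP header")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = msg[0], msg[1]
    if itype == 3:
        kind, detail = "destination unreachable", UNREACHABLE_CODES.get(code, f"unknown code {code}")
    elif itype == 11:
        kind, detail = "time exceeded", TIME_EXCEEDED_CODES.get(code, f"unknown code {code}")
    else:
        raise ValueError(f"type {itype} is not a Type 3/11 error message")

    quoted = msg[8:]
    ver_ihl, _tos, _len, _id, _flags, ttl, proto, _cks, src, dst = struct.unpack("!BBHHHBBH4s4s", quoted[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    l4 = quoted[ihl:ihl + 8]                  # first 8 bytes of the original transport header
    info = {
        "type": itype, "code": code, "error": f"{kind}: {detail}",
        "orig_src": str(IPv4Address(src)), "orig_dst": str(IPv4Address(dst)),
        "orig_proto": PROTO_NAMES.get(proto, str(proto)), "orig_ttl": ttl,
    }
    if proto in (6, 17) and len(l4) >= 4:     # TCP/UDP: the first two 16-bit fields are the ports
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4[:4])
    if itype == 3 and code == 4:              # RFC 1191: next-hop MTU sits in bytes 6-7 of the ICMP header
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
    return info


def summarize(msg):
    """One log line per error, naming the flow the error is about rather than only the sender."""
    i = parse_icmp_error(msg)
    flow = f"{i['orig_src']}:{i.get('orig_sport', '-')} -> {i['orig_dst']}:{i.get('orig_dport', '-')}/{i['orig_proto']}"
    extra = f" next_hop_mtu={i['next_hop_mtu']}" if "next_hop_mtu" in i else ""
    return f"icmp type={i['type']} code={i['code']} ({i['error']}) flow={flow} ttl={i['orig_ttl']}{extra}"


# Constructed samples (not captured traffic). IP header checksums are left zero; the ICMP checksum is real.
def _ipv4(src, dst, proto, ttl):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def _icmp_error(itype, code, quoted, rest=0):
    head = struct.pack("!BBHI", itype, code, 0, rest)
    return struct.pack("!BBHI", itype, code, icmp_checksum(head + quoted), rest) + quoted


SAMPLES = {
    # A firewall rejected a TCP SYN from 10.0.0.5:51234 to 192.0.2.10:443 with Type 3 Code 13.
    "admin_prohibited": _icmp_error(3, 13, _ipv4("10.0.0.5", "192.0.2.10", 6, 62) + struct.pack("!HHI", 51234, 443, 0x1000)),
    # A traceroute hop answered a UDP probe whose TTL reached zero.
    "ttl_exceeded": _icmp_error(11, 0, _ipv4("10.0.0.5", "198.51.100.7", 17, 1) + struct.pack("!HHHH", 33434, 33436, 40, 0)),
    # Path MTU Discovery: a router could not forward a DF packet over a 1400-byte link.
    "frag_needed": _icmp_error(3, 4, _ipv4("10.0.0.5", "192.0.2.10", 6, 60) + struct.pack("!HHI", 51234, 443, 0x2000), rest=1400),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:17s} {summarize(msg)}")
```

The quoted inner header is what makes these messages actionable: a Type 3 Code 13 whose quoted flow is an internal host talking to an unexpected external port is a policy hit worth correlating with the firewall's own log, and a stream of Code 4 messages naming one destination and one MTU is a path that needs a smaller MSS, not a firewall rule.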
Beyond these commonly monitored types, two legacy types deserve an explicit policy. Type 4, Source Quench, historically told a sender to reduce its transmission rate because of congestion. It was formally deprecated by RFC 6633 (2012), hosts are required to ignore it, and it had been abused to throttle a victim's TCP connections, so its presence on a network indicates outdated equipment or a misconfiguration. Type 5, Redirect, instructs a host to update its routing table with a better next hop. It is only legitimate when it comes from the host's own first-hop router on the same link, and a host that accepts redirects from anyone can be made to send its traffic through an attacker on the local segment. Block both types at the edge and between trust boundaries, and disable redirect acceptance on hosts that do not need it (on Linux, net.ipv4.conf.all.accept_redirects = 0, and send_redirects = 0 on hosts that do not route).
ICMP Router Advertisement (Type 9) and Router Solicitation (Type 10) are the IPv4 router discovery messages defined in RFC 1256. They are rarely deployed today, since hosts normally learn their default gateway from DHCP, so unless a network actually uses them they should be dropped and any sighting investigated. Their IPv6 counterparts are a different protocol: ICMPv6 Router Advertisement (Type 134) and Router Solicitation (Type 133), part of Neighbor Discovery, and those are essential, because stateless address autoconfiguration (SLAAC) and default-route selection depend on them. Monitoring them helps ensure that clients are receiving valid prefix and routing information. If they are not secured, a rogue advertisement from any host on the link can install itself as the default router or announce a bogus prefix and silently take over client traffic. Do not filter RA/RS off the link, which breaks SLAAC; instead limit advertisements to trusted router ports with RA Guard (RFC 6105) or an equivalent switch feature, and alert on advertisements from any other source.
Certain ICMP patterns are commonly abused and should be dropped or heavily filtered on internet-facing interfaces and in untrusted zones. Echo Requests sent to a broadcast address with a spoofed victim source (the classic smurf attack) turn every host on the segment into a reflector; refusing to forward directed broadcasts and rate-limiting echo at the perimeter removes that amplification. Malformed or suspicious ICMP packets, including undefined types, non-zero codes for types that define only code 0, and echo messages with large or non-standard data, are the signatures of covert channels and OS-fingerprinting scanners. Dropping or rate-limiting such traffic at perimeter firewalls, while preserving the diagnostic types internally, strikes a balance between usability and security.
Advanced persistent threats (APTs) have been known to use ICMP as a covert communication channel, exploiting its under-the-radar nature to exfiltrate data or control compromised hosts. By embedding payloads in the data field of echo messages, attackers can bypass inspection that focuses on TCP and UDP. Stateful firewalls already pair each Echo Reply with its request; inspection and anomaly detection systems should do the same and treat a reply whose data does not mirror its request, or that has no request at all, as a strong signal, alongside oversized or non-standard echo data and unusual message frequency from a single host.
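The following added example, which is not part of the original article, shows the detection logic the paragraph above describes as a small stateful analyzer. For each echo packet it checks the request rate per source, the data size, whether the data has the low-complexity shape standard ping tools fill in, and whether each reply mirrors a request it has seen. The packets it processes are constructed inline for the example (the "tunnel" data is a deterministic hash chain standing in for encrypted content); the thresholds of 64 bytes and 20 requests per second are assumptions to be tuned per network, not values from the article. It goes one step beyond the text by checking payload shape with byte-to-byte deltas rather than byte entropy, because ping's incrementing fill has near-maximal entropy and an entropy threshold would flag every ordinary ping.

```python
import hashlib
import struct
from collections import defaultdict, deque

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def parse_echo(raw):
    """Split an ICMP echo request/reply into (type, code, identifier, sequence, data). Checksum not verified."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return itype, code, ident, seq, raw[8:]


def looks_like_ping_fill(data, timestamp_bytes=16):
    """True if the data after the timestamp region is the low-complexity fill ping tools use
    (incrementing bytes on Linux/BSD, a repeating alphabet on Windows). Those fills produce one or
    two distinct byte-to-byte deltas; tunnelled commands, compressed or encrypted blobs produce many."""
    body = data[timestamp_bytes:]
    if len(body) < 8:
        return True  # too little data to judge, and too little to carry much
    deltas = {(body[i + 1] - body[i]) % 256 for i in range(len(body) - 1)}
    return len(deltas) <= 3


class IcmpTunnelDetector:
    """Stateful checks on echo traffic: request rate, data size and shape, and whether replies
    mirror their request as RFC 792 requires."""

    def __init__(self, max_payload=64, max_requests_per_window=20, window_seconds=1.0):
        self.max_payload = max_payload              # assumed threshold; Linux ping sends 56, Windows 32
        self.max_requests = max_requests_per_window  # assumed threshold
        self.window = window_seconds
        self.pending = {}                           # (src, dst, ident, seq) -> request data; prune in production
        self.request_times = defaultdict(deque)     # src -> timestamps of requests inside the window

    def observe(self, ts, src, dst, raw):
        """Process one ICMP packet seen at time ts (seconds); returns the alerts it raised."""
        itype, _code, ident, seq, data = parse_echo(raw)
        alerts = []
        if itype == ICMP_ECHO_REQUEST:
            times = self.request_times[src]
            times.append(ts)
            while ts - times[0] > self.window:
                times.popleft()
            if len(times) > self.max_requests:
                alerts.append(f"{src}: {len(times)} echo requests within {self.window}s (flood or beacon)")
            if len(data) > self.max_payload:
                alerts.append(f"{src}->{dst}: oversized echo request data ({len(data)} bytes)")
            if not looks_like_ping_fill(data):
                alerts.append(f"{src}->{dst}: echo request data is not a ping fill pattern")
            self.pending[(src, dst, ident, seq)] = data
        elif itype == ICMP_ECHO_REPLY:
            request_data = self.pending.pop((dst, src, ident, seq), None)  # the reply flows back to the requester
            if request_data is None:
                alerts.append(f"{src}->{dst}: unsolicited echo reply id={ident} seq={seq}")
            elif request_data != data:
                alerts.append(f"{src}->{dst}: echo reply data differs from the request (tunnel reply?)")
        return alerts


# Constructed traffic for the demo; checksum fields are left zero because the detector does not verify them.
def build_echo(itype, ident, seq, data):
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + data


def _blob(n):
    """Deterministic pseudo-random bytes standing in for encrypted tunnel content."""
    out = b""
    while len(out) < n:
        out += hashlib.sha256(out[-32:] or b"constructed").digest()
    return out[:n]


PING_PAYLOAD = b"\x00\x00\x00\x00\x65\x4a\xb2\xc0" + bytes(range(0x10, 0x40))  # timestamp + incrementing fill
TUNNEL_REQUEST = _blob(200)
TUNNEL_REPLY = b"uid=0(root) gid=0(root)\n"


def run_demo():
    """Feed the constructed traffic through the detector and return every alert raised."""
    det = IcmpTunnelDetector()
    alerts = []
    # 1. Ordinary ping exchange: request and the matching reply. Expected to stay silent.
    alerts += det.observe(0.00, "10.0.0.5", "192.0.2.10", build_echo(8, 0x1234, 1, PING_PAYLOAD))
    alerts += det.observe(0.02, "192.0.2.10", "10.0.0.5", build_echo(0, 0x1234, 1, PING_PAYLOAD))
    # 2. Tunnel: oversized, non-fill request; the reply carries command output instead of the request data.
    alerts += det.observe(1.00, "10.0.0.7", "203.0.113.9", build_echo(8, 0xBEEF, 1, TUNNEL_REQUEST))
    alerts += det.observe(1.05, "203.0.113.9", "10.0.0.7", build_echo(0, 0xBEEF, 1, TUNNEL_REPLY))
    # 3. A reply for which no request was ever seen.
    alerts += det.observe(2.00, "203.0.113.9", "10.0.0.7", build_echo(0, 0xBEEF, 99, TUNNEL_REPLY))
    # 4. Beaconing: 25 well-formed requests from one host inside one second.
    for i in range(25):
        alerts += det.observe(3.0 + i * 0.01, "10.0.0.8", "203.0.113.9", build_echo(8, 1, i, PING_PAYLOAD))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run against live traffic this would sit behind a capture library; the scenario in run_demo() raises nothing for the ordinary ping and four distinct alerts for the tunnel and the unsolicited reply, plus one per packet once the beaconing host crosses the rate threshold. The reply-mirroring check is the cheapest and most specific of the four: a legitimate stack copies the request data back verbatim, so any difference is either a broken implementation or a tunnel endpoint answering in-band.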
In many networks, especially those employing segmentation and zero-trust principles, ICMP policies are tiered based on role and trust level. In a data center environment, for example, echo requests might be limited to monitoring systems, while destination unreachable messages are allowed only within infrastructure segments. Logging and monitoring of ICMP traffic at these boundaries can provide early indicators of misrouting, unauthorized access attempts, or configuration drift.
Ultimately, ICMP remains an indispensable protocol for network health and visibility, but its dual-use nature requires careful handling. By selectively monitoring essential message types like Echo, Destination Unreachable, and Time Exceeded—while filtering or dropping risky ones such as Redirects, Source Quench, and unsolicited Echo Replies—network operators can maintain robust operational awareness without exposing the infrastructure to unnecessary risk. Coupled with modern telemetry and security tooling, ICMP becomes not only a diagnostic tool but a valuable source of intelligence for maintaining a resilient and secure network.