🛡️ Which ICMP Message Types Should Be Blocked Inbound?
Last updated: 2025
Quick Summary (TL;DR)
- ICMP is essential for network communication, but some message types can be abused.
- Inbound ICMP should not be fully blocked—only risky or unnecessary types.
- Echo Requests, Redirects, Source Quench, and Timestamp messages are usually blocked inbound.
- Destination Unreachable and Time Exceeded must be allowed for proper network functionality.
Introduction
The Internet Control Message Protocol (ICMP) is a core component of how IP networks operate.
It is responsible for delivering error messages and operational information between network devices.
Without ICMP, basic tools like ping and traceroute would not work.
However, ICMP has also been historically abused by attackers for reconnaissance, denial-of-service attacks, and covert data exfiltration. For this reason, many administrators ask an important security question: Which ICMP message types should be blocked inbound without breaking the network?
This guide provides a clear, practical, and security-focused answer—especially for beginners and intermediate network administrators.
Understanding ICMP
ICMP operates at the network layer of the OSI model and is mainly used by routers and hosts to communicate errors and status information. Unlike TCP or UDP, ICMP is not used to transmit application data.
Common ICMP-based utilities include:
- ping – tests reachability
- traceroute – maps the path packets take
ICMP Message Structure
Each ICMP message contains:
- Type – identifies the message category
- Code – provides additional context
- Checksum – verifies integrity
- Payload – depends on message type
Common ICMP Message Types
| Type | Code | Description |
|---|---|---|
| 0 | 0 | Echo Reply |
| 3 | 0–15 | Destination Unreachable |
| 4 | 0 | Source Quench (Deprecated) |
| 5 | 0–3 | Redirect |
| 8 | 0 | Echo Request |
| 11 | 0–1 | Time Exceeded |
| 13 | 0 | Timestamp Request |
| 14 | 0 | Timestamp Reply |
Security Risks Associated with ICMP
- Reconnaissance: Attackers discover live hosts using ICMP Echo Requests.
- DoS attacks: ICMP floods and Smurf attacks overwhelm systems.
- ICMP tunneling: Data exfiltration hidden inside ICMP packets.
- Redirect abuse: Malicious routing manipulation.
ICMP Message Types to Block Inbound
1. Echo Request (Type 8)
Used by ping. Blocking inbound Echo Requests reduces reconnaissance and network mapping, at the cost of external ping-based monitoring of the host.
2. Redirect (Type 5)
ICMP Redirects can alter routing paths and are rarely needed in secure environments.
3. Source Quench (Type 4)
Formally deprecated (RFC 6633) and no longer acted on by modern hosts. Safe to block completely.
4. Timestamp Request & Reply (Types 13 & 14)
Rarely used today and can leak system timing information.
ICMP Message Types to Allow Inbound
1. Destination Unreachable (Type 3)
Critical for Path MTU Discovery (Code 4, "Fragmentation Needed") and for proper error handling of unreachable hosts, networks, and ports.
2. Time Exceeded (Type 11)
Required for traceroute and detecting routing loops.
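The following Python script is an added illustration (not code from this article or from any firewall product) that ties the ICMP message structure described earlier to the allow/block policy above. It splits a raw ICMPv4 message into Type, Code, Checksum and Payload, verifies the RFC 1071 checksum, and returns ACCEPT or DROP using the same type sets the article recommends. The sample messages are constructed inline; the default-deny treatment of types not listed in the article is an assumption made for this example.

```python
import struct

# ICMPv4 type numbers from the table above (RFC 792). The policy sets mirror the
# article's recommendations; treating unlisted types as DROP is an assumption
# made for this example (default-deny).
BLOCK_INBOUND = {4, 5, 8, 13, 14}   # Source Quench, Redirect, Echo Request, Timestamp Req/Reply
ALLOW_INBOUND = {3, 11}             # Destination Unreachable, Time Exceeded
TYPE_NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
              13: "Timestamp Request", 14: "Timestamp Reply"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Computed over a message whose checksum field is already filled in, it returns 0."""
    if len(data) % 2:
        data += b"\x00"                 # pad odd-length messages with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum (used only to construct sample input)."""
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unchecked)) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into the four fields listed above and verify the checksum."""
    if len(packet) < 4:
        raise ValueError("ICMP header needs at least 4 bytes")
    icmp_type, code, checksum = struct.unpack("!BBH", packet[:4])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": checksum,
        "payload": packet[4:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def inbound_decision(packet: bytes) -> str:
    """Return ACCEPT or DROP for an inbound ICMP message under the article's policy."""
    msg = parse_icmp(packet)
    if not msg["checksum_ok"]:
        return "DROP"                   # corrupted message: never hand it to the stack
    if msg["type"] in ALLOW_INBOUND:
        return "ACCEPT"
    return "DROP"                       # types listed as risky, and (assumed) unlisted types


# Constructed sample messages: Echo Request, a "fragmentation needed" Destination
# Unreachable (type 3, code 4), Time Exceeded, Redirect, and a corrupted Echo Reply.
SAMPLE_PACKETS = {
    "echo_request": build_icmp(8, 0, b"abcd"),
    "frag_needed": build_icmp(3, 4, b"\x00" * 4),
    "ttl_exceeded": build_icmp(11, 0, b"\x00" * 4),
    "redirect": build_icmp(5, 1, b"\x00" * 4),
}
_corrupt = bytearray(build_icmp(0, 0, b"hi"))
_corrupt[-1] ^= 0xFF                    # flip a payload byte so the checksum no longer matches
SAMPLE_PACKETS["corrupted_echo_reply"] = bytes(_corrupt)


def filter_samples() -> dict:
    """Apply the policy to every sample and return {name: decision}."""
    return {name: inbound_decision(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        m = parse_icmp(pkt)
        print(f"{name:22} type={m['type']:2} ({TYPE_NAMES.get(m['type'], '?')}) "
              f"code={m['code']} checksum_ok={m['checksum_ok']} -> {inbound_decision(pkt)}")
```

Run it directly to see each sample classified. The checksum check is shown because a firewall that reads only the Type byte still has to trust the header; a real packet filter performs the same parse before its type-based rules apply.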
Implementing ICMP Filtering with iptables
The rules below implement the policy above for IPv4. iptables evaluates rules in order, so any rate-limiting rule for Type 8 (next section) must come before the unconditional Type 8 DROP. These rules do not apply to ICMPv6, which must not be filtered this aggressively because IPv6 depends on it for Neighbor Discovery.

```bash
# Drop the message types identified above as risky or unnecessary
iptables -A INPUT -p icmp --icmp-type 8 -j DROP     # Echo Request
iptables -A INPUT -p icmp --icmp-type 5 -j DROP     # Redirect
iptables -A INPUT -p icmp --icmp-type 4 -j DROP     # Source Quench
iptables -A INPUT -p icmp --icmp-type 13 -j DROP    # Timestamp Request
iptables -A INPUT -p icmp --icmp-type 14 -j DROP    # Timestamp Reply
# Allow the error messages the network depends on
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT   # Destination Unreachable
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT  # Time Exceeded
```
Rate Limiting ICMP Instead of Blocking
Instead of dropping Echo Requests outright, accept them at a limited rate. The limit match below accepts up to 5 requests immediately and then 1 per second; requests beyond that do not match and fall through to the next rule, so the ACCEPT must be followed by an explicit DROP for the same type (and placed before any unconditional Type 8 DROP):

```bash
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j DROP     # everything over the limit
```
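To make the behaviour of `--limit 1/s --limit-burst 5` concrete, the following Python script is an added illustration (not part of this article or of iptables itself) that models the limit match as a token bucket: the bucket starts with `burst` tokens, refills at `rate` tokens per second, and each Echo Request spends one token or is dropped. The arrival pattern is constructed to show a small flood followed by a pause; the model is a simplification of the kernel's implementation and assumes packet timestamps are non-decreasing.

```python
from typing import List, Optional


class LimitMatch:
    """Token-bucket model of `-m limit --limit <rate>/s --limit-burst <burst>`.
    The bucket starts full, refills continuously at `rate` tokens per second (capped
    at `burst`), and each matching packet spends one token. A packet that finds no
    token does not match and falls through to the next rule (DROP in the article)."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)
        self.last_seen: Optional[float] = None

    def accept(self, now: float) -> bool:
        if self.last_seen is not None:
            # refill in proportion to elapsed time, never beyond the burst size
            self.tokens = min(self.burst, self.tokens + (now - self.last_seen) * self.rate)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_echo_requests(arrival_times: List[float],
                         rate_per_s: float = 1.0, burst: int = 5) -> List[str]:
    """Run a sequence of inbound Echo Request arrivals (seconds, non-decreasing)
    through the limit rule and return ACCEPT or DROP for each packet."""
    bucket = LimitMatch(rate_per_s, burst)
    return ["ACCEPT" if bucket.accept(t) else "DROP" for t in arrival_times]


# Constructed arrival pattern: a burst of 8 pings at t=0 (a small flood), then 3 more
# two seconds later. With --limit 1/s --limit-burst 5 this yields 5 accepts and 3 drops,
# then 2 accepts (two seconds of refill) and 1 drop.
FLOOD = [0.0] * 8 + [2.0] * 3

if __name__ == "__main__":
    for t, decision in zip(FLOOD, filter_echo_requests(FLOOD)):
        print(f"t={t:4.1f}s  {decision}")
```

The script shows why the DROP rule after the limited ACCEPT matters: every packet the bucket rejects is exactly the traffic that would otherwise continue to the rest of the chain.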
Real-World Example: Smurf Attack
A Smurf attack floods a victim by abusing ICMP Echo Requests sent to broadcast addresses.
Mitigation
- Disable ICMP broadcast responses
- Apply ingress filtering
- Rate-limit ICMP traffic
Conclusion
Blocking ICMP entirely is a mistake. A secure approach focuses on blocking only unnecessary or dangerous ICMP message types while allowing those required for network stability.
By applying selective filtering and rate limiting, organizations can significantly reduce attack surface without breaking essential diagnostics and communication.