ICMP in Modern IP Networks: Balancing Diagnostic Utility, Security Risk and Operational Efficiency

Authors

DOI:

https://doi.org/10.54361/ajmas.269702

Keywords:

ICMP, Network Security, Path MTU Discovery, Rate Limiting, IPv6

Abstract

Despite its crucial role in network diagnostics, error reporting, and Path MTU Discovery (PMTUD), the unauthenticated and trusting nature of the Internet Control Message Protocol (ICMP) makes it an ideal target for volumetric attacks, covert channels, and reconnaissance. Network administrators are left with a difficult decision: blocking all ICMP traffic effectively closes off the attack surface but disables PMTUD and traceroute, whereas allowing too much traffic exposes infrastructure to abuse. In this paper, we offer a systematic quantitative study of the balance between the usefulness of ICMP for diagnostics, the associated security concerns, and operational overheads. Specifically, we introduce a policy framework for ICMP traffic that consists of a precise classification of ICMP message types, selective acceptance of necessary error messages, rate limiting of diagnostic probes (up to 5–10 pps/source), and rejection of outdated and risky message types. We conduct a series of experiments in a testbed under ICMP flood and reflection attacks to analyze three policy archetypes: balanced, blocking, and permissive. Our results show that the balanced policy ensures PMTUD success in 94% of cases and a 91% traceroute completion rate; at the same time, it limits the attack surface by 73% and throughput degradation by only 12%, providing an effective balance between network functionality, security, and operational performance.
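The four elements of the policy framework named in the abstract can be sketched as a small decision engine. This is an added example, not code from the paper: the assignment of ICMPv4 types to classes, the burst size, the class and function names, and the sample traffic are all assumptions, and only the 5 pps/source limit comes from the abstract.

```python
from collections import Counter

# Assumed IPv4 classification (type numbers per the IANA ICMP registry).
ESSENTIAL = {3, 11, 12}   # Destination Unreachable (code 4 drives PMTUD), Time Exceeded, Parameter Problem
DIAGNOSTIC = {0, 8}       # Echo Reply, Echo Request
# Every other type is dropped, e.g. 4 Source Quench, 5 Redirect, 13-18 Timestamp/Information/Address Mask.

class BalancedIcmpPolicy:
    """Per-source token bucket kept in integer milli-tokens to avoid float drift."""
    def __init__(self, pps=5, burst=5):
        self.pps, self.cap = pps, burst * 1000
        self.buckets = {}  # src -> (milli_tokens, last_ms)

    def decide(self, src, icmp_type, now_ms):
        if icmp_type in ESSENTIAL:
            return "accept"            # error messages are never rate limited here
        if icmp_type not in DIAGNOSTIC:
            return "drop"              # outdated or risky types
        tokens, last = self.buckets.get(src, (self.cap, now_ms))
        # pps tokens per second equals pps milli-tokens per millisecond
        tokens = min(self.cap, tokens + max(0, now_ms - last) * self.pps)
        verdict = "accept" if tokens >= 1000 else "rate-limited"
        if verdict == "accept":
            tokens -= 1000
        self.buckets[src] = (tokens, now_ms)
        return verdict

def replay(events, policy=None):
    """Run (src, icmp_type, timestamp_ms) events through the policy; count verdicts per source."""
    policy = policy or BalancedIcmpPolicy()
    counts = Counter()
    for src, icmp_type, ts in sorted(events, key=lambda e: e[2]):
        counts[(src, policy.decide(src, icmp_type, ts))] += 1
    return counts

# Constructed sample traffic (documentation address ranges, timestamps in ms).
SAMPLE = (
    [("198.51.100.7", 8, i * 10) for i in range(100)]      # echo flood at 100 pps for 1 s
    + [("192.0.2.10", 8, i * 1000) for i in range(3)]      # ordinary ping at 1 pps
    + [("203.0.113.1", 3, 500), ("203.0.113.1", 11, 600)]  # PMTUD and traceroute replies
    + [("198.51.100.7", 5, 700), ("198.51.100.7", 13, 800)]  # Redirect, Timestamp Request
)

if __name__ == "__main__":
    for key, n in sorted(replay(SAMPLE).items()):
        print(key, n)
```

On the constructed traffic the flooding source gets its initial burst plus the sustained 5 pps allowance, while error messages and the low-rate ping pass untouched.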

Published

2026-07-02

How to Cite

1. Abdalraheem Terfas, Nuredin Ahmed. ICMP in Modern IP Networks: Balancing Diagnostic Utility, Security Risk and Operational Efficiency. Alq J Med App Sci [Internet]. 2026 Jul. 2 [cited 2026 Jul. 5];:1845-52. Available from: https://journal.utripoli.edu.ly/index.php/Alqalam/article/view/1735