ICMP in Modern IP Networks: Balancing Diagnostic Utility, Security Risk and Operational Efficiency
DOI: https://doi.org/10.54361/ajmas.269702
Keywords: ICMP, Network Security, Path MTU Discovery, Rate Limiting, IPv6
Abstract
Despite its crucial role in network diagnostics, error reporting, and Path MTU Discovery (PMTUD), the unauthenticated and trusting nature of the Internet Control Message Protocol (ICMP) makes it an ideal target for volumetric attacks, covert channels, and reconnaissance. Network administrators face a difficult trade-off: blocking all ICMP traffic closes off the attack surface but also disables PMTUD and traceroute, whereas allowing too much of it exposes infrastructure to abuse. In this paper, we present a systematic quantitative study of the balance between the diagnostic usefulness of ICMP, its associated security risks, and its operational overhead. Specifically, we introduce a policy framework for ICMP traffic consisting of a precise classification of ICMP message types, selective acceptance of necessary error messages, rate limiting of diagnostic probes (up to 5–10 pps/source), and rejection of outdated and risky message types. We conduct a series of testbed experiments under ICMP flood and reflection attacks to compare three policy archetypes: balanced, blocking, and permissive. Our results show that the balanced policy achieves a 94% PMTUD success rate and a 91% traceroute completion rate while reducing the attack surface by 73% and keeping throughput degradation to only 12%, providing an effective balance between network functionality, security, and operational performance.
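As an added illustration (not code from the paper), the following Python model captures the balanced policy the abstract describes: necessary error types are always accepted, echo probes are rate limited per source, and legacy or risky types are rejected. Which ICMP types fall into which bucket, the fixed one-second counting window (a simplification of the token bucket a real firewall would use), and the sample trace are all my assumptions.

```python
from collections import defaultdict

# Assumed type tables (my reading of the abstract, not the paper's own
# classification). Values are IANA ICMPv4 / ICMPv6 type numbers.
POLICY = {
    4: {  # ICMPv4
        "essential": {3, 11},       # Dest Unreachable (code 4 carries PMTUD), Time Exceeded (traceroute)
        "probe": {8, 0},            # Echo Request / Reply: rate limited per source
        "risky": {4, 5, 13, 14, 15, 16, 17, 18},  # Source Quench, Redirect, Timestamp, Info, Address Mask
    },
    6: {  # ICMPv6: more of it is load-bearing (Packet Too Big, NDP), so less is rejected
        "essential": {1, 2, 3, 4, 133, 134, 135, 136},
        "probe": {128, 129},
        "risky": {137},             # Redirect
    },
}


class IcmpPolicy:
    """Balanced ICMP policy: accept errors, rate limit probes, reject legacy types."""

    def __init__(self, probe_pps=10):
        self.limit = probe_pps          # the abstract's 5-10 pps per source
        self.seen = defaultdict(int)    # (src, second) -> probes accepted in that window

    def classify(self, family, icmp_type):
        for bucket, types in POLICY[family].items():
            if icmp_type in types:
                return bucket
        return "unknown"                # unclassified types are denied by default

    def decide(self, family, src, icmp_type, now):
        bucket = self.classify(family, icmp_type)
        if bucket == "essential":
            return "accept"             # PMTUD and traceroute keep working under flood
        if bucket == "probe":
            key = (src, int(now))
            if self.seen[key] < self.limit:
                self.seen[key] += 1
                return "accept"
            return "drop"               # this source exceeded its per-second probe budget
        return "drop"


def run_trace(policy, packets):
    """Apply the policy to (time, family, src, type) tuples; return verdict counts."""
    counts = defaultdict(int)
    for now, family, src, icmp_type in packets:
        counts[policy.decide(family, src, icmp_type, now)] += 1
    return dict(counts)


# Constructed sample: a 30 pps echo flood from one host, one IPv4 PMTUD error,
# one ICMPv6 traceroute TTL expiry, and one timestamp request (reconnaissance).
SAMPLE = [(i / 30, 4, "198.51.100.7", 8) for i in range(30)] + [
    (0.2, 4, "203.0.113.1", 3), (0.4, 6, "2001:db8::1", 3), (0.5, 4, "203.0.113.9", 13)]

if __name__ == "__main__":
    print(run_trace(IcmpPolicy(probe_pps=10), SAMPLE))   # {'accept': 12, 'drop': 21}
```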
Copyright (c) 2026 Abdalraheem Terfas, Nuredin Ahmed

This work is licensed under a Creative Commons Attribution 4.0 International License.