An ICMP echo request is a small network message that one device sends to another to check whether it’s reachable and responsive. It’s the mechanism behind the “ping” command that network administrators and everyday users rely on to test internet connections. When you ping a website or IP address, your computer sends an ICMP echo request, and the destination sends back an echo reply. If the reply comes back, the connection is working. If it doesn’t, something along the path is broken.
How ICMP Fits Into Networking
ICMP stands for Internet Control Message Protocol. It’s a supporting protocol that sits alongside the more familiar ones used for web browsing and email. Its job isn’t to carry your data. Instead, it carries status messages: error notifications, diagnostic checks, and routing guidance between network devices. A router might use ICMP to tell your computer that a destination is unreachable, or that a packet took too long to arrive and was discarded.
The echo request is just one of many ICMP message types, but it’s by far the most recognized. Defined in RFC 792 (the original specification from 1981), the echo request is assigned Type 8 with a Code of 0. The corresponding echo reply is Type 0, Code 0. When a device receives a Type 8 message, it simply reverses the source and destination addresses, changes the type to 0, recalculates the checksum, and sends it back.
What Happens When You Ping Something
When you open a terminal and type something like ping google.com, your operating system constructs a small ICMP echo request packet and sends it to that address. The packet travels through routers and switches until it reaches the destination server. That server then generates an echo reply and sends it back along the return path.
Your computer measures the round-trip time in milliseconds, giving you a clear picture of latency. It also tracks how many replies come back versus how many were sent, which reveals packet loss. Most ping utilities send multiple requests in sequence, each with an incrementing sequence number so that responses can be matched to the correct request. If you see consistent replies with low round-trip times, the connection is healthy. Sporadic timeouts or high latency point to congestion, misconfiguration, or hardware problems somewhere along the route.
Inside the Packet
An ICMP echo request rides inside a standard IP packet. The IP header’s protocol field is set to 1, which tells every device along the path that this is an ICMP message. After the IP header comes the ICMP-specific portion, which contains several fields:
- Type: Set to 8 for an echo request.
- Code: Set to 0 (no further qualification needed).
- Checksum: A value calculated across the entire ICMP portion so the receiver can verify nothing was corrupted in transit.
- Identifier: A value that helps the sender match replies to the correct ping session, especially when multiple ping processes run simultaneously.
- Sequence Number: Increments with each successive echo request, so you can tell which reply corresponds to which request.
- Data: An optional payload, often filled with a simple pattern of bytes. The destination copies this data into its echo reply, which lets the sender verify that the payload survived the round trip intact.
IPv4 vs. IPv6 Differences
Everything described above applies to IPv4 networks. IPv6 uses a slightly different version called ICMPv6, defined in RFC 4443. The echo request in ICMPv6 uses Type 128 (instead of 8), and the echo reply uses Type 129 (instead of 0). The code remains 0 for both.
There are a couple of structural differences worth noting. IPv4 identifies ICMP traffic with protocol number 1 in the IP header, while IPv6 uses a “Next Header” value of 58. ICMPv6 also includes a pseudo-header in its checksum calculation, pulling in source and destination addresses from the IPv6 header. This makes the checksum more robust against certain types of corruption. From a user’s perspective, though, pinging over IPv6 works identically to IPv4.
Security Risks
Because ICMP echo requests are simple to generate and require no authentication, they’ve been exploited in several well-known attacks.
A ping flood (also called an ICMP flood) works by sending a massive volume of echo requests to a target, overwhelming its ability to process legitimate traffic. This is one of the easier denial-of-service attacks to launch, requiring little sophistication. A related technique, the Smurf attack, amplifies the flood by sending echo requests to a network’s broadcast address with the victim’s IP spoofed as the source. Every device on that network then sends its reply to the victim, multiplying the traffic. The Ping of Death, largely a historical concern, involved sending malformed or oversized ICMP packets that caused older systems to crash.
These risks have led many network administrators to block ICMP at their firewalls. While this does reduce the attack surface, it comes with real trade-offs.
What Happens When ICMP Is Blocked
Blocking ICMP echo requests stops ping from working, which removes a fundamental diagnostic tool. But the consequences go beyond losing the ability to ping a server. ICMP carries several other message types that networks depend on for smooth operation.
Path MTU Discovery is one of the most important. This mechanism figures out the largest packet size that can travel the full path between two devices without being fragmented. It relies on ICMP “destination unreachable” messages (Type 3, Code 4) to report when a packet exceeds the maximum size a link can handle. If those messages are blocked, devices may send packets that are too large, causing silent failures and mysterious connection problems, particularly with VPNs and certain websites that fail to load completely.
ICMP redirect messages help routers inform hosts about more efficient paths to a destination. Without them, traffic may take unnecessarily long routes, wasting bandwidth and increasing latency. Time-exceeded messages (Type 11) let the sender know when a packet’s time-to-live counter hits zero before reaching its destination. Blocking these breaks the traceroute utility entirely, since traceroute relies on those messages to map each hop along a network path.
The more targeted approach that many security professionals recommend is rate-limiting ICMP rather than blocking it outright. This allows diagnostic and routing functions to operate normally while preventing flood-based attacks from consuming meaningful resources.
Common Uses Beyond Basic Ping
While testing whether a host is alive is the most common use of echo requests, they serve several other practical purposes. Network monitoring systems send periodic pings to servers, routers, and services to detect outages automatically. If a device stops responding to echo requests, an alert fires. Latency monitoring over time can reveal degrading links before they fail completely.
Traceroute on Windows (using the tracert command) sends ICMP echo requests with progressively increasing time-to-live values. Each router along the path decrements the value by one and, when it hits zero, sends back a time-exceeded message. This maps out every hop between you and the destination, showing where delays or failures occur. Linux and macOS traceroute uses UDP by default but can be switched to ICMP mode for the same effect.
Internet service providers and content delivery networks also use echo requests internally to measure reachability and response times across their infrastructure, helping them route traffic through the fastest available paths.