ICMP can be used as an effective scanning tool because it can reveal a great deal of information about a network. Malicious actors use various techniques to scan a network for vulnerable hosts, and ICMP can show them which hosts are alive and responding.
A ping sweep, or ping scan, sends a series of ICMP echo request packets across a local area network to see which hosts are alive and responding. Once a responding host is identified, the hacker will send more advanced probes to obtain additional information.
Along with using a series of echo requests/replies, there are several ICMP queries that malicious actors can use to scout information before launching an attack. For example, in the following screenshot, an ICMP timestamp request is sent in the hope of getting a reply to help the software rule out different OSes:
As you can see, ICMP can be used to obtain information about a network and its hosts. As a result, it's best to be aware of the various ICMP types and only allow ICMP packets that are absolutely necessary, as we'll see in the next section.
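From the defender's side, both behaviors described above (a ping sweep and a follow-up ICMP query such as a timestamp request) leave a recognizable pattern in packet records. The following is an added example, not code from the original text: the record format, the thresholds, and the function names are assumptions chosen for illustration, and the sample records are constructed.

```python
from collections import defaultdict, deque

ECHO_REQUEST = 8
# ICMP query types other than echo that are used for reconnaissance
QUERY_TYPES = {13: "timestamp request", 15: "information request",
               17: "address mask request"}

# Constructed sample records: "epoch_seconds source destination icmp_type"
SAMPLE = """\
100.0 10.0.0.50 10.0.0.1 8
100.1 10.0.0.50 10.0.0.2 8
100.2 10.0.0.50 10.0.0.3 8
100.3 10.0.0.50 10.0.0.4 8
100.4 10.0.0.50 10.0.0.5 8
100.5 10.0.0.50 10.0.0.6 8
101.0 10.0.0.7 10.0.0.1 8
102.0 10.0.0.7 10.0.0.1 8
103.0 10.0.0.7 10.0.0.1 8
104.0 10.0.0.7 10.0.0.1 8
105.0 10.0.0.7 10.0.0.1 8
106.0 10.0.0.50 10.0.0.3 13
"""


def parse(text):
    """Yield (time, src, dst, icmp_type) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])


def detect_icmp_recon(records, window=5.0, min_hosts=5):
    """Return (sweepers, queries): sources that pinged >= min_hosts distinct
    hosts within `window` seconds, and every non-echo ICMP query seen."""
    sweepers, queries = {}, []
    recent = defaultdict(deque)  # src -> echo requests still inside the window
    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type in QUERY_TYPES:
            queries.append((src, dst, QUERY_TYPES[icmp_type]))
        elif icmp_type == ECHO_REQUEST:
            q = recent[src]
            q.append((ts, dst))
            while ts - q[0][0] > window:
                q.popleft()
            distinct = len({d for _, d in q})
            if distinct >= min_hosts:
                sweepers[src] = max(sweepers.get(src, 0), distinct)
    return sweepers, queries
```

The monitoring host 10.0.0.7, which pings a single address repeatedly, is not flagged; only the source that touches many distinct hosts in a short window is.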