Allowing only necessary types

Because ICMP can affect the operation of important system functions and can be used to obtain configuration information, hackers use ICMP messages while conducting reconnaissance on a network or during an active attack. As a result, a best practice is to block certain ICMP messages with a firewall Access Control List (ACL), especially at border routers.

Diagnostic utilities, such as Ping and Tracert, require ICMP. As a result, a network administrator must decide which types of ICMP packets should be allowed on a network. When setting up your firewall, keep in mind that the only essential ICMP traffic is destination unreachable, along with the corresponding codes, which is type 3 for ICMP and type 1 for ICMPv6.

All other ICMP types are optional, depending on whether you would like to allow them on your network. Depending on your organization, some other types that are allowed may include the following:

  • Type 8/0: Echo request/reply
  • Type 11: Time exceeded 

ICMP helps to ensure that data gets delivered; however, it can be used in malicious ways. Therefore, you need to make sure that firewalls are properly tuned.
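The allowlist described above can be expressed as a small default-deny check over raw packets. This is an added example, not code from the book: the function names, the `allow_optional` switch and the sample packets are constructed for illustration, and the IPv6 branch assumes no extension headers.

```python
import struct

# Policy from the text: destination unreachable is essential (ICMP type 3,
# ICMPv6 type 1); echo request/reply (8/0) and time exceeded (11) are optional.
ESSENTIAL = {4: {3}, 6: {1}}
OPTIONAL = {4: {8, 0, 11}, 6: set()}   # the text lists no optional ICMPv6 types

def icmp_type_code(packet: bytes):
    """Return (ip_version, icmp_type, icmp_code), or None if not parsable ICMP."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4   # IPv4 header length varies with options
        if ihl < 20 or len(packet) < ihl + 2 or packet[9] != 1:  # proto 1 = ICMP
            return None
        return 4, packet[ihl], packet[ihl + 1]
    if version == 6:
        # Assumption: no extension headers, so next header 58 (ICMPv6) is at byte 6.
        if len(packet) < 42 or packet[6] != 58:
            return None
        return 6, packet[40], packet[41]
    return None

def decide(packet: bytes, allow_optional: bool = True) -> str:
    """Apply the allowlist: anything ICMP that is not listed is denied."""
    parsed = icmp_type_code(packet)
    if parsed is None:
        return "not-icmp"
    version, icmp_type, _code = parsed
    allowed = ESSENTIAL[version] | (OPTIONAL[version] if allow_optional else set())
    return "permit" if icmp_type in allowed else "deny"

# Constructed sample packets (documentation addresses, zeroed checksums).
def build_v4(icmp_type: int, code: int = 0, options: bytes = b"") -> bytes:
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + bytes([icmp_type, code]) + bytes(6)

def build_v6(icmp_type: int, code: int = 0) -> bytes:
    addr = bytes.fromhex("20010db8") + bytes(12)
    hdr = struct.pack("!IHBB16s16s", 6 << 28, 8, 58, 64, addr, addr)
    return hdr + bytes([icmp_type, code]) + bytes(6)

if __name__ == "__main__":
    for name, pkt in [("v4 unreachable", build_v4(3, 1)), ("v4 echo", build_v4(8)),
                      ("v4 timestamp", build_v4(13)), ("v6 unreachable", build_v6(1))]:
        print(f"{name:15} -> {decide(pkt)}")
```

Calling `decide(pkt, allow_optional=False)` models the strictest form of the policy, in which only destination unreachable is permitted.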
