Security Basics mailing list archives

Re: Removing ping/icmp from a network
From: Jason <securitux () gmail com>
Date: Mon, 7 Apr 2008 11:27:10 -0400

Yes, I'd have to agree that blocking ALL ICMP is not the best idea on
the Internet side at least to the edge router / demarc. And yes, I
have yet to run into someone blocking on the host end, it's usually a
router / firewall doing the blocking.

-J

On Sat, Apr 5, 2008 at 1:17 PM, Mark Owen <mr.markowen () gmail com> wrote:
 The discussion here has mostly revolved around blocking ICMP to web
 hosts and why it is/not a good idea, but what really has not been
 mentioned is how.  Usually admins who are set on doing so will block
 it at either the router or firewall level, not the host.  This can
 create additional problems, including limiting access to your host.

 If you block all of ICMP, you block not just the echo reply requests
 but the errors as well.  This can create a problem known as a "black
 hole connection".

 Wikipedia:

 "Many 'security' devices incorrectly block all ICMP messages,
 including the errors that are necessary for PMTUD to work. This can
 result in connections that complete the TCP three-way handshake
 correctly, but then hang when data is transferred. This state is
 referred to as a "black hole connection"."
 http://en.wikipedia.org/wiki/PMTU

 ICMP is necessary for Internet traffic and blocking it can lead to
 problems that are not easily resolvable.
 Ironically, Microsoft advises not to block ICMP traffic in a router
 and to replace the router if you cannot configure it to.

 From KB:314825 "How to Troubleshoot Black Hole Router Issues" under
 "Fixing or Working Around a Black Hole Router"
 "Configure intermediate routers to send ICMP Type 3 Code 4 messages
 ("destination unreachable, don't fragment (DF) bit sent and
 fragmentation required"). This might require a router software or
 firmware upgrade, router reconfiguration, or router replacement."
 --
 Mark Owen
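Mark's point about black hole connections comes down to one specific message: the Type 3 Code 4 error carries the next-hop MTU the sending host needs. The Python below is an added example, not code from this thread, from Wikipedia or from the Microsoft KB article. It parses constructed ICMPv4 messages, verifies the RFC 1071 checksum, pulls the next-hop MTU out of a Fragmentation Needed error (RFC 1191), and compares a "drop all ICMP" policy with a selective policy that still refuses echo requests. The two policy functions are illustrative stand-ins for what a router or firewall ruleset would express; they are not any vendor's API.

```python
"""Compare a blanket ICMP block with a PMTUD-aware filter on constructed packets.
Added example for the Security Basics thread; all packets below are constructed."""
import struct

# ICMPv4 type/code values (RFC 792, RFC 1191)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # Destination Unreachable, code 4: DF bit set and fragmentation required


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a correct checksum.

    `rest` is the 4-byte field after the checksum: identifier/sequence for echo,
    2 unused bytes plus the 16-bit next-hop MTU for Fragmentation Needed.
    """
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(packet: bytes) -> dict:
    """Return type, code, checksum validity and, for Fragmentation Needed,
    the next-hop MTU advertised in header bytes 6-7 (RFC 1191)."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    info = {
        "type": icmp_type,
        "code": code,
        # Summing a valid message including its checksum field folds to 0xFFFF,
        # so the complement is zero when the checksum is intact.
        "checksum_ok": icmp_checksum(bytes(packet)) == 0,
    }
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        info["next_hop_mtu"] = struct.unpack("!H", packet[6:8])[0]
    return info


def block_all_icmp(info: dict) -> str:
    """The policy the thread warns about: every ICMP message is dropped,
    including the errors PMTUD needs."""
    return "drop"


def pmtud_aware_policy(info: dict) -> str:
    """Illustrative selective policy: keep the errors TCP relies on, drop
    corrupted messages, and still refuse echo requests if the site wants to be
    unpingable."""
    if not info["checksum_ok"]:
        return "drop"
    if info["type"] in (DEST_UNREACH, TIME_EXCEEDED):
        return "accept"  # Type 3 Code 4 carries the next-hop MTU; dropping it black-holes TCP
    return "drop"  # echo request, echo reply, redirects and the rest


# Constructed sample traffic (not captured from any real network).
ORIGINAL_DATAGRAM = b"\x45\x00\x05\xdc" + b"\x00" * 24  # IP header + 8 bytes, as quoted back in errors
FRAG_NEEDED_PKT = build_icmp(DEST_UNREACH, FRAG_NEEDED, b"\x00\x00" + struct.pack("!H", 1400), ORIGINAL_DATAGRAM)
TIME_EXCEEDED_PKT = build_icmp(TIME_EXCEEDED, 0, b"\x00" * 4, ORIGINAL_DATAGRAM)
ECHO_REQUEST_PKT = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
_corrupted = bytearray(FRAG_NEEDED_PKT)
_corrupted[4] ^= 0xFF  # damage the unused field so the checksum no longer verifies
CORRUPTED_PKT = bytes(_corrupted)


def evaluate(packets: dict) -> dict:
    """Map each packet name to (block-all verdict, PMTUD-aware verdict)."""
    return {
        name: (block_all_icmp(parse_icmp(pkt)), pmtud_aware_policy(parse_icmp(pkt)))
        for name, pkt in packets.items()
    }


if __name__ == "__main__":
    samples = {
        "frag_needed": FRAG_NEEDED_PKT,
        "time_exceeded": TIME_EXCEEDED_PKT,
        "echo_request": ECHO_REQUEST_PKT,
        "corrupted": CORRUPTED_PKT,
    }
    for name, verdicts in evaluate(samples).items():
        print(f"{name:14s} block-all={verdicts[0]:6s} pmtud-aware={verdicts[1]}")
    print("next-hop MTU in Fragmentation Needed:", parse_icmp(FRAG_NEEDED_PKT)["next_hop_mtu"])
```

The selective policy is the shape Mark's quoted KB guidance implies: the host behind the filter still receives the Type 3 Code 4 error and can shrink its segments to the advertised MTU, while echo requests keep being refused. On a Linux filter the same split is expressed by accepting `-p icmp --icmp-type fragmentation-needed` (and `time-exceeded`) ahead of any rule that drops the rest of ICMP.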