mailing list archives
Re: Removing ping/icmp from a network
From: Jason <securitux () gmail com>
Date: Mon, 7 Apr 2008 11:27:10 -0400
Yes, I'd have to agree that blocking ALL ICMP is not the best idea on
the Internet side at least to the edge router / demarc. And yes, I
have yet to run into someone blocking on the host end, it's usually a
router / firewall doing the blocking.
On Sat, Apr 5, 2008 at 1:17 PM, Mark Owen <mr.markowen () gmail com> wrote:
The discussion here has mostly revolved around blocking ICMP to web
hosts and why it is/not a good idea, but what really has not been
mentioned is how. Usually admins who are set on doing so will block
it at either the router or firewall level, not the host. This can
create additional problems, including limiting access to your host.
If you block all of ICMP, you block not just the echo reply requests
but the errors as well. This can create a problem known as a "black
"Many 'security' devices incorrectly block all ICMP messages,
including the errors that are necessary for PMTUD to work. This can
result in connections that complete the TCP three-way handshake
correctly, but then hang when data is transferred. This state is
referred to as a "black hole connection"."
ICMP is necessary for Internet traffic and blocking it can lead to
problems that are not easily resolvable.
Ironically, Microsoft advises not to block ICMP traffic in a router
and to replace the router if you cannot configure it to.
From KB:314825 "How to Troubleshoot Black Hole Router Issues" under
"Fixing or Working Around a Black Hole Router"
"Configure intermediate routers to send ICMP Type 3 Code 4 messages
("destination unreachable, don't fragment (DF) bit sent and
fragmentation required"). This might require a router software or
firmware upgrade, router reconfiguration, or router replacement."