-
We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.
ICMP packets, what types to block?
- Thread starter jspeicher
- Start date
Garion
Platinum Member
Weeeel, that's a difficult one. I assume this is an INBOUND firewall rule, like one in front of a web server or load balancer. Outbound would be different.
ICMP can, inadvertently pass back more data than you want it to. Reading through the different ICMP packet types, there's actually a lot that I'd block and only a few that I'd allow.
Ones that I'd want to allow would be echo reply, echo, time exceeded, and traceroute. The destination unreachable is a good one, but it's the one that can send back more information that you might really want to send back, from a security perspective.
Decide what you want to let through, from a security and functionality perspective and only allow it. As a general rule, you ALWAYS block everything and permit only what you want through - Never, never the other way around.
- G
ICMP can, inadvertently pass back more data than you want it to. Reading through the different ICMP packet types, there's actually a lot that I'd block and only a few that I'd allow.
Ones that I'd want to allow would be echo reply, echo, time exceeded, and traceroute. The destination unreachable is a good one, but it's the one that can send back more information that you might really want to send back, from a security perspective.
Decide what you want to let through, from a security and functionality perspective and only allow it. As a general rule, you ALWAYS block everything and permit only what you want through - Never, never the other way around.
- G
Unreachables are used for PathMTU with VPN tunnels, so be careful about blocking that.
I dont block any of them inbound except echo, which I allow only to certain servers. The only real reason I block echo is because it is a trigger for many worms to start their infection process. Blocking echo doesnt do much good against a determined attacker..he'll likely figure out there is a system there anyhow.
Outbound I only allow echo, echo reply, unreachable, and time exceed.
A better option instead of blocking all ICMP might be to inspect the types you need to make sure it is legitimate for the type specified. Data can be encapsulated into an ICMP packet, and if you just make sure the ICMP packet conforms to RFC's then you should be ok.
Oh, and be careful about blocking fragmented echo's over VPN tunnels. MS Active Directory 2003 uses something like a 2500-byte ping to check the status of a host before pushing a group policy, since that wont fit in a single packet it has to be fragmented, and if you're blocking frag'd echos then you wont get group policies at the other end of the tunnel.
I dont block any of them inbound except echo, which I allow only to certain servers. The only real reason I block echo is because it is a trigger for many worms to start their infection process. Blocking echo doesnt do much good against a determined attacker..he'll likely figure out there is a system there anyhow.
Outbound I only allow echo, echo reply, unreachable, and time exceed.
A better option instead of blocking all ICMP might be to inspect the types you need to make sure it is legitimate for the type specified. Data can be encapsulated into an ICMP packet, and if you just make sure the ICMP packet conforms to RFC's then you should be ok.
Oh, and be careful about blocking fragmented echo's over VPN tunnels. MS Active Directory 2003 uses something like a 2500-byte ping to check the status of a host before pushing a group policy, since that wont fit in a single packet it has to be fragmented, and if you're blocking frag'd echos then you wont get group policies at the other end of the tunnel.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 25K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 24K
-
-
