ICMP packets, what types to block?

jspeicher

Golden Member
Apr 9, 2003
1,904
0
71
I have a question. ICMP packets are very helpful but also a security risk. Of all the types of ICMP, what are the top 5 types I should block, and why? Thanks for any help or insight.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
I don't like blocking any of them. I haven't found a good reason to do so yet. What class is this for?
 

Garion

Platinum Member
Apr 23, 2001
2,331
7
81
Weeeel, that's a difficult one. I assume this is an INBOUND firewall rule, like one in front of a web server or load balancer. Outbound would be different.

ICMP can inadvertently pass back more data than you want it to. Reading through the different ICMP packet types, there's actually a lot that I'd block and only a few that I'd allow.

Ones that I'd want to allow would be echo reply, echo, time exceeded, and traceroute. Destination unreachable is a good one, but it's the one that can send back more information than you might really want to send back, from a security perspective.

Decide what you want to let through, from a security and functionality perspective and only allow it. As a general rule, you ALWAYS block everything and permit only what you want through - Never, never the other way around.

- G

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Yep, be very careful, because blocking ICMP, especially time exceeded, can break certain applications (specifically VPNs and tunneling).

I forget off the top of my head but there are ones that you should always allow, blocking all others. I do like the ability to ping though.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: jspeicher
Thanks for the input guys, this is for a TCP/IP course....

So, what do you think about the question? Give us your answer and we can comment on that. We'll be nice. :)
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Unreachables are used for PathMTU with VPN tunnels, so be careful about blocking that.

I don't block any of them inbound except echo, which I allow only to certain servers. The only real reason I block echo is because it is a trigger for many worms to start their infection process. Blocking echo doesn't do much good against a determined attacker... he'll likely figure out there is a system there anyhow.

Outbound I only allow echo, echo reply, unreachable, and time exceeded.

A better option instead of blocking all ICMP might be to inspect the types you need to make sure each packet is legitimate for the type specified. Data can be encapsulated into an ICMP packet, and if you just make sure the ICMP packet conforms to the RFCs then you should be OK.

Oh, and be careful about blocking fragmented echoes over VPN tunnels. MS Active Directory 2003 uses something like a 2500-byte ping to check the status of a host before pushing a group policy; since that won't fit in a single packet it has to be fragmented, and if you're blocking fragmented echoes then you won't get group policies at the other end of the tunnel.
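The following is an added example, not code from anyone in this thread. It puts Garion's default-deny allow-list (echo, echo reply, time exceeded, traceroute, plus destination unreachable so path MTU discovery keeps working) and Boscoh's "inspect the type rather than block everything" advice into one inbound ICMP check. It parses the 8-byte ICMP header, verifies the RFC 1071 checksum, rejects undefined type/code combinations, and requires that error messages (destination unreachable, time exceeded) actually carry the embedded IPv4 header RFC 792 says they must. The echo payload limit is deliberately optional, because, as Boscoh notes, dropping oversize or fragmented echoes can break things like group policy over a tunnel. The type numbers are from the RFCs; the `max_echo_payload` parameter, the `build_icmp` helper and the sample packets are assumptions constructed for this example.

```python
import struct
from typing import Optional, Tuple

# ICMP type numbers (RFC 792, RFC 1393).
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
TRACEROUTE = 30  # RFC 1393 (deprecated, but it is the type the thread names)

# Inbound allow-list from the thread; every other type is denied by default.
INBOUND_ALLOW = {ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED, TRACEROUTE, DEST_UNREACHABLE}

# Codes defined for each allowed type (RFC 792 / 1122 / 1812 / 1393). Anything else is malformed.
VALID_CODES = {
    ECHO_REPLY: {0},
    DEST_UNREACHABLE: set(range(0, 16)),
    ECHO_REQUEST: {0},
    TIME_EXCEEDED: {0, 1},
    TRACEROUTE: {0, 1},
}

# Error messages must quote the offending IPv4 header plus 8 bytes of its payload (RFC 792).
ERROR_TYPES = {DEST_UNREACHABLE, TIME_EXCEEDED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00\x00\x00\x00",
               payload: bytes = b"") -> bytes:
    """Assumed helper: build an ICMP message with a valid checksum so we can
    construct sample packets offline."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def inspect_inbound(pkt: bytes, max_echo_payload: Optional[int] = None) -> Tuple[str, str]:
    """Return ('allow' | 'drop', reason) for one inbound ICMP message (IP header stripped).

    max_echo_payload=None leaves echo size unchecked, which is the safe default
    when fragmented pings (e.g. AD group policy checks over a VPN) must get through."""
    if len(pkt) < 8:
        return "drop", "truncated header"
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    if icmp_checksum(pkt) != 0:
        return "drop", "bad checksum"
    if icmp_type not in INBOUND_ALLOW:
        return "drop", f"type {icmp_type} not on allow-list"
    if code not in VALID_CODES[icmp_type]:
        return "drop", f"type {icmp_type} code {code} not defined"
    body = pkt[8:]
    if icmp_type in ERROR_TYPES:
        # RFC 792: the body is the original IPv4 header (>= 20 bytes) + 8 bytes of its data.
        if len(body) < 28 or (body[0] >> 4) != 4:
            return "drop", "error message lacks embedded IPv4 header"
        ihl = (body[0] & 0x0F) * 4
        if len(body) < ihl + 8:
            return "drop", "error message truncated"
    elif icmp_type in (ECHO_REQUEST, ECHO_REPLY) and max_echo_payload is not None:
        if len(body) > max_echo_payload:
            return "drop", f"echo payload {len(body)} bytes exceeds {max_echo_payload}"
    return "allow", "ok"


if __name__ == "__main__":
    # Constructed sample traffic: a normal ping, a timestamp request (not allowed),
    # a proper "fragmentation needed" unreachable (PMTU), and a 2500-byte AD-style ping.
    ip_hdr = bytes([0x45]) + bytes(19)
    samples = {
        "ping": build_icmp(ECHO_REQUEST, 0, payload=b"abc"),
        "timestamp": build_icmp(13, 0),
        "pmtu": build_icmp(DEST_UNREACHABLE, 4, rest=b"\x00\x00\x05\xdc", payload=ip_hdr + bytes(8)),
        "big ping": build_icmp(ECHO_REQUEST, 0, payload=bytes(2500)),
    }
    for name, pkt in samples.items():
        print(f"{name:10} -> {inspect_inbound(pkt)}")
```

Note that the check only validates ICMP structure; it cannot tell a benign echo payload from one carrying tunnelled data, so the payload-size parameter is a policy knob, not a detection. Run it with `max_echo_payload=1472` only where you know nothing on the far side relies on fragmented pings.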