
What is ICMP?...

algae

Senior member
Oct 26, 2000
...and should it be checked as "accept any incoming" in my firewall settings?
Tia for any info.

Gary
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
ICMP is the protocol that PING uses (many other protocol messaging functions as well).....

Usually, you DO NOT want ICMP anything from external unknown sources.

FWIW

Scott
 

n0cmonkey

Elite Member
Jun 10, 2001


<< ICMP is the protocol that PING uses (many other protocol messaging functions as well).....

Usually, you DO NOT want ICMP anything from external unknown sources.

FWIW

Scott
>>



I read a couple of sources that mentioned that you should not block all icmp packets. Source quench may be a bad one to block if you are serving anything.
 

Santa

Golden Member
Oct 11, 1999
ICMP messages range on what they do from time out messages to host not reachable messages.

There are some messages you shouldn't filter out unless you know the consequences and can deal with them.

Some include the ICMP Can't Fragment error and ICMP destination unreachable (the trade-off here is that UDP scans work, but then you get a "port closed" instead of a timeout).

Some of the messages you should block from leaving your firewall out to the wild wild web are ICMP address mask requests (ICMP_MASKREQ, type 17); these permit an attacker to learn topological information about an internal network.
ICMP_ECHO, or ping, is another one you should restrict to certain machines on your network.

Here is some more information on RFC 1122 and its take on ICMP and the various messages Link

Here is a site on Path MTU Discovery and talks about the Fragmentation ICMP message Link

This is just the tip of the iceberg, but the main thing you should learn is that ICMP is pretty complicated and is very tightly woven into the TCP transport model.

Enjoy
 

Grommet5

Banned
Feb 6, 2002
Well, you shouldn't block all ICMP, otherwise you're going to run into problems when playing online games.

I have TPF firewall set up, and I have the following ICMP rules:

outgoing- echo reply, destination unreachable, echo request
incoming- echo reply, time exceeded, *echo request

You could remove *echo request from incoming if you don't want anyone pinging your IP. Also, never have destination unreachable incoming, otherwise you're prone to ping floods.
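The kind of direction-based ICMP policy the last two posts describe (pass unreachables, time exceeded and echo replies in; keep mask requests and unsolicited pings out), as an added example that is not code from any poster or from the TPF product: a small Python filter that parses the ICMP header, drops truncated or checksum-corrupt packets, and accepts or drops by type and direction. The "management host" address allowed to ping is a constructed assumption.

```python
import struct

# Constructed policy following the thread's advice, not any vendor's ruleset.
ICMP_NAMES = {0: "echo-reply", 3: "dest-unreachable", 4: "source-quench",
              8: "echo-request", 11: "time-exceeded", 17: "mask-request"}

INBOUND_ALLOW = {0, 3, 11}          # replies, unreachables (incl. frag-needed), TTL expiry
OUTBOUND_ALLOW = {0, 3, 8}          # answer permitted pings, report unreachables, ping out
PING_ALLOWED_FROM = {"192.0.2.10"}  # constructed management host allowed to ping us

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(hdr)) + hdr[4:]

def parse_icmp(pkt: bytes):
    """Return (type, code); raise on a truncated or corrupt packet so it gets dropped."""
    if len(pkt) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(pkt) != 0:        # valid packet sums to zero with checksum included
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    return icmp_type, code

def decide(direction: str, src: str, pkt: bytes) -> str:
    """direction is 'in' (from the Internet) or 'out' (from our network)."""
    try:
        icmp_type, code = parse_icmp(pkt)
    except ValueError as err:
        return f"drop ({err})"
    if direction == "in":
        if icmp_type == 8 and src in PING_ALLOWED_FROM:
            return "accept echo-request from allowed host"
        allowed = icmp_type in INBOUND_ALLOW
    else:
        allowed = icmp_type in OUTBOUND_ALLOW
    name = ICMP_NAMES.get(icmp_type, f"type-{icmp_type}")
    return ("accept " if allowed else "drop ") + f"{name}/code-{code}"
```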
 

n0cmonkey

Elite Member
Jun 10, 2001


<< Well, you shouldn't block all ICMP, otherwise you're going to run into problems when playing online games. I have TPF firewall set up, and I have the following ICMP rules: outgoing- echo reply, destination unreachable, echo request; incoming- echo reply, time exceeded, *echo request. You could remove *echo request from incoming if you don't want anyone pinging your IP. Also, never have destination unreachable incoming, otherwise you're prone to ping floods. >>



Unless you have control of the routers at the beginning of your line (isp's side of your connection) you will always be affected by ping floods. Your pipe is only so big.
 

spidey07

No Lifer
Aug 4, 2000
Are there any sources for best practices regarding ICMP in a secure environment?

I just block all ICMP in-bound and out-bound. I didn't think any IP stacks around today even listened to source-quench messages? don't know for sure though.
 

n0cmonkey

Elite Member
Jun 10, 2001


<< Are there any sources for best practices regarding ICMP in a secure environment?I just block all ICMP in-bound and out-bound. I didn't think any IP stacks around today even listened to source-quench messages? don't know for sure though. >>



Source quench can also be another way to mess with connections in a bad way. I think it is still in use, but I don't know how much it would really affect anyone.
 

spidey07

No Lifer
Aug 4, 2000
I'm guessing the only real ICMP messages of value are the unreachables -- network, host, port.

So block everything but those? I'll try to find some information on best practice.
 

Santa

Golden Member
Oct 11, 1999
Source Quench is much like FECN BECN bits but for TCP transmissions.

I too do not know if this is even in use today since you hardly hear anything about it. According to ICMP standards a Source Quench should be sent for every packet dropped or if a gateway or switch is running out of buffer space.

I don't remember seeing this in any tech specs that say whether Source Quench is implemented, and from what I know from experience, unless I listen to FECN/BECN bits via traffic shaping I'm going to push myself over the edge without a parachute.

Here is an interesting blurb I found on Cisco's site to further show how some of the vendors are thinking about Source Quench..


Q. When does a Cisco router generate a source quench?

A. Prior to Cisco IOS ® Software Releases 11.3 and 12.0, a Cisco router generates a source quench only if it does not have the buffer space needed to queue the packet. If the router can't queue the routed packet onto the output interface's queue, it generates a source quench and registers an output drop against the output interface. If the router isn't congested, it won't generate a source quench.

You can look at the show ip traffic command output for source quenches sent. Also look at show interface to see if there are any drops. If there are none, then you shouldn't see any source quench.

Cisco IOS ® Software Releases 11.3 and 12.0 don't include the source quench feature.


More IANA ICMP Type and Code information that might help some people out.. I know it has me :)

Link