Re: Removing ping/icmp from a network



I let ICMP flow into the internal network, but I usually don't like to let outsiders ping my published servers.

A user could complain "cannot open web page", but I expect an average network troubleshooter doesn't rely on ping on the Internet:
after all, I find LOTS of routers in my path to remote sites which drop traceroutes.

Everyone in between is either a script kiddie or somebody just playing around with ping sweeps/basic port scans.


I use ICMP on the Internet just to check whether my ISP has problems going out (as happens quite frequently :( ),
thus stopping after the 4th or 5th hop.

Idserve (from www.grc.com) is out there, and at worst you can do some sort of "TCP ping" (e.g. a telnet on port 80).

Ivan

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On behalf of Mark Owen
Sent: Thursday, 27 March 2008 18:09
To: Jason
Cc: Ansgar -59cobalt- Wiechers; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Removing ping/icmp from a network

On Thu, Mar 27, 2008 at 12:25 PM, Jason <securitux@xxxxxxxxx> wrote:
*snip*
The idea is to limit your Internet footprint to make it as difficult
as possible for an attacker. There is no need for a web server to
respond to ping from the Internet for example.

It is very critical that your web server responds to ICMP on the Internet. If you go out of your way to ignore essential protocols for IP over a public network, you're just going to create a headache for all of us.

Without ICMP, it is very difficult for us to determine where a problem exists when our clients complain about slow load times or inaccessibility of your website. No ICMP means no basic trace routing, no basic latency checks, and no basic error reporting. So even if the problem is somewhere in our infrastructure that limits or prevents access to your site, you're going to get the blame and the bad reputation of an unstable server. If it doesn't respond to ping and can't be traced, it's not our fault that our client can't access your site, it's yours.

--
Mark Owen
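The "TCP ping" Ivan mentions as a fallback, written out as an added example that is not part of the original thread: it times a full TCP handshake to a port the server already exposes (80 here), so it still works where echo-request is dropped at the edge. The target host and port are assumptions; the name is resolved up front so only the handshake is timed, and a filtered port shows up as a timeout just like a dropped ping would.

```python
import socket
import time
from statistics import mean


def resolve(host, port):
    """Resolve once, up front, so the measured time is only the TCP
    handshake and not the DNS lookup."""
    family, _, _, _, sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    return family, sockaddr


def tcp_ping(family, sockaddr, timeout=2.0):
    """Time one full TCP handshake to sockaddr. Returns the RTT in ms, or
    None when the port is refused, unreachable, or the SYN goes unanswered
    within `timeout` seconds (a filtered port is indistinguishable from a
    dead host here, exactly as with a dropped echo-request)."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.perf_counter()
    try:
        sock.connect(sockaddr)
        return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None
    finally:
        sock.close()  # the server just sees a handshake and an immediate close


def tcp_ping_stats(host, port, count=4, timeout=2.0, interval=1.0):
    """Repeat the probe `count` times and summarise the way ping does."""
    family, sockaddr = resolve(host, port)
    rtts = []
    for i in range(count):
        rtt = tcp_ping(family, sockaddr, timeout)
        if rtt is not None:
            rtts.append(rtt)
        if interval and i < count - 1:
            time.sleep(interval)
    received = len(rtts)
    return {
        "target": sockaddr[0], "port": port, "sent": count, "received": received,
        "loss_pct": 100.0 * (count - received) / count,
        "min_ms": min(rtts) if rtts else None,
        "avg_ms": mean(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # assumed target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(tcp_ping_stats(host, port))
```

Unlike ICMP echo, this only tells you whether the one service port answers, not where along the path a problem sits, which is the gap Mark's reply is pointing at.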
