Re: Removing ping/icmp from a network

Yes, I'd have to agree that blocking ALL ICMP is not the best idea on
the Internet side, at least to the edge router / demarc. And yes, I
have yet to run into someone blocking on the host end; it's usually a
router / firewall doing the blocking.

-J

On Sat, Apr 5, 2008 at 1:17 PM, Mark Owen <mr.markowen@xxxxxxxxx> wrote:
The discussion here has mostly revolved around blocking ICMP to web
hosts and why it is/not a good idea, but what really has not been
mentioned is how. Usually admins who are set on doing so will block
it at either the router or firewall level, not the host. This can
create additional problems, including limiting access to your host.

If you block all of ICMP, you block not just the echo reply requests
but the errors as well. This can create a problem known as a "black
hole connection".

Wikipedia:

"Many 'security' devices incorrectly block all ICMP messages,
including the errors that are necessary for PMTUD to work. This can
result in connections that complete the TCP three-way handshake
correctly, but then hang when data is transferred. This state is
referred to as a "black hole connection"."
http://en.wikipedia.org/wiki/PMTU

ICMP is necessary for Internet traffic and blocking it can lead to
problems that are not easily resolvable.
Ironically, Microsoft advises not to block ICMP traffic in a router
and to replace the router if you cannot configure it to.

From KB:314825 "How to Troubleshoot Black Hole Router Issues" under
"Fixing or Working Around a Black Hole Router"
"Configure intermediate routers to send ICMP Type 3 Code 4 messages
("destination unreachable, don't fragment (DF) bit sent and
fragmentation required"). This might require a router software or
firmware upgrade, router reconfiguration, or router replacement."


--
Mark Owen
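The point in Mark's post, worked through as an added example that is not part of the thread: a small Python classifier that parses an IPv4/ICMP datagram and contrasts a block-everything policy with a selective one that drops echo traffic (what an admin asking to "remove ping" wants) while still passing the Type 3 Code 4 and Time Exceeded errors that PMTUD depends on. The datagrams, the RFC 5737 documentation addresses, and the `selective_icmp` rule set are all constructed for this example; nothing here is any real firewall's rule syntax.

```python
import struct

# ICMP message types (RFC 792) and the PMTUD-related code (RFC 1191).
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_FRAG_NEEDED = 4          # type 3 code 4: "fragmentation needed and DF set"
IPPROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_datagram(itype: int, code: int, rest: bytes = b"\x00" * 4,
                        payload: bytes = b"") -> bytes:
    """Construct an IPv4 datagram carrying one ICMP message (test input only)."""
    icmp_body = struct.pack("!BBH4s", itype, code, 0, rest) + payload
    icmp_body = icmp_body[:2] + struct.pack("!H", inet_checksum(icmp_body)) + icmp_body[4:]
    total_len = 20 + len(icmp_body)
    # Constructed addresses from the RFC 5737 documentation ranges, not real hosts.
    src = bytes([192, 0, 2, 1])
    dst = bytes([198, 51, 100, 7])
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_ICMP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp_body


def parse_icmp(datagram: bytes) -> dict:
    """Pull the ICMP type/code (and next-hop MTU, if present) out of an IPv4 datagram."""
    if len(datagram) < 20:
        raise ValueError("too short for an IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if proto != IPPROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = datagram[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    itype, code, _, rest = struct.unpack("!BBH4s", icmp[:8])
    fields = {"type": itype, "code": code,
              # a correct ICMP checksum makes the checksum over the whole message fold to 0
              "checksum_ok": inet_checksum(icmp) == 0}
    if itype == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        # RFC 1191: the low 16 bits of the otherwise-unused field carry the next-hop MTU.
        fields["next_hop_mtu"] = struct.unpack("!HH", rest)[1]
    return fields


def block_all_icmp(fields: dict) -> str:
    """The policy the thread warns about: every ICMP message is dropped, errors included."""
    return "drop"


def selective_icmp(fields: dict) -> str:
    """Drop echo request/reply but keep the error messages PMTUD and traceroute rely on."""
    if not fields["checksum_ok"]:
        return "drop"
    if fields["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "drop"
    if fields["type"] in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "allow"
    return "drop"  # default deny for every other type


def evaluate(datagram: bytes, policy) -> str:
    """Run one datagram through a policy function and return "allow" or "drop"."""
    return policy(parse_icmp(datagram))


if __name__ == "__main__":
    frag_needed = build_icmp_datagram(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                                      rest=struct.pack("!HH", 0, 1400))
    ping = build_icmp_datagram(ICMP_ECHO_REQUEST, 0, payload=b"abc")
    for name, dg in (("type 3 code 4 (MTU 1400)", frag_needed), ("echo request", ping)):
        print("%-26s block_all=%s selective=%s" % (
            name, evaluate(dg, block_all_icmp), evaluate(dg, selective_icmp)))
```

Running it shows the difference in one line: the block-all policy drops the Type 3 Code 4 message carrying the next-hop MTU, which is exactly the message a sender needs to shrink its segments and avoid the hung-after-handshake "black hole" state, while the selective policy still stops ping and passes that error through.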