Re: How to prevent system from replying to Ping (ICMP Echo) requests?

From: Copelandia Cyanescens (synesthesia_at_ix02x67invalid.net)
Date: 09/28/04


Date: Tue, 28 Sep 2004 01:21:08 +0000

Leythos wrote...

>> Why not drop POD and fragged packets likewise, rather than refusing all
>> email? :) Actually, that's pretty much the way such things are handled
>> now in most environments, where "pings" are typically allowed.
>
> It appears you are only looking at it from a residential user point of
> view. In most instances, blocking ICMP does not impact anything useful
> for most home users and blocking it doesn't break anything I know of for
> corporate users - at least not in any of the networks we designed.

Actually it was corporate users I had in the back of my mind when I
started the reply. I hesitated to say anything because I really didn't
care to deal with any "oh yeah prove it" posts, but a couple months ago
I was casual-reading a ML and glanced through a thread where a fairly
large corporation broke their "VPN" by disallowing echo requests. The
only thing that caught my attention was the capital 'ICMP' standing out
in the middle of a message body. All I really remember about it was some
software that sounded like Novas, or Norvas... something alone those
lines. Didn't really pay attention, and no I won't go back and look even
if it *were* easy. You'll just have to trust me. ;-)

>> And that doesn't even consider the possibility that some software may be
>> broken by dropping echo requests. P2P and VPN applications would seem

> P2P apps don't belong on most networks, and VPN's are not impacted by
> lack of ICMP. Just because traffic is in the spec/standards doesn't mean

Still, P2P on non gratis networks exist, and at least *some* "vpn-ish"
implementations will fail. I remember dealing with a beast called MAPICS
that demanded the ability to "ping" at regular intervals, although that
was many moons ago. And I know for a fact that a local hospital runs
some queer "Novel over TCP/IP" setup to do BC/BS billing that requires
the ability. Again, my experience was quite a number of years ago, but I
know they still operate the same today according to the guy they hired
to maintain the system I set up.

> I have to allow it on my network. Sure, it would be nice to ping my
> network from unknown locations, but, as I'm smarter than that, I set the
> network to only allow ICMP from specific locations and not from anywhere
> else.

That's fine. For you. :) And I'm not saying disallowing ICMP echo
traffic is the end of civilization as we know it. I'm merely trying to
point out that the benefits are minimal and often insignificant, that it
*is* contrary to RFC, and that it could cause problems in some
situations.

>> Tell that to an under cover police officer or a soldier wearing
>> camouflage. <grin>
>>
>>> nice to see people move on when they can't get a response from your
>>> IP's.
>>
>> I'll agree that the average inexperienced nmapper might be thwarted, but
>> is this guy really threat anyway unless you have other vulnerabilities?
>> And will it reliably thwart them to begin with?? Not meant as an insult
>> at all, but this would seem to be more of a personal satisfaction or
>> "vanity" reason than anything related to actual security.
>
> Ah, but to use your own Police analogy, why should I advertise that I
> have something you might want? If I can disable things that let you

As an under cover police officer you'd be pretty ineffective if the
crooks didn't even know you were there. <grin>

> easily detect me it's just another layer of not being a obvious target.
> This has nothing to do with Vanity, it's about protecting your network,
> the investment in millions of $ of servers and data, vanity doesn't play
> into it at all.

I see your point, and agree with you on most purely technical issues, I
just don't give them much weight in the real world. In a corporate
environment especially. Disallowing "pings" would seem to be meaningless
if you're a business entity. I'd assume an attacker would already know
you exist either by prior intent to target you specifically, or by
virtue of the fact that you have some other "service" available for them
to spot. The "stealth those pings" scenario would seem to really only
offer benefit to personal or very small entities, and even *then* it's
trivial to discover them without pinging.

>> I suppose there's valid arguments on both sides really, and the ultimate
>> choice depends on your basic "up bringing" and specific situation. I was
>> just raised to believe that crippling something to solve a problem that
>> isn't a real major concern to begin with is sorta "snake oily".
>
> And I was raised to do something right, not to half-do it. Securing a

There's "kill", and there's "overkill". If you don't "half-do" security
or resource selection to begin with there's really no benefit at all to
"hiding". And trying to hide in the first place is a specious
proposition.

> You don't have to like security methods, you don't have to like people
> that lock down networks to protect their systems, but you don't have to
> knock people that secure their networks. I've seen pings bring down

Who's knocking? I'm expressing an alternative opinion and offering at
least some anecdotal evidence to support it. If you're offended I'm
sorry, it wasn't my intent.

> entire process control systems, cause fires at plants because a PLC was
> taken off-line due to a ping, seen network switches taken down because
> of pings... This is why we block them.

If you have some specific need to manage given traffic then of course
you have to deal with it. That's a no brainer. I've seen a half million
dollar Toyoda horizontal CNC mill get whacked by a tech who pinged it
across the network trying to get some goofy "Esprit" P-code generator
working too... or rather I saw the aftermath and had to take over in a
pinch because they wouldn't let the tech near it again and they were
loosing about $80K and hour in down time (so the said). But as a general
rule of thumb those cases won't apply. For the vast majority of the
world ICMP echo traffic is about as bothersome as a cool breeze on a
windy day... irrelevant. The BadStuff(tm) can be managed other ways. And
it *is* a cross section of that vast majority we generally address in
forums like this. ;)

-- 
Don't worry about it. It's nothing. 
  -- U.S. Navy Lt. Tyler, Dec. 7, 1941, upon being informed that 
  radar had just picked a large formation of planes heading for 
  Pearl Harbor, Hawaii.


Relevant Pages

  • Re: Removing ping/icmp from a network
    ... A ping sweep isn't the only way to do network exploration. ... ICMP is a protocol, not a service. ... Security by design is always best, but hiding the presence of a device ...
    (Security-Basics)
  • RE: ICMP (Ping)
    ... To go straight to running a vuln scan against a box that isn't up ... Not seemingly from all the replies that I have seen. ... dictates that most do that and that is why many people block pings. ... - Precisely Define and Implement Network Security ...
    (Security-Basics)
  • Re: Removing ping/icmp from a network
    ... You can limit ICMP. ... And I did say, as well as others, allow from trusted sources. ... the network and the answer is: ... servers I do allow some ICMP messages to/from ...
    (Security-Basics)
  • Re: NLB Cluster - Ping fails or long time to reply from outside local subnet
    ... Using Network Monitor I see the pings being received and replies being sent ... Windows Server 2008 Readiness Team ... administered address is being set correctly on the cluster adapter. ...
    (microsoft.public.windows.server.clustering)
  • Re: 192.168.x.x oddities
    ... When I went to the server to see if I could connect to a share on the ... I run a small network at home, using a wireless router to connect to a ... and unrouteable on the Internet. ... Am I therefore correct in my assumption that the ISP is routing my pings ...
    (Security-Basics)