On Thu, 2 Oct 2003, Stephen J. Wilcox wrote:
It does raise the question of whether ICMP Echo is a good mechanism for monitoring systems that are across third party networks.
I personally think that filtering ICMP is becoming less useful and you would get better results using other probe methods eg SYN/RST as deployed by numerous port scanning tools eg nmap
The problems of PING monitoring have been around for a long time. SRI-NIC.ARPA had to block PING in 1987 because so many sites kept pinging the NIC, it was causing problems. I recall, but can't find, in the old ARPANET a memo about the problem of people pinging the IMP gateways. The advantage of using PING is the site can block or rate-limit PING without effecting their "real" services. Using SYN/RST is a higher overhead probe, leaving the host with fewer alternatives when the "monitoring" packets causes problems with the other services. Most high visibility sites, like the Root Servers, Yahoo, Google, CNN, BBC, Whitehouse.Gov, etc are under almost constant "attack" from people monitoring their reachability. Almost no third-party monitors ask permission to engage in the constant pinging/monitoring of the sites. The Department of Defense used to report every PING or Traceroute attempt as an "attack" on their networks. It was great for generating huge numbers for Congress when asking for more money, but is it really a usefull measurement. PING is a useful tool. But if the target host blocks ping, it probably shouldn't be considered an invitation to "monitor" the site with more intrusive methods. On the other hand, if ISPs had zero tolorance policies and enforced every term of their AUP in every instance, virtually every network tool and network engineer would be considered network abuse.