On Wed, 2003-12-03 at 22:09, Jamie Reid wrote:
> This was a problem when filtering Nachi while it pinged networks to their knees.
I think the problem was exacerbated by the fact that some ISPs responded by blocking _all_ ICMP. It's bad enough that this killed their own ability to see if their hardware was up or down; it also amplified traffic, as ICMP errors were no longer returned (due to retransmits, and now being prime address space for spoofing).
> Sometimes I wonder if there is any legitimate reason to allow pings from users at all.
This all comes down to the SLA. For home users, you can probably get away with it. For business-level connections, "not knowing" and killing the service can have financial repercussions. Of course we're talking about addressing a symptom, not a problem. The "problem" is not ICMP Type 8's; the problem is systems that are unprotected and users that can't figure out when the box has been whacked. Personally, I was bummed that my all-Linux/BSD network could not use Type 8's because my upstream was filtering them due to Windows boxes getting whacked with Nachi. A couple of other people mentioned rate limiting. That is probably the best option. Of course supporting it can drive up hardware costs.
> If the user really needed to use ping, that is, if they were in a position to do anything about the results of the ping tests, then they would know enough to use traceroute in UDP mode or some other tool.
Could be UDP is blocked while type 8's are not. Could be they are on a Windows box which uses type 8's for tracing rather than UDP.
> There are lots of other useful ICMP types to handle all the other ICMP needs, but ping seems to be something that was created for the convenience of a kind of user that is effectively extinct in today's Internet.
There are a *ton* of companies out there that monitor system up status via Type 8's over the Internet. I'm not saying it's a good idea or that there are not other options. Just that it would break a ton of business models if it goes away.
> ICMP echo is unique among ICMP types in that it is the only one that elicits its own response.
What about subnet mask request? Timestamp request? Information request? There are probably others as well.
> There is nothing that echoes do that SNMP (I know, I know) and traceroute don't accomplish in a more controlled fashion, no?
EEEK! SNMP opens up a point of accessing code running on the device. As for traceroute, if all I'm interested in is the endpoint, I've generated a ton of unnecessary traffic. Given an average 15-hop distance between Internet hosts, that would be 90 traceroute packets to do the job, vs. ping only needing 2. Sure, I can tweak the start and stop hop count (actually Windows does not let you set the min starting hop) to drop this quantity, but how many users are going to bother?
> It would kill a lot of DDoS attacks and render their zombie networks useless,
I seem to remember we said the same thing about killing Smurf amplifier networks. The black hats just changed tactics and started whacking a ton of hosts. Killing Type 8's will not cure "the problem", as the problem is totally capable of mutating into something that will still be effective (like SYN flooding). HTH, C
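The rate-limiting option mentioned above, and the point that the other ICMP types must keep flowing, can be shown in a small model. This is an added example, not code from the thread or its authors: a per-source token bucket that throttles only ICMP echo requests (Type 8) and passes every other ICMP type untouched, run over a constructed packet stream (all addresses are RFC 5737 documentation ranges and the timings are made up).

```python
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8  # "Type 8" in the thread

@dataclass
class Packet:
    src: str        # source IP (constructed, RFC 5737 documentation ranges)
    icmp_type: int  # ICMP type field
    ts_ms: int      # arrival time in milliseconds

class EchoRateLimiter:
    """Per-source token bucket applied only to ICMP echo requests.
    Tokens are integer milli-tokens so refills are exact. Every other ICMP
    type (unreachable, time exceeded, ...) passes untouched, so path error
    reporting is not collateral damage of the echo limit."""

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec
        self.cap = burst * 1000
        self.tokens = defaultdict(lambda: self.cap)
        self.last_ms = {}

    def allow(self, pkt: Packet) -> bool:
        if pkt.icmp_type != ICMP_ECHO_REQUEST:
            return True
        elapsed = pkt.ts_ms - self.last_ms.get(pkt.src, pkt.ts_ms)
        self.tokens[pkt.src] = min(self.cap, self.tokens[pkt.src] + elapsed * self.rate)
        self.last_ms[pkt.src] = pkt.ts_ms
        if self.tokens[pkt.src] >= 1000:  # one whole token per echo request
            self.tokens[pkt.src] -= 1000
            return True
        return False  # dropped; no token is consumed

def filter_stream(packets, rate_per_sec=2, burst=5):
    """Split packets into (passed, dropped) lists in arrival order."""
    lim = EchoRateLimiter(rate_per_sec, burst)
    passed, dropped = [], []
    for p in sorted(packets, key=lambda p: p.ts_ms):
        (passed if lim.allow(p) else dropped).append(p)
    return passed, dropped

# Constructed sample: one host firing 20 echo requests in one second,
# one host pinging once per second, and a router returning ICMP errors.
SAMPLE = (
    [Packet("192.0.2.10", 8, i * 50) for i in range(20)]
    + [Packet("198.51.100.7", 8, i * 1000) for i in range(3)]
    + [Packet("203.0.113.1", 11, 500), Packet("203.0.113.1", 3, 700)]
)
```

With a burst of 5 and a refill of 2 per second, the flooding host gets 6 of its 20 echoes through, the once-a-second host is never touched, and the router's Time Exceeded and Unreachable messages are delivered regardless of bucket state.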