Personal view: This was a problem when filtering Nachi while it pinged networks to their knees. Sometimes I wonder if there is any legitimate reason to allow pings from users at all. If the user really needed to use ping, that is, if they were in a position to do anything about the results of the ping tests, then they would know enough to use traceroute in UDP mode or some other tool. There are lots of other useful ICMP types to handle all the other ICMP needs, but ping seems to be something that was created for the convenience of a kind of user that is effectively extinct in todays Internet. ICMP echo is unique among ICMP types in that it is the only one that elicits it's own response. What I mean by this is that source-quench, <foo>-unreachables, and others are all generated by hosts and routers in response to relatively stateful traffic. There is nothing that echos do that SNMP (I know, I know) and traceroute don't accomplish in a more controlled fashion, no? It would kill alot of DDoS attacks and render their zombie networks useless, retire legacy backdoors and viruses, up the ante for network management tools, and slow down some virus propagation substantially. ICMP echos are a bit of a hack and, quite literally, noise, and I wonder if it may be time to consider unofficially retiring them using filters. -- Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca Senior Security Specialist, Information Protection Centre Corporate Security, MBS 416 327 2324
"Sean Donelan" <sean@donelan.com> 12/03/03 05:12pm >>>
You could drop ICMP packets at your firewall if the firewalls properly implemented stateful inspection of ICMP packets. The problem is few firewalls include ICMP responses in their statefull analysis. So you are left with two bad choices, permit "all" ICMP packets or deny "all" ICMP packets.