Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: "Mark Owen" <mr.markowen () gmail com>
Date: Sat, 5 Apr 2008 12:17:38 -0500
The discussion here has mostly revolved around blocking ICMP to web hosts and why it is/not a good idea, but what really has not been mentioned is how. Usually admins who are set on doing so will block it at either the router or firewall level, not the host. This can create additional problems, including limiting access to your host. If you block all of ICMP, you block not just the echo reply requests but the errors as well. This can create a problem known as a "black hole connection".

Wikipedia: "Many 'security' devices incorrectly block all ICMP messages, including the errors that are necessary for PMTUD to work. This can result in connections that complete the TCP three-way handshake correctly, but then hang when data is transferred. This state is referred to as a "black hole connection"."
http://en.wikipedia.org/wiki/PMTU

ICMP is necessary for Internet traffic and blocking it can lead to problems that are not easily resolvable. Ironically, Microsoft advises not to block ICMP traffic in a router and to replace the router if you cannot configure it to.

From KB:314825 "How to Troubleshoot Black Hole Router Issues" under "Fixing or Working Around a Black Hole Router":

"Configure intermediate routers to send ICMP Type 3 Code 4 messages ("destination unreachable, don't fragment (DF) bit sent and fragmentation required"). This might require a router software or firmware upgrade, router reconfiguration, or router replacement."

-- Mark Owen
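The following is an added example, not part of Mark's post or of any product he mentions. It models the two filtering choices the post contrasts: a "block all ICMP" rule versus a rule set that drops echo requests but still passes the error messages PMTUD depends on (Type 3 "destination unreachable", including Code 4 "fragmentation needed", and Type 11 "time exceeded"). It parses raw ICMPv4 datagrams, verifies the RFC 1071 checksum, and extracts the next-hop MTU that a Type 3 Code 4 message carries (RFC 1191). The sample datagrams are constructed inline, not captured from a real network, and the policy functions are a simplified stand-in for a firewall's rule table.

```python
import struct

# ICMPv4 message types and codes used below (RFC 792 / RFC 1191)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
FRAG_NEEDED_CODE = 4  # Type 3 Code 4: DF set and fragmentation required


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMPv4 datagram with a correct checksum (used only to construct samples)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    csum = internet_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(datagram: bytes) -> dict:
    """Decode the 8-byte ICMPv4 header; reject short or corrupted datagrams."""
    if len(datagram) < 8:
        raise ValueError("short ICMP datagram")
    # A valid datagram sums to zero when the checksum field is included.
    if internet_checksum(datagram) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", datagram[:4])
    msg = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH and code == FRAG_NEEDED_CODE:
        # RFC 1191: the next-hop MTU sits in the low 16 bits of the "unused" field
        msg["next_hop_mtu"] = struct.unpack("!H", datagram[6:8])[0]
    return msg


def block_all_icmp(msg: dict) -> str:
    """The 'security device' behaviour the post warns about: every ICMP message is dropped."""
    return "DROP"


def pmtud_safe_policy(msg: dict) -> str:
    """Drop pings, but keep the error types that PMTUD and traceroute-style diagnostics need."""
    if msg["type"] in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "ACCEPT"  # includes Type 3 Code 4, which the KB article says must get through
    if msg["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "DROP"    # the stated goal: no ping
    return "DROP"        # default-deny for everything else


# Constructed sample datagrams (assumption: an 8-byte ping payload and a 28-byte quoted IP header)
SAMPLES = {
    "ping": build_icmp(ICMP_ECHO_REQUEST, 0, rest=struct.pack("!HH", 0x1234, 1), payload=b"abcdefgh"),
    "frag_needed": build_icmp(ICMP_DEST_UNREACH, FRAG_NEEDED_CODE,
                              rest=struct.pack("!HH", 0, 1400), payload=b"\x45" + b"\x00" * 27),
    "ttl_exceeded": build_icmp(ICMP_TIME_EXCEEDED, 0, payload=b"\x45" + b"\x00" * 27),
}


def evaluate(policy) -> dict:
    """Run every sample through a policy and report the verdict per message."""
    return {name: policy(parse_icmp(pkt)) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, policy in (("block all ICMP", block_all_icmp), ("PMTUD-safe", pmtud_safe_policy)):
        print(name, evaluate(policy))
    print("next-hop MTU advertised:", parse_icmp(SAMPLES["frag_needed"])["next_hop_mtu"])
```

Running it shows the "block all" policy silently discarding the fragmentation-needed message a router would send back, which is exactly the condition that leaves a TCP session hung after a successful handshake; the second policy still refuses echo requests while letting that message, and its advertised 1400-byte MTU, reach the host.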