Educause Security Discussion mailing list archives

Re: ICMP blocking

From: "Constantakos, William" <wcon () CONNCOLL EDU>
Date: Wed, 6 Dec 2006 17:01:51 -0500

We only block inbound echo requests, anything else just makes maintenance/admin/troubleshooting painful.


William Constantakos, CCNA                    
Systems Administrator
Connecticut College
wcon () conncoll edu
860.439.2183



-----Original Message-----
From: ken lindahl [mailto:lindahl () BERKELEY EDU]
Sent: Wed 12/6/2006 4:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] ICMP blocking
 
Gary Dobbins wrote:

Quick survey:  Who's blocking ICMP subsets (like echo requests, 
traceroutes) at their borders?  Who's not?  Strong feelings about why in 
either case?


berkeley is not and feels strongly about it. ping and traceroute can be
extremely useful for troubleshooting basic network connectivity problems,
and can provide important information for understanding more complex
performance issues.

Certainly, doing so is not a huge security gain, but the alternative 
means you're giving away the map anonymously.


our map is posted on a web page. but we try to keep it out of date to
throw off the bad guys. ;-)

How polar is the community on this?


this community of one is extremely polar.

ken

Current thread:

ICMP blocking Gary Dobbins (Dec 06)
- <Possible follow-ups>
- Re: ICMP blocking ken lindahl (Dec 06)
- Re: ICMP blocking Jeff Kell (Dec 06)
- Re: ICMP blocking Constantakos, William (Dec 06)
- Re: ICMP blocking Randy Marchany (Dec 06)
- Re: ICMP blocking David Gillett (Dec 06)
- Re: ICMP blocking John Ladwig (Dec 06)
- Re: ICMP blocking David Lundy (Dec 06)
- Re: ICMP blocking Gary Flynn (Dec 06)
- Re: ICMP blocking Ken Connelly (Dec 06)
- Re: ICMP blocking Russell Fulton (Dec 07)
- Re: ICMP blocking Joe St Sauver (Dec 07)