Security Basics mailing list archives

RE: ICMP (Ping)


From: Tony Kava <securityfocus () pottcounty com>
Date: Wed, 3 Sep 2003 11:20:03 -0500

What about compliance with standards? ICMP echo is a useful diagnostic tool,
and not responding to ICMP echo is not an effective means of protecting
yourself.  I believe members of this list have often cited the lack of value
found in 'security by obscurity'.  I do not wish to suggest that allowing
all types of ICMP traffic is a safe practice, but ICMP echoes should be
accepted and replies should be sent unless you have blocked them in order to
mitigate a denial of service attack or because you believe the source of the
request is malicious in nature.

== RFC 1122 snippet ==

3.2.2.6  Echo Request/Reply: RFC-792
 
Every host MUST implement an ICMP Echo server function that
receives Echo Requests and sends corresponding Echo Replies.
A host SHOULD also implement an application-layer interface
for sending an Echo Request and receiving an Echo Reply, for
diagnostic purposes.
 
An ICMP Echo Request destined to an IP broadcast or IP
multicast address MAY be silently discarded.

== end of snippet ==

Just my two cents, as it were.

--
Tony Kava
Network Administrator
Pottawattamie County, Iowa
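One way to implement the echo server function that the RFC 1122 snippet requires, including the optional silent discard of broadcast/multicast requests; this is an added example, not code from the post or the RFC, and the local subnet mask and sample packet are assumptions:

```python
"""ICMP Echo Request -> Echo Reply handling as RFC 1122 3.2.2.6 describes.

Added example, not from the mailing-list post or the RFC. It works on raw
IPv4 packets passed in as bytes (no sockets are opened); the sample request
is constructed, and the local subnet mask is an assumed parameter used to
recognise directed-broadcast destinations.
"""
import ipaddress
import struct
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def echo_reply_for(ip_packet: bytes, local_mask: str = "255.255.255.0") -> Optional[bytes]:
    """Return the ICMP Echo Reply for an incoming IPv4 Echo Request, or None when
    it should be dropped: not an echo request, corrupted (checksum does not verify),
    or addressed to a broadcast/multicast destination (RFC 1122 'MAY be discarded')."""
    ihl = (ip_packet[0] & 0x0F) * 4
    dst = ipaddress.IPv4Address(ip_packet[16:20])
    icmp = ip_packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST or icmp_checksum(icmp) != 0:
        return None
    subnet = ipaddress.IPv4Network(f"{dst}/{local_mask}", strict=False)
    if dst.is_multicast or dst == subnet.broadcast_address:
        return None
    # The reply keeps identifier, sequence number and data; only type and checksum change.
    body = bytes([ICMP_ECHO_REPLY, 0, 0, 0]) + icmp[4:]
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def build_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet carrying an ICMP Echo Request (sample input).
    The IPv4 header checksum is left zero; this example only inspects the ICMP part."""
    icmp = bytes([ICMP_ECHO_REQUEST, 0, 0, 0]) + struct.pack("!HH", ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + icmp
```

Calling `echo_reply_for(build_echo_request("192.0.2.10", "192.0.2.20", 0x1234, 1, b"ping"))` yields a type-0 reply carrying the same identifier, sequence number and data, while the same request sent to 192.0.2.255 or 224.0.0.1 yields None.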



-----Original Message-----
From: freeasabird_13 () gmx net [mailto:freeasabird_13 () gmx net]
Sent: Tuesday, 02 September, 2003 21:12
To: Paul Kurczaba; security-basics () securityfocus com
Subject: Re: ICMP (Ping)


Are there any security issues for allowing a firewall/router to respond to
Ping from the internet?

-Paul Kurczaba

Yes.  It would not be preferable for you to allow your firewall/router to
respond to pings from the internet.  Someone running a wide-scale scan of
internet computers for possible attack targets would quickly be made aware
of your obvious internet presence and you could become a target for attack.
This wouldn't be such a big problem provided your firewall/router was
well-configured with security in mind.  If there is no overwhelming reason
for allowing your device to respond to pings then it shouldn't be configured
to do so.  It is simply calling too much attention to your systems and their
possible vulnerabilities.  Well anyway, that's my quick 2 cents on the
matter.  I'm sure others will share theirs too.

Best Wishes,

~Nathaniel Hasenfus


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.515 / Virus Database: 313 - Release Date: 9/1/2003


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.
Visit us: www.blackhat.com
----------------------------------------------------------------------------


