Re: Removing ping/icmp from a network

[Ansgar -59cobalt- Wiechers <cobalt () planetcobalt net>]

Mike,

I think your mail was supposed to go to the list rather than me
personally, so I'll CC my reply to the list.

On 2008-04-01 Mike Preston - Technomonk Industries wrote:
> Ansgar -59cobalt- Wiechers wrote:
> > ICMP does not increase your exposure. That's plain and utter
> > nonsense. Either your hosts are epxosed or they're not. ICMP doesn't
> > change the least about this. Security by obscurity will not help and
> > is not a replacement for actual security. What is so hard to
> > understand about that?
>
> As a matter of interest, does anyone know of an ICMP exploits besides
> DoS? If there are none, then the whole problem is moot. As I
> understand it ICMP is an integral part of the TCP stack and as such
> the code will be there whether you block ICMP or not, so short of
> having a buggy TCP stack it shouldn't increase exposure much if at
> all.

Well, Ping of Death comes to mind, but that issue has been fixed ages
ago.

> Personally, I'd rather have my connection slow down because the far
> end told it to (source quench) than have a bottleneck cause lost
> packets and have to detect this. The packets still hit all the routers
> up to the drop point so this increases potential load for everyone.
> The DoS potential is still pretty small from this with the rise of the
> massive bot nets available to flood your connection.

Indeed.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html