Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: Ansgar -59cobalt- Wiechers <cobalt () planetcobalt net>
Date: Tue, 1 Apr 2008 14:27:38 +0200
Mike, I think your mail was supposed to go to the list rather than me personally, so I'll CC my reply to the list.

On 2008-04-01 Mike Preston - Technomonk Industries wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> ICMP does not increase your exposure. That's plain and utter nonsense. Either your hosts are exposed or they're not. ICMP doesn't change the least about this. Security by obscurity will not help and is not a replacement for actual security. What is so hard to understand about that?
>
> As a matter of interest, does anyone know of any ICMP exploits besides DoS? If there are none, then the whole problem is moot. As I understand it, ICMP is an integral part of the TCP stack and as such the code will be there whether you block ICMP or not, so short of having a buggy TCP stack it shouldn't increase exposure much if at all.
Well, Ping of Death comes to mind, but that issue has been fixed ages ago.
> Personally, I'd rather have my connection slow down because the far end told it to (source quench) than have a bottleneck cause lost packets and have to detect this. The packets still hit all the routers up to the drop point so this increases potential load for everyone. The DoS potential is still pretty small from this with the rise of the massive bot nets available to flood your connection.
Indeed.

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html