Educause Security Discussion mailing list archives
Re: ICMP blocking
From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 6 Dec 2006 14:32:07 -0800
We allow what's needed for ping and traceroute to be useful [echo request, echo reply, unreachables, and TTL exceeded]. We don't generally allow hosts to ping things they aren't allowed to reach.

We drop fragmented ICMP packets. For a while, we were seeing some exceptionally dimwitted DoS attempts that basically allocated a ~64KB buffer and tried to repeatedly send it as ICMP payload.

We recently had a security evaluation done that found the ICMP "request timestamp" function was being permitted -- we've now blocked it. I'm not certain what the actual vulnerability is there, except perhaps to identify hosts that aren't using NTP and so are drifting out of sync.

David Gillett
-----Original Message-----
From: Gary Dobbins [mailto:dobbins () ND EDU]
Sent: Wednesday, December 06, 2006 1:25 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ICMP blocking

Quick survey: Who's blocking ICMP subsets (like echo requests, traceroutes) at their borders? Who's not? Strong feelings about why in either case?

Certainly, doing so is not a huge security gain, but the alternative means you're giving away the map anonymously. How polar is the community on this?

Thanks.

--
------------------------------------------------------------
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies
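The border policy David Gillett describes (permit echo request/reply, unreachables and TTL exceeded; drop fragmented ICMP; block timestamp request/reply; only let hosts ping what they may otherwise reach) expressed as an executable filter over raw IPv4/ICMP bytes. This is an added example for this archive page, not code from either poster or from any firewall vendor; the "pingable" network, the packet builder and the sample packets are constructed here for illustration.

```python
"""Toy ICMP border filter implementing the policy from the message above.
Added example, not the list's code. Packets are constructed, not captured."""
import ipaddress
import struct
from typing import NamedTuple, Optional, Tuple

# ICMP types (RFC 792).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14

# What ping and traceroute need, per the message.
PERMITTED_TYPES = {ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED}
# Blocked explicitly after the security evaluation mentioned in the message.
BLOCKED_TYPES = {TIMESTAMP_REQUEST, TIMESTAMP_REPLY}

IP_MF = 0x2000            # "more fragments" flag in the flags/offset field
IP_FRAG_OFFSET = 0x1FFF   # 13-bit fragment offset (in 8-byte units)


class IcmpInfo(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    is_fragment: bool
    icmp_type: Optional[int]   # None for non-first fragments (no ICMP header present)
    icmp_code: Optional[int]
    payload_len: int


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (used only by the packet builder)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(pkt: bytes) -> Optional[IcmpInfo]:
    """Parse an IPv4 packet; return IcmpInfo for ICMP, None for other protocols."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl,
     proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if proto != 1:
        return None
    offset = flags_frag & IP_FRAG_OFFSET
    is_fragment = bool(flags_frag & IP_MF) or offset != 0
    body = pkt[ihl:]
    src_a, dst_a = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if offset != 0:
        # Later fragments carry no ICMP header, so a stateless filter cannot
        # see the type at all: one reason to drop fragmented ICMP outright.
        return IcmpInfo(src_a, dst_a, True, None, None, len(body))
    if len(body) < 8:
        raise ValueError("short ICMP header")
    return IcmpInfo(src_a, dst_a, is_fragment, body[0], body[1], len(body) - 8)


def filter_icmp(pkt: bytes, pingable: ipaddress.IPv4Network) -> Tuple[str, str]:
    """Apply the border policy. Returns ("accept" | "drop", reason)."""
    info = parse_ipv4_icmp(pkt)
    if info is None:
        return "accept", "not ICMP; left to the other rules"
    if info.is_fragment:
        # Also catches the ~64KB-payload floods: they cannot fit in one datagram.
        return "drop", "fragmented ICMP"
    if info.icmp_type in BLOCKED_TYPES:
        return "drop", "timestamp request/reply blocked"
    if info.icmp_type not in PERMITTED_TYPES:
        return "drop", "ICMP type %d not permitted" % info.icmp_type
    if info.icmp_type == ECHO_REQUEST and info.dst not in pingable:
        return "drop", "echo request to host not reachable by policy"
    return "accept", "ICMP type %d permitted" % info.icmp_type


def build_icmp(src: str, dst: str, itype: int, code: int = 0, payload: bytes = b"",
               mf: bool = False, offset: int = 0) -> bytes:
    """Build a synthetic IPv4/ICMP packet for testing (not a real capture)."""
    if offset:
        body = payload                       # non-first fragment: no ICMP header
    else:
        icmp = struct.pack("!BBHHH", itype, code, 0, 0x1234, 1) + payload
        body = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    flags_frag = (IP_MF if mf else 0) | (offset & IP_FRAG_OFFSET)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, flags_frag, 64, 1, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + body


if __name__ == "__main__":
    net = ipaddress.IPv4Network("10.0.0.0/24")   # assumed set of hosts outsiders may ping
    for label, p in [("echo to pingable host", build_icmp("192.0.2.9", "10.0.0.5", ECHO_REQUEST)),
                     ("echo to other host", build_icmp("192.0.2.9", "10.0.1.5", ECHO_REQUEST)),
                     ("timestamp request", build_icmp("192.0.2.9", "10.0.0.5", TIMESTAMP_REQUEST)),
                     ("fragmented echo", build_icmp("192.0.2.9", "10.0.0.5", ECHO_REQUEST, mf=True))]:
        print("%-22s %s (%s)" % (label, *filter_icmp(p, net)))
```

The fragment check runs before the type check on purpose: a non-first fragment has no ICMP header, so any filter that only matches on type would pass it through, and a first fragment with MF set is the leading edge of exactly the oversized-payload floods mentioned above.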
Current thread:
- ICMP blocking Gary Dobbins (Dec 06)
- <Possible follow-ups>
- Re: ICMP blocking ken lindahl (Dec 06)
- Re: ICMP blocking Jeff Kell (Dec 06)
- Re: ICMP blocking Constantakos, William (Dec 06)
- Re: ICMP blocking Randy Marchany (Dec 06)
- Re: ICMP blocking David Gillett (Dec 06)
- Re: ICMP blocking John Ladwig (Dec 06)
- Re: ICMP blocking David Lundy (Dec 06)
- Re: ICMP blocking Gary Flynn (Dec 06)
- Re: ICMP blocking Ken Connelly (Dec 06)
- Re: ICMP blocking Russell Fulton (Dec 07)
- Re: ICMP blocking Joe St Sauver (Dec 07)