Re: ICMP blocking

[David Gillett <gillettdavid () FHDA EDU>]

  We allow what's needed for ping and traceroute to be useful
[echo request, echo reply, unreachables, and TTL exceeded].
We don't generally allow hosts to ping things they aren't allowed
to reach.
  We drop fragmented ICMP packets.  For a while, we were seeing
some exceptionally dimwitted DoS attempts that basically allocated
a ~64KB buffer and tried to repeatedly send it as ICMP payload.

  We recently had a security evaluation done that found the ICMP
"request timestamp" function was being permitted -- we've now blocked
it.  I'm not certain what the actual vulnerability is there, except
perhaps to identify hosts that aren't using NTP and so are drifting
out of sync.

David Gillett

> -----Original Message-----
> From: Gary Dobbins [mailto:dobbins () ND EDU]
> Sent: Wednesday, December 06, 2006 1:25 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] ICMP blocking
>
> Quick survey:  Who's blocking ICMP subsets (like echo requests,
> traceroutes) at their borders?  Who's not?  Strong feelings
> about why in either case?
>
> Certainly, doing so is not a huge security gain, but the
> alternative means you're giving away the map anonymously.
> How polar is the community on this?
>
> Thanks.
> --
>
>    ------------------------------------------------------------
>    Gary Dobbins, CISSP -- Director, Information Security
>    University of Notre Dame, Office of Information Technologies