Firewall Wizards mailing list archives
Re: ICMP Packets.
From: "Don Kendrick" <dkendrick () mindspring com>
Date: Tue, 2 Jun 1998 17:06:49 -0400
Please see below for my reasoning...you may disagree, but here it is....

-----Original Message-----
From: Perry E. Metzger <perry () piermont com>
To: Don Kendrick <dkendrick () mindspring com>
Cc: perry () piermont com <perry () piermont com>; Toddb <toddb () pacifier com>; firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Tuesday, June 02, 1998 4:01 PM
Subject: Re: ICMP Packets.
> "Don Kendrick" writes:
> > Agreed on the Path MTU stuff in theory though it really depends what
> > kind of traffic is going between the internal and external nets. For
> > one, I'd rather deny ICMP and suffer some on performance.
>
> Do you understand the actual consequences here? Someone trying to contact you is going to jack up their Path MTU and NOT get an ICMP message back, so their packets to you are going to go into space because they get frag'ed for really *loooong* periods of time until blackhole detection kicks in. Is that REALLY what you want for your network? Detecting the problem is going to be a bitch, too.
Here's where the physical comes into play...as I said, it depends what kind of traffic and how it's set up. If someone tries to crank up their Path MTU I'm fairly confident that some place before it hits my external router, some router somewhere in the path is going to have a lower MTU than what I can handle. I'm expecting that those routers will have (and should have) ICMP...these routers I think of as the "public Internet"...ISP and backbones.
> If you filter ICMPs, you're also setting yourself up as an ideal network to have its IP addresses forged in someone's SYN flood attack on an innocent third party. No "Unreachable" messages means the poor victim is going to have to keep state for god knows how long while replying to a nonexistent host/port on your LAN. You are guaranteed to provide the bad guys with lots of fun.
Agreed, but how many of the SYN attack prevention patches use the "Unreachables" to reset? Not trying to be smart...just asking, I really don't know. It also goes to the point of how many IP addresses you advertise to the world and whether you own those IP addresses or they are the ISP's. In my first post, I talked about the standard config of an external router connected point to point to the ISP's router. Can't that ISP's router provide the "unreachables" for the whole address space except for that very small subnet of addresses that I advertise to the world?
> I've never understood why blocking ICMP was going to make you more secure in the first place. Lots of ICMP information is very valuable in making protocols run smoothly. Sure, some of it can be dangerous if it is misused, like redirects, but you should know what you are doing, not blindly block the whole protocol.
My main reason for doing it over a year ago was that I did not want anyone mapping my external network as well as redirects. But it also has been helpful in blocking some of these more recent attacks as well. I run ICMP internally and also think it should be run externally, I just don't think they should be mixed.
> Perry
My two cents....it has worked for me but then again I agree with Henry's post on the topic...you have to do what's right for you in your situation. Don
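The disagreement above is about where the hop with the smallest MTU sits relative to the filtering firewall, and whether the firewall passes the one ICMP message Path MTU discovery depends on (type 3, code 4, "fragmentation needed and DF set"). The following simulation is an added example, not code from the thread or from either poster: it models a remote sender doing PMTUD toward a host behind a border firewall with one of three policies (allow all ICMP, block all ICMP, or a selective policy that passes unreachables and time-exceeded but drops redirects and echo requests), and shows the black-hole fallback Perry describes when the small-MTU hop is behind a filter that drops the error. The two paths, their hop names and MTUs are constructed for illustration.

```python
"""Path MTU discovery across an ICMP-filtering border: an added simulation.

Hop names, MTU values and the three policies are constructed for illustration;
the ICMP type/code numbers are the RFC 792 / RFC 1191 values.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4      # type 3, code 4: fragmentation needed and DF set
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


@dataclass
class Hop:
    name: str
    mtu: int
    inside: bool  # True if this router sits behind the filtering firewall


@dataclass
class IcmpError:
    icmp_type: int
    icmp_code: int
    next_hop_mtu: int


def selective_filter(icmp_type: int, icmp_code: int) -> bool:
    """Per-type border policy: pass what PMTUD and TCP need, drop the rest.

    Destination Unreachable (including 3/4) and Time Exceeded are passed;
    Redirect and Echo Request, the types the thread worries about, are dropped.
    """
    return icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED)


POLICIES: Dict[str, Callable[[int, int], bool]] = {
    "allow_all": lambda t, c: True,
    "block_all": lambda t, c: False,
    "selective": selective_filter,
}


def forward(path: List[Hop], size: int, df: bool) -> Tuple[bool, Optional[IcmpError], Optional[Hop]]:
    """Walk the path with a datagram of `size` bytes.

    A router whose MTU is smaller than the datagram generates a 3/4 error when
    DF is set (RFC 1191 behaviour) and otherwise fragments and forwards.
    Returns (delivered, error, hop_that_generated_error).
    """
    for hop in path:
        if size > hop.mtu:
            if df:
                return False, IcmpError(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, hop.mtu), hop
            size = hop.mtu  # fragmented; fragments fit this and later hops
    return True, None, None


def send_with_pmtud(path: List[Hop], size: int, policy: str, max_retries: int = 5) -> Tuple[str, int, int]:
    """A remote sender with PMTUD enabled talking to a host behind `policy`.

    Returns (outcome, final_pmtu, attempts). "delivered" means a DF datagram
    got through; "blackhole_fallback" means the sender never saw an ICMP error,
    exhausted max_retries, and fell back to sending with DF cleared.
    """
    filt = POLICIES[policy]
    pmtu = size  # the sender starts from its own interface MTU
    attempts = 0
    while attempts < max_retries:
        attempts += 1
        ok, err, hop = forward(path, pmtu, df=True)
        if ok:
            return "delivered", pmtu, attempts
        # The 3/4 error must travel back to the sender. If the router that
        # generated it is behind the firewall, the border policy decides.
        if hop.inside and not filt(err.icmp_type, err.icmp_code):
            continue  # silently dropped: the sender just sees a timeout
        pmtu = err.next_hop_mtu
    # Black-hole detection: give up on DF and let routers fragment.
    ok, _, _ = forward(path, pmtu, df=False)
    return ("blackhole_fallback" if ok else "lost"), pmtu, attempts


# Constructed paths. PUBLIC_PATH is Don's assumption: the narrow hop is in the
# ISP's network, outside the firewall. INSIDE_PATH is Perry's concern: the
# narrow hop is behind the firewall, so its ICMP error has to cross the filter.
PUBLIC_PATH = [Hop("isp-backbone", 1400, inside=False), Hop("border", 1500, inside=True), Hop("lan", 1500, inside=True)]
INSIDE_PATH = [Hop("isp-backbone", 1500, inside=False), Hop("border", 1500, inside=True), Hop("dmz-tunnel", 1280, inside=True)]

if __name__ == "__main__":
    for label, path in (("public narrow hop", PUBLIC_PATH), ("inside narrow hop", INSIDE_PATH)):
        for policy in POLICIES:
            print(label, policy, send_with_pmtud(path, 1500, policy))
```

Running it shows that with the narrow hop outside the border, every policy converges on a 1400-byte PMTU in two attempts, which is Don's point; with the narrow hop inside, `block_all` burns all retries and lands in the black-hole fallback while `selective` converges on 1280 in two attempts, which is Perry's point and the reason a selective policy, rather than a blanket drop, is the usual compromise.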