[linux-security] Re: ICMP
- From: David Balazic <david balazic uni-mb si>
- To: Jonathan Benson <sysadmin ocean com au>
- Cc: wulfman <wulfman wulfman com>, "linux-security redhat com" <linux-security redhat com>
- Subject: [linux-security] Re: ICMP
- Date: Thu, 29 Jun 2000 10:07:15 +0200
Jonathan Benson wrote:
>
> wulfman wrote:
>
> > After the recent attacks on the major servers on the web my ISP has
> > decided to stop all ICMP messages from his ISP.
> >
> > I have read the RFCs and it seems that he can't do that... As a result
> > pings and traceroutes will not work.
>
> Having ping's and traceroutes not working isn't all that horrible.
> Stopping the destination unreachable (fragmentation needed) ICMP message is
> as it will break MTU discovery.
>
> To a network I want relatively secure I've blocked:
> echo-requests inbound (ping)
> time-exceeded outbound (traceroute)
> redirect inbound (could be nasty)
Consider this (true) scenario:
- I try to visit http://www.microsoft.com
- doesn't work
- I ping www.microsoft.com
- no reply, I think "Aha, it is dead" (*)
- after 1 hour I ping it again
- still no reply, "Well, they didn't fix it yet..." (*)
- after another hour I ping it again and guess what, still no reply
my thoughts: "The admin at MS is incompetent!"
- then a colleague says that he has been using the site for the last hour
- I try it also and see the wonder, it works. I curse a random
net-admin and go on with my life.
Need I say more?
There is a reason that they "invented" ping!
> Everything else comes through. I did the first two to stop people learning
> more than they need to about the network and the last to stop someone
> fooling a machine into routing packets somewhere it shouldn't.
>
> If anyone out there knows better than I and can suggest other things I
> should be blocking or give good reason why I shouldn't block some of these
> I'm always willing to learn more.
It seems a good idea to block inbound packets to your broadcast address.
And packets from outside that claim to come from an inside address.
It might be useful to put a maximum size limit on ping packets.
> Jon
David Balazic
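The ICMP policy the thread converges on, written out as a small packet classifier so the individual rules can be checked against sample packets. This is an added example, not code from anyone in the thread; the inside prefix 192.0.2.0/24 and the 1500-byte ping cap are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# ICMP type numbers from RFC 792; code 4 of type 3 is "fragmentation needed and DF set".
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4

INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal prefix (documentation range)
BROADCAST = INSIDE_NET.broadcast_address           # 192.0.2.255
MAX_PING_BYTES = 1500                              # assumed size cap for echo packets


@dataclass
class IcmpPacket:
    direction: str      # "in" (arriving from the Internet) or "out" (leaving the inside net)
    src: str
    dst: str
    icmp_type: int
    icmp_code: int = 0
    length: int = 64    # total IP length in bytes


def verdict(p: IcmpPacket) -> str:
    """Return 'ACCEPT' or 'DROP: <reason>' for one ICMP packet under the thread's policy."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    # David's two additions: anti-spoofing and no traffic to the broadcast address.
    if p.direction == "in" and src in INSIDE_NET:
        return "DROP: spoofed inside source arriving from outside"
    if p.direction == "in" and dst == BROADCAST:
        return "DROP: inbound to broadcast address"
    # Jon's three rules.
    if p.direction == "in" and p.icmp_type == ECHO_REQUEST:
        return "DROP: inbound echo-request"
    if p.direction == "out" and p.icmp_type == TIME_EXCEEDED:
        return "DROP: outbound time-exceeded"
    if p.direction == "in" and p.icmp_type == REDIRECT:
        return "DROP: inbound redirect"
    # Size limit on ping packets in either direction.
    if p.icmp_type in (ECHO_REQUEST, ECHO_REPLY) and p.length > MAX_PING_BYTES:
        return "DROP: oversized ping"
    # Everything else passes; in particular type 3 code 4 must pass both ways
    # or path-MTU discovery breaks, and inbound echo-reply must pass so our
    # own pings (the diagnostic tool David defends) still get answers.
    return "ACCEPT"


if __name__ == "__main__":
    for pkt in (IcmpPacket("in", "203.0.113.5", "192.0.2.10", ECHO_REQUEST),
                IcmpPacket("in", "203.0.113.5", "192.0.2.10", DEST_UNREACH, FRAG_NEEDED),
                IcmpPacket("in", "192.0.2.7", "192.0.2.10", ECHO_REPLY)):
        print(pkt.direction, pkt.src, "->", pkt.dst, "type", pkt.icmp_type, ":", verdict(pkt))
```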