Geekzone: technology news, blogs, forums
1204 posts

Uber Geek
+1 received by user: 247

Subscriber

Topic # 239324 12-Jul-2018 10:10

In a recent post I was told ICMP / ping / tracert packets were disabled by the ISP. I was told this is good practice.

I know there are ways to attack ICMP (e.g. SMURF), but if the ISP is routing those packets onto other servers, while disabling their servers from responding to the packets, are they not going to experience the same issues of DoS and data overload? Either they should disable ping packet routing (and not just response) or enable the lot, surely. Any thoughts?

There are many valid reasons for deprioritization of ICMP, just as there are for not responding at all.

How it looks on tools such as pingplotter is an unfortunate side-effect, however; even pingplotter supports alternative methods such as unix-style (UDP) pings that will perform differently.

@hio77

nunz

14117 posts

Uber Geek
+1 received by user: 2529

Trusted
Subscriber

  Reply # 2054821 12-Jul-2018 10:15

There are plenty of good articles about this. One, two, three.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


'That VDSL Cat'
8484 posts

Uber Geek
+1 received by user: 1834

Trusted
Spark
Subscriber

  Reply # 2054822 12-Jul-2018 10:17

As above, plenty of valid reasons.

Other folk explained this in that thread who are far closer to the core than I, too.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


3296 posts

Uber Geek
+1 received by user: 1797

Trusted
Lifetime subscriber

  Reply # 2054971 12-Jul-2018 12:56
One person supports this post

To me it's one of those "what's your favourite colour" questions. There isn't a right answer.

With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".





Information wants to be free. The Net interprets censorship as damage and routes around it.


'That VDSL Cat'
8484 posts

Uber Geek
+1 received by user: 1834

Trusted
Spark
Subscriber

  Reply # 2054974 12-Jul-2018 12:58

Lias:

To me it's one of those "what's your favourite colour" questions. There isn't a right answer.

With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!

It's like one of those "should you openly peer" questions.

That's one I'm glad I don't have a hand in managing.

So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


3296 posts

Uber Geek
+1 received by user: 1797

Trusted
Lifetime subscriber

  Reply # 2054978 12-Jul-2018 13:02

hio77:

Lias:

To me it's one of those "what's your favourite colour" questions. There isn't a right answer.

With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!

It's like one of those "should you openly peer" questions.

That's one I'm glad I don't have a hand in managing.

So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.

Nah, only evil companies don't offer free peering :-P

Information wants to be free. The Net interprets censorship as damage and routes around it.




1204 posts

Uber Geek
+1 received by user: 247

Subscriber

  Reply # 2056456 15-Jul-2018 14:17

hio77:

Lias:

To me it's one of those "what's your favourite colour" questions. There isn't a right answer.

With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!

It's like one of those "should you openly peer" questions.

That's one I'm glad I don't have a hand in managing.

So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.

Off the bat - Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack it is those two servers. You crack those and half the world is pwned by you. You DoS them and half the world has its systems crawl to a halt.

How many routers and people use those settings?

If Google can do it for those two - surely TCom and others can let your router gateway, on their private network, do that.

nunz

'That VDSL Cat'
8484 posts

Uber Geek
+1 received by user: 1834

Trusted
Spark
Subscriber

  Reply # 2056457 15-Jul-2018 14:23

nunz:

Off the bat - Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack it is those two servers. You crack those and half the world is pwned by you. You DoS them and half the world has its systems crawl to a halt.

How many routers and people use those settings?

If Google can do it for those two - surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.

They may share the same IP, but it is Anycast. Just as anything Google tends to do, it is very much horizontally scaled, silently.

As noted above by many others, there are plenty of valid reasons for and against it.

Also, it's Spark, not Telecom.

The days when it was one big blob are far past.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.




1204 posts

Uber Geek
+1 received by user: 247

Subscriber

  Reply # 2056470 15-Jul-2018 14:35

timmmay:

There are plenty of good articles about this. One, two, three.

Thanks - am reading. However, I had to note that the first lines of "ICMP, The good, bad and ..." state: "the reasons why this (blocking) is not an effective security measure against any level of targeted attack, and side effects of blocking ICMP that break legitimate network functionality"

and link two: "...required by IPv6 to operate normally...."

That and the general consensus that it decreases network efficiency (by removing packet information and routing options) means it should be left running (but malicious packets filtered).

That's especially true of the fragmentation messages that TCP/IP can't work around, leading to excessive packets being sent and never arriving.





nunz
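A border policy of the kind the posts argue about, as an added example that is not from the thread or from any ISP's configuration: instead of dropping all ICMP, it always passes the Fragmentation Needed / Packet Too Big and Time Exceeded messages nunz points to, refuses redirects, and rate-limits echo requests rather than dropping them, which is the deprioritisation hio77 describes. Type numbers are those of RFC 792 and RFC 4443; the packets, timestamps and token-bucket parameters are constructed for the demo.

```python
import struct

# ICMP messages the posts say legitimate traffic depends on, keyed by IP version
# as (type, code): Fragmentation Needed / Packet Too Big (PMTUD) and Time Exceeded.
ALWAYS_ALLOW = {4: {(3, 4), (11, 0), (11, 1)}, 6: {(2, 0), (3, 0), (3, 1)}}
NEVER_ALLOW = {4: {5}, 6: {137}}    # Redirect: never accepted at the border
RATE_LIMITED = {4: {8}, 6: {128}}   # Echo Request: answered, but on a budget

class TokenBucket:
    """Token bucket: `rate` tokens per second, at most `burst` banked."""
    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def decide(version, payload, bucket, now):
    """Classify one inbound ICMP message as 'allow', 'ratelimited' or 'drop'."""
    icmp_type, code = struct.unpack("!BB", payload[:2])   # first two header bytes
    if (icmp_type, code) in ALWAYS_ALLOW[version]:
        return "allow"
    if icmp_type in NEVER_ALLOW[version]:
        return "drop"
    if icmp_type in RATE_LIMITED[version]:
        return "allow" if bucket.allow(now) else "ratelimited"
    return "drop"   # default deny for everything else

def pkt(icmp_type, code):
    """Constructed ICMP header: type, code, then six zeroed bytes."""
    return bytes([icmp_type, code]) + b"\x00" * 6

def demo():
    """Walk constructed packets through the policy; timestamps are simulated."""
    bucket = TokenBucket(rate=1.0, burst=2)   # one echo per second, burst of two
    return [
        decide(4, pkt(3, 4), bucket, 0.0),   # Fragmentation Needed -> allow
        decide(4, pkt(5, 1), bucket, 0.0),   # Redirect -> drop
        decide(4, pkt(8, 0), bucket, 0.0),   # echo 1 -> allow
        decide(4, pkt(8, 0), bucket, 0.0),   # echo 2 -> allow, burst now spent
        decide(4, pkt(8, 0), bucket, 0.0),   # echo 3, same instant -> ratelimited
        decide(4, pkt(8, 0), bucket, 1.0),   # a second later -> allow again
        decide(6, pkt(2, 0), bucket, 1.0),   # ICMPv6 Packet Too Big -> allow
    ]
```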



1204 posts

Uber Geek
+1 received by user: 247

Subscriber

  Reply # 2056477 15-Jul-2018 14:53

hio77:

nunz:

Off the bat - Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack it is those two servers. You crack those and half the world is pwned by you. You DoS them and half the world has its systems crawl to a halt.

How many routers and people use those settings?

If Google can do it for those two - surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.

They may share the same IP, but it is Anycast. Just as anything Google tends to do, it is very much horizontally scaled, silently.

As noted above by many others, there are plenty of valid reasons for and against it.

Also, it's Spark, not Telecom.

The days when it was one big blob are far past.

Hi,

Was aware it is a distributed system - but it must still be prone to attack.

Are you saying TCom don't run servers which may or may not respond to ICMP? :b

nunz

'That VDSL Cat'
8484 posts

Uber Geek
+1 received by user: 1834

Trusted
Spark
Subscriber

  Reply # 2056480 15-Jul-2018 15:06
One person supports this post

nunz:

Hi,

Was aware it is a distributed system - but it must still be prone to attack.

Are you saying TCom don't run servers which may or may not respond to ICMP? :b

Telecom don't run servers; they don't exist in this day.

Spark have plenty that respond to ICMP. Simply not our borders.
This isn't a configuration that is likely to ever change.

I've worked with quite a few international data centers. This configuration was often common there too.

You're still comparing a DNS server to a border router.
Apples compared to bananas, dude...

Honestly, IMO I'd prefer we just didn't waste the cycles on ICMP; while it likely would be next to no difference, there isn't an actual use case past pingplotter.

Of which, pingplotter isn't a utility we use.

At this stage, I'm stepping out of this thread.
The policy won't be changed based off this thread, and even if it did, that wouldn't be my call.

Our network folk that do feature on here are amazing. They know what they are doing. They have a reason for everything, which might not always fit every customer's needs.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


26959 posts

Uber Geek
+1 received by user: 6409

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2056497 15-Jul-2018 16:09

nunz:

hio77:

nunz:

Off the bat - Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack it is those two servers. You crack those and half the world is pwned by you. You DoS them and half the world has its systems crawl to a halt.

How many routers and people use those settings?

If Google can do it for those two - surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.

They may share the same IP, but it is Anycast. Just as anything Google tends to do, it is very much horizontally scaled, silently.

As noted above by many others, there are plenty of valid reasons for and against it.

Also, it's Spark, not Telecom.

The days when it was one big blob are far past.

Hi,

Was aware it is a distributed system - but it must still be prone to attack.

Are you saying TCom don't run servers which may or may not respond to ICMP? :b

Somebody attacking 8.8.8.8 or 8.8.4.4 would merely take down the local Google DNS node - of which there would be hundreds (if not thousands) worldwide, and the effect could be as minimal as impacting Google DNS requests from a single RSP.

There are a myriad of reasons why ICMP is blocked or heavily deprioritised on core routers, and most of these are discussed in this thread. This is simply regarded as best practice by many, and nothing will change that.

 

 

 

 


3669 posts

Uber Geek
+1 received by user: 2196

Trusted
Spark NZ

  Reply # 2056550 15-Jul-2018 16:39
3 people support this post

sbiddle:

[snip]

There are a myriad of reasons why ICMP is blocked or heavily deprioritised on core routers, and most of these are discussed in this thread. This is simply regarded as best practice by many, and nothing will change that.

To be fair, it's generally only regarded as best practice by those in the industry with experience of dealing with highly scaled networks or services. It just doesn't make sense to end users or those with experience in small business or even enterprise networks.

How often does a business or enterprise run out of CPU on a router (unless it's doing DPI)? Basically never.

I race a cheap Lotus 7 replica and it really frustrates me that the Formula 1 teams do some things that are clearly wrong. I think they should change what they do because, based on what I know, some of their practices are just pointless or even hurt their performance.

Cheers - N

 

 

