Geekzone: technology news, blogs, forums
nunz, 1421 posts, Uber Geek
#239324 12-Jul-2018 10:10

In a recent post I was told ICMP / ping / tracert packets were disabled by the ISP. I was told this is good practice.

I know there are ways to attack ICMP (e.g. Smurf), but if the ISP is routing those packets onto other servers, while disabling their servers from responding to the packets, are they not going to experience the same issues of DoS and data overload? Either they should disable ping packet routing (and not just response) or enable the lot, surely. Any thoughts?

There are many valid reasons for deprioritisation of ICMP, just as there are for not responding at all.

How it looks on tools such as PingPlotter is an unfortunate side-effect, however; even PingPlotter supports alternative methods such as Unix-style (UDP) pings that will perform differently.

@hio77


timmmay, 20591 posts, Uber Geek
#2054821 12-Jul-2018 10:15

There are plenty of good articles about this. One, two, three.




hio77, 12999 posts, Uber Geek
#2054822 12-Jul-2018 10:17

As above, plenty of valid reasons.

Other folk explained this in that thread who are far closer to the core than I, too.

#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

Lias, 5590 posts, Uber Geek
#2054971 12-Jul-2018 12:56

To me it's one of those "what's your favourite colour" questions. There isn't a right answer.

With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.




hio77, 12999 posts, Uber Geek
#2054974 12-Jul-2018 12:58

Lias:
To me it's one of those "what's your favourite colour" questions. There isn't a right answer.
With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!

It's like one of those "should you openly peer" questions.

That's one I'm glad I don't have a hand in managing.

So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.


Lias, 5590 posts, Uber Geek
#2054978 12-Jul-2018 13:02

hio77:
Lias:
To me it's one of those "what's your favourite colour" questions. There isn't a right answer.
With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!
It's like one of those "should you openly peer" questions.
That's one I'm glad I don't have a hand in managing.
So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.

Nah, only evil companies don't offer free peering :-P


nunz, 1421 posts, Uber Geek
#2056456 15-Jul-2018 14:17

hio77:
Lias:
To me it's one of those "what's your favourite colour" questions. There isn't a right answer.
With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!
It's like one of those "should you openly peer" questions.
That's one I'm glad I don't have a hand in managing.
So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.

Off the bat: Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack it is those two servers. You crack those and half the world is pwned by you. You DoS them and half the world has its systems crawl to a halt.

How many routers and people use those settings?

If Google can do it for those two, surely TCom and others can let your router gateway, on their private network, do that.


hio77, 12999 posts, Uber Geek
#2056457 15-Jul-2018 14:23

nunz:
Off the bat: Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack it is those two servers. You crack those and half the world is pwned by you. You DoS them and half the world has its systems crawl to a halt.
How many routers and people use those settings?
If Google can do it for those two, surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.

They may share the same IP, but it is anycast; just as anything Google tends to do, it is very much horizontally scaled, silently.

As noted above by many others, there are plenty of valid reasons for and against it.

Also, it's Spark, not Telecom.

The days when it was one big blob are far past.
nunz, 1421 posts, Uber Geek
#2056470 15-Jul-2018 14:35

timmmay:
There are plenty of good articles about this. One, two, three.

Thanks, am reading. However, I had to note that the first lines of "ICMP, The good, bad and ..." state: "the reasons why this (blocking) is not an effective security measure against any level of targeted attack, and side effects of blocking ICMP that break legitimate network functionality"

and link two: "...required by IPv6 to operate normally...."

That and the general consensus that it decreases network efficiency (by removing packet information and routing options) means it should be left running (but malicious packets filtered).

That's especially true of the fragmentation messages that TCP/IP can't work around, leading to excessive packets being sent and never arriving.
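The "leave ICMP running but filter the malicious packets" policy from the post above, as an added Python example that is not from this thread: a small ICMPv4 header parser that validates the checksum, keeps the diagnostic types and the Path MTU Discovery "fragmentation needed" message, and drops echo requests aimed at a broadcast address. The checksum routine, the type allow-list, the sample packets and the `dst_is_broadcast` flag (standing in for a check the IP layer would supply) are my own constructions.

```python
import struct

# ICMPv4 type numbers from RFC 792; code 4 under type 3 is "fragmentation
# needed and DF set", the message Path MTU Discovery depends on.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Constructed sample message (test input only) with a correct checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest + payload


def classify(packet: bytes, dst_is_broadcast: bool = False) -> str:
    """Decide what a 'keep ICMP on, filter the nasty bits' border would do.

    Returns 'allow: ...' or 'drop: ...' so the reason is visible in logs.
    """
    if len(packet) < 8:
        return "drop: truncated header"
    icmp_type, code = packet[0], packet[1]
    # A valid message sums to zero once its own checksum field is included.
    if icmp_checksum(packet) != 0:
        return "drop: bad checksum"
    if icmp_type == ECHO_REQUEST and dst_is_broadcast:
        return "drop: echo request to broadcast address (smurf amplifier)"
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        next_hop_mtu = struct.unpack("!H", packet[6:8])[0]   # bytes 6-7 per RFC 1191
        return "allow: PMTUD signal, next-hop MTU %d" % next_hop_mtu
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY, TIME_EXCEEDED):
        return "allow: diagnostic type %d" % icmp_type
    return "drop: type %d code %d not on the allow-list" % (icmp_type, code)


if __name__ == "__main__":
    frag = build_icmp(DEST_UNREACH, FRAG_NEEDED, rest=b"\x00\x00\x05\x00")  # MTU 1280
    print(classify(frag))
    print(classify(build_icmp(ECHO_REQUEST, 0), dst_is_broadcast=True))
```

The same idea carries over to ICMPv6, where Neighbour Discovery and Packet Too Big make a blanket block even more damaging, but the type numbers differ and are not covered here.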


nunz, 1421 posts, Uber Geek
#2056477 15-Jul-2018 14:53

hio77:
nunz:
Off the bat: Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack it is those two servers. You crack those and half the world is pwned by you. You DoS them and half the world has its systems crawl to a halt.
How many routers and people use those settings?
If Google can do it for those two, surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.
They may share the same IP, but it is anycast; just as anything Google tends to do, it is very much horizontally scaled, silently.
As noted above by many others, there are plenty of valid reasons for and against it.
Also, it's Spark, not Telecom.
The days when it was one big blob are far past.

Hi,

Was aware it is a distributed system, but it must still be prone to attack.

Are you saying TCom don't run servers which may or may not respond to ICMP? :b


hio77, 12999 posts, Uber Geek
#2056480 15-Jul-2018 15:06

nunz:
Hi,
Was aware it is a distributed system, but it must still be prone to attack.
Are you saying TCom don't run servers which may or may not respond to ICMP? :b

Telecom don't run servers; they don't exist in this day.

Spark have plenty that respond to ICMP. Simply not our borders.
This isn't a configuration that is likely to ever change.

I've worked with quite a few international data centres. This configuration was often common there too.

You're still comparing a DNS server to a border router.
Apples compared to bananas, dude...

Honestly, IMO I'd prefer we just didn't waste the cycles on ICMP; while it likely would be next to no difference, there isn't an actual use case past PingPlotter.

Of which, PingPlotter isn't a utility we use.

At this stage, I'm stepping out of this thread.
The policy won't be changed based off this thread, and even if it did that wouldn't be my call.

Our network folk that do feature on here are amazing. They know what they are doing. They have a reason for everything, which might not always fit every customer's needs.


sbiddle, 30853 posts, Uber Geek, Retired Mod
#2056497 15-Jul-2018 16:09

nunz:
hio77:
nunz:
Off the bat: Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack it is those two servers. You crack those and half the world is pwned by you. You DoS them and half the world has its systems crawl to a halt.
How many routers and people use those settings?
If Google can do it for those two, surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.
They may share the same IP, but it is anycast; just as anything Google tends to do, it is very much horizontally scaled, silently.
As noted above by many others, there are plenty of valid reasons for and against it.
Also, it's Spark, not Telecom.
The days when it was one big blob are far past.

Hi,
Was aware it is a distributed system, but it must still be prone to attack.
Are you saying TCom don't run servers which may or may not respond to ICMP? :b

Somebody attacking 8.8.8.8 or 8.8.4.4 would merely take down the local Google DNS node, of which there would be hundreds (if not thousands) worldwide, and the effect could be as minimal as impacting Google DNS requests from a single RSP.

There are a myriad of reasons why ICMP is blocked or heavily deprioritised on core routers, and most of these are discussed in this thread. This is simply regarded as best practice by many, and nothing will change that.


Talkiet, 4793 posts, Uber Geek
#2056550 15-Jul-2018 16:39

sbiddle:
[snip]
There are a myriad of reasons why ICMP is blocked or heavily deprioritised on core routers, and most of these are discussed in this thread. This is simply regarded as best practice by many, and nothing will change that.

To be fair, it's generally only regarded as best practice by those in the industry with experience of dealing with highly scaled networks or services. It just doesn't make sense to end users or those with experience in small business or even enterprise networks.

How often does a business or enterprise run out of CPU on a router (unless it's doing DPI)? Basically never.

I race a cheap Lotus 7 replica and it really frustrates me that the Formula 1 teams do some things that are clearly wrong. I think they should change what they do because, based on what I know, some of their practices are just pointless or even hurt their performance.

Cheers - N

Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

