Geekzone: technology news, blogs, forums
1384 posts
Uber Geek
Subscriber
# 239324 12-Jul-2018 10:10

In a recent post I was told ICMP / Pings / Tracert packets were disabled by the ISP. I was told this is good practice.

I know there are ways to attack ICMP (e.g. SMURF), but if the ISP is routing those packets onto other servers, while disabling their servers from responding to the packets, are they not going to experience the same issues of DOS and data overload? Either they should disable ping packet routing (and not just response) or enable the lot, surely. Any thoughts?

There are many valid reasons for deprioritisation of ICMP, just as there are for not responding at all.

How it looks on tools such as PingPlotter is an unfortunate side-effect, however; even PingPlotter supports alternative methods such as Unix-style (UDP) pings that will perform differently.

@hio77

nunz

15255 posts
Uber Geek
Trusted
Subscriber
# 2054821 12-Jul-2018 10:15

There are plenty of good articles about this. One, two, three.


'That VDSL Cat'
11062 posts
Uber Geek
Trusted
Spark
Subscriber
# 2054822 12-Jul-2018 10:17

As above, plenty of valid reasons.

Other folk explained this in that thread who are far closer to the core than I am, too.

#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

3880 posts
Uber Geek
Trusted
Lifetime subscriber
# 2054971 12-Jul-2018 12:56
One person supports this post

To me it's one of those "what's your favourite colour" questions. There isn't a right answer.

With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

Information wants to be free. The Net interprets censorship as damage and routes around it.


'That VDSL Cat'
11062 posts
Uber Geek
Trusted
Spark
Subscriber
# 2054974 12-Jul-2018 12:58

Lias:
To me it's one of those "what's your favourite colour" questions. There isn't a right answer.
With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!

It's like one of those "should you openly peer" questions.

That's one I'm glad I don't have a hand in managing.

So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.

#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


3880 posts
Uber Geek
Trusted
Lifetime subscriber
# 2054978 12-Jul-2018 13:02

hio77:
Lias:
To me it's one of those "what's your favourite colour" questions. There isn't a right answer.
With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!
It's like one of those "should you openly peer" questions.
That's one I'm glad I don't have a hand in managing.
So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.

Nah, only evil companies don't offer free peering :-P

Information wants to be free. The Net interprets censorship as damage and routes around it.




1384 posts
Uber Geek
Subscriber
# 2056456 15-Jul-2018 14:17

hio77:
Lias:
To me it's one of those "what's your favourite colour" questions. There isn't a right answer.
With blocking ICMP there are reasons for and against it; I personally go with "allow it unless it's a very high security environment".

You missed the gold in that one!
It's like one of those "should you openly peer" questions.
That's one I'm glad I don't have a hand in managing.
So many reasons for, so many reasons against; it can be argued both ways depending on situation and use case.

Off the bat: Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack, it is those two servers. You crack those and half the world is pwned by you. You DOS them and half the world has its systems crawl to a halt.

How many routers and people use those settings?

If Google can do it for those two, surely TCom and others can let your router gateway, on their private network, do that.

nunz

'That VDSL Cat'
11062 posts
Uber Geek
Trusted
Spark
Subscriber
# 2056457 15-Jul-2018 14:23

nunz:
Off the bat: Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack, it is those two servers. You crack those and half the world is pwned by you. You DOS them and half the world has its systems crawl to a halt.
How many routers and people use those settings?
If Google can do it for those two, surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.

They may share the same IP, but it is anycast. Just as anything Google tends to do, it is very much horizontally scaled, silently.

As noted above by many others, there are plenty of valid reasons for and against it.

Also, it's Spark, not Telecom.

The days when it was one big blob are far past.

#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

1384 posts
Uber Geek
Subscriber
# 2056470 15-Jul-2018 14:35

timmmay:
There are plenty of good articles about this. One, two, three.

Thanks, am reading. However, I had to note that the first lines of "ICMP, The good, bad and ..." state: "the reasons why this (blocking) is not an effective security measure against any level of targeted attack, and side effects of blocking ICMP that break legitimate network functionality"

and link two: "...required by IPv6 to operate normally...."

That and the general consensus that it decreases network efficiency (by removing packet information and routing options) means it should be left running (but malicious packets filtered).

That's especially true of the fragmentation messages that TCP/IP can't work around, leading to excessive packets being sent and never arriving.

nunz
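One way to express the "leave it running but filter the malicious packets" position in a border policy, as an added example that is not from this thread or any of its posters: it keeps the ICMP types that path MTU discovery and IPv6 neighbour discovery depend on, rate-limits ping, and drops everything else. It assumes nftables as the firewall; the chain name and rate limit are placeholders.

```python
# Added example (not from the thread): an ICMP/ICMPv6 border policy that keeps
# the messages PMTUD and IPv6 depend on, rate-limits ping, and drops the rest.
# Type numbers are from RFC 792 and RFC 4443; the accept/drop choices follow
# the RFC 4890-style advice the linked articles summarise. Chain name and
# rate are hypothetical placeholders.

# IPv4: type 3 carries "fragmentation needed" (code 4) with the next-hop MTU,
# which is exactly what a host loses when the message is dropped en route.
ICMP4_ACCEPT = {3: "destination-unreachable", 11: "time-exceeded",
                12: "parameter-problem"}
ICMP4_RATELIMIT = {8: "echo-request", 0: "echo-reply"}
# Not listed (so dropped): source quench (4), redirect (5), timestamp (13/14),
# address mask (17/18) - deprecated or of no use at a border.

# IPv6: packet-too-big (2) is PMTUD; 133-136 are neighbour discovery, without
# which the link does not work at all ("required by IPv6 to operate normally").
# ND types are link-local only, so a real chain would also scope them to fe80::/10.
ICMP6_ACCEPT = {1: "destination-unreachable", 2: "packet-too-big",
                3: "time-exceeded", 4: "parameter-problem",
                133: "nd-router-solicit", 134: "nd-router-advert",
                135: "nd-neighbor-solicit", 136: "nd-neighbor-advert"}
ICMP6_RATELIMIT = {128: "echo-request", 129: "echo-reply"}


def icmp_action(family, icmp_type):
    """Return 'accept', 'ratelimit' or 'drop' for one ICMP type (family 4 or 6).
    Anything not explicitly listed is dropped, so unknown types fail closed."""
    accept, limited = {4: (ICMP4_ACCEPT, ICMP4_RATELIMIT),
                       6: (ICMP6_ACCEPT, ICMP6_RATELIMIT)}[family]
    if icmp_type in accept:
        return "accept"
    if icmp_type in limited:
        return "ratelimit"
    return "drop"


def nft_rules(rate="10/second"):
    """Render the policy as nftables rule lines for an input chain; the chain
    itself (hypothetical 'inet filter input' with policy drop) is assumed."""
    rules = []
    for proto, accept, limited in (("icmp", ICMP4_ACCEPT, ICMP4_RATELIMIT),
                                   ("icmpv6", ICMP6_ACCEPT, ICMP6_RATELIMIT)):
        for name in accept.values():
            rules.append(f"{proto} type {name} accept")
        for name in limited.values():
            rules.append(f"{proto} type {name} limit rate {rate} accept")
    # No explicit drop rules: the chain's default policy drop covers the rest.
    return rules


if __name__ == "__main__":
    print("\n".join(nft_rules()))
```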



1384 posts
Uber Geek
Subscriber
# 2056477 15-Jul-2018 14:53

hio77:
nunz:
Off the bat: Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack, it is those two servers. You crack those and half the world is pwned by you. You DOS them and half the world has its systems crawl to a halt.
How many routers and people use those settings?
If Google can do it for those two, surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.
They may share the same IP, but it is anycast. Just as anything Google tends to do, it is very much horizontally scaled, silently.
As noted above by many others, there are plenty of valid reasons for and against it.
Also, it's Spark, not Telecom.
The days when it was one big blob are far past.

Hi,

Was aware it is a distributed system, but it must still be prone to attack.

Are you saying TCom don't run servers which may or may not respond to ICMP? :b

nunz

'That VDSL Cat'
11062 posts
Uber Geek
Trusted
Spark
Subscriber
# 2056480 15-Jul-2018 15:06
One person supports this post

nunz:
Hi,
Was aware it is a distributed system, but it must still be prone to attack.
Are you saying TCom don't run servers which may or may not respond to ICMP? :b

Telecom don't run servers; they don't exist in this day.

Spark have plenty that respond to ICMP. Simply not our borders.
This isn't a configuration that is likely to ever change.

I've worked with quite a few international data centres. This configuration was often common there too.

You're still comparing a DNS server to a border router.
Apples compared to bananas, dude...

Honestly, IMO I'd prefer we just didn't waste the cycles on ICMP; while it likely would be next to no difference, there isn't an actual use case past PingPlotter.

Of which, PingPlotter isn't a utility we use.

At this stage, I'm stepping out of this thread.
The policy won't be changed based off this thread, and even if it did, that wouldn't be my call.

Our network folk that do feature on here are amazing. They know what they are doing. They have a reason for everything, which might not always fit every customer's needs.

#include <std_disclaimer>
Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


28278 posts
Uber Geek
Moderator
Trusted
Biddle Corp
Lifetime subscriber
# 2056497 15-Jul-2018 16:09

nunz:
hio77:
nunz:
Off the bat: Google DNS (8.8.8.8 and 8.8.4.4) respond. If anything was liable to attack, it is those two servers. You crack those and half the world is pwned by you. You DOS them and half the world has its systems crawl to a halt.
How many routers and people use those settings?
If Google can do it for those two, surely TCom and others can let your router gateway, on their private network, do that.

Those "two servers" are not two.
They may share the same IP, but it is anycast. Just as anything Google tends to do, it is very much horizontally scaled, silently.
As noted above by many others, there are plenty of valid reasons for and against it.
Also, it's Spark, not Telecom.
The days when it was one big blob are far past.

Hi,
Was aware it is a distributed system, but it must still be prone to attack.
Are you saying TCom don't run servers which may or may not respond to ICMP? :b

Somebody attacking 8.8.8.8 or 8.8.4.4 would merely take down the local Google DNS node, of which there would be hundreds (if not thousands) worldwide, and the effect could be as minimal as impacting Google DNS requests from a single RSP.

There are a myriad of reasons why ICMP is blocked or heavily deprioritised on core routers, and most of these are discussed in this thread. This is simply regarded as best practice by many, and nothing will change that.

4201 posts
Uber Geek
Trusted
# 2056550 15-Jul-2018 16:39
3 people support this post

sbiddle:
[snip]
There are a myriad of reasons why ICMP is blocked or heavily deprioritised on core routers, and most of these are discussed in this thread. This is simply regarded as best practice by many, and nothing will change that.

To be fair, it's generally only regarded as best practice by those in the industry with experience of dealing with highly scaled networks or services. It just doesn't make sense to end users or those with experience in small business or even enterprise networks.

How often does a business or enterprise run out of CPU on a router (unless it's doing DPI)? Basically never.

I race a cheap Lotus 7 replica and it really frustrates me that the Formula 1 teams do some things that are clearly wrong. I think they should change what they do because, based on what I know, some of their practices are just pointless or even hurt their performance.

Cheers - N

--
Please note all comments are the product of my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

