Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Vista
Security Basics
Removing ping/icmp from a network Mar 25 2008 04:29PM
Secure This (lists securethis net) (7 replies)
Re: Removing ping/icmp from a network Mar 26 2008 02:55PM
Jason Thompson (securitux gmail com) (4 replies)
Re: Removing ping/icmp from a network Mar 28 2008 05:02AM
Michael Painter (tvhawaii shaka com)
RE: Removing ping/icmp from a network Mar 26 2008 07:29PM
Joachim Thuau (jthuau heavy-iron com)
Re: Removing ping/icmp from a network Mar 26 2008 07:08PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (2 replies)
On 2008-03-26 Jason Thompson wrote:
> ICMP is not vital for network operation, though it is convenient. PING
> isn't required at all,

Neither is traceroute. Yet I'd hate to be without without either of
them.

> ICMP unreachable messages don't do anything other than notify the
> receiver to stop trying to connect to a destination as it isn't alive
> (the receiver should get a hint of this when his SYN's don't get a SYN
> ACK),

Destination unreachable messages do quite a bit more than "notify the
receiver to stop trying to connect", since they code field carries the
information *why* the destination wasn't reached. Maybe that's not so
important for joe.average@home, but it's pretty darn important for any
network admin.

> ICMP redirects shouldn't happen if your network is structured
> properly, and even if it's not, it just adds an extra hop.

What about "time exceeded"? What about "parameter problem"? What about
"source quench"?

> I don't see any ICMP messages that are a MUST for network operation.

No, they're not a MUST. Connections can also just silently fail, leaving
you as a network admin at a total loss as to *why* they're failing.
Brilliant idea, really.

> That being said, if network monitoring is being done via SNMPv1 or v2
> which isn't secure at all, ICMP is the least of your problems. I agree
> with a few here that you allow ICMP from trusted to untrusted, but not
> vice versa. And definitely NO ICMP from the Internet.

What the heck is so freakin' scary about inbound echo requests? (to
public IP addresses, that is)

ICMP is not "teh evil(tm)". It's a part of the Internet Protocol suite,
and it's there for a reason.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

[ reply ]
Re: Removing ping/icmp from a network Mar 27 2008 04:25PM
Jason (securitux gmail com) (2 replies)
Re: Removing ping/icmp from a network Mar 27 2008 11:29PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Removing ping/icmp from a network Mar 28 2008 04:34PM
Jason (securitux gmail com) (1 replies)
Re: Removing ping/icmp from a network Mar 29 2008 07:35PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Removing ping/icmp from a network Mar 31 2008 10:29PM
Jason (securitux gmail com) (1 replies)
Re: Removing ping/icmp from a network Apr 04 2008 12:28PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (2 replies)
Re: Removing ping/icmp from a network Apr 05 2008 05:17PM
Mark Owen (mr markowen gmail com) (1 replies)
Re: Removing ping/icmp from a network Apr 07 2008 03:27PM
Jason (securitux gmail com)
Re: Removing ping/icmp from a network Apr 05 2008 12:06AM
Jason (securitux gmail com) (1 replies)
Re: Removing ping/icmp from a network Apr 06 2008 02:54PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Removing ping/icmp from a network Apr 07 2008 04:53PM
Jason (securitux gmail com)
Re: Removing ping/icmp from a network Mar 27 2008 05:09PM
Mark Owen (mr markowen gmail com) (2 replies)
Re: Removing ping/icmp from a network Mar 27 2008 06:52PM
Jason (securitux gmail com) (1 replies)
Re: Removing ping/icmp from a network Mar 27 2008 08:49PM
Michael Painter (tvhawaii shaka com) (2 replies)
RE: Removing ping/icmp from a network Mar 28 2008 12:13AM
Craig Wright (Craig Wright bdo com au)
Re: Removing ping/icmp from a network Mar 27 2008 11:48PM
Razi Shaban (razishaban gmail com) (2 replies)
RE: Removing ping/icmp from a network Mar 28 2008 03:07PM
Adewale, Akin (IT Services - Infosec Team) (Akin Adewale capita co uk)
Re: Removing ping/icmp from a network Mar 28 2008 04:27AM
Michael Painter (tvhawaii shaka com) (2 replies)
RE: Removing ping/icmp from a network Mar 28 2008 04:49PM
Ric Messier (kilroy WasHere COM)
Re: Removing ping/icmp from a network Mar 28 2008 04:44PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: Removing ping/icmp from a network Mar 30 2008 01:32AM
Michael Painter (tvhawaii shaka com) (1 replies)
Re: Removing ping/icmp from a network Apr 01 2008 12:13PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
R: Removing ping/icmp from a network Mar 27 2008 06:33PM
Vega - Brunello Ivan (I Brunello vegaspa it)
RE: Removing ping/icmp from a network Mar 26 2008 09:47PM
Craig Wright (Craig Wright bdo com au)
RE: Removing ping/icmp from a network Mar 26 2008 04:24PM
Worrell, Brian (BWorrell isdh IN gov)
RE: Removing ping/icmp from a network Mar 26 2008 12:30AM
Strykar (str hackerzlair org) (2 replies)
RE: Removing ping/icmp from a network Mar 26 2008 11:42PM
Murda Mcloud (murdamcloud bigpond com)
RE: Removing ping/icmp from a network Mar 26 2008 10:50PM
Murda Mcloud (murdamcloud bigpond com)
Re: Removing ping/icmp from a network Mar 25 2008 10:12PM
Ivan . (ivanhec gmail com)
Re: Removing ping/icmp from a network Mar 25 2008 05:53PM
Mark Owen (mr markowen gmail com)
Re: Removing ping/icmp from a network Mar 25 2008 05:32PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: Removing ping/icmp from a network Mar 25 2008 05:17PM
Jon R. Kibler (Jon Kibler aset com) (1 replies)
Re: Removing ping/icmp from a network Mar 26 2008 12:13PM
Secure This (lists securethis net) (1 replies)
DoD aproved disk wiping tool Mar 27 2008 01:31PM
JP Vicente (jvicente asft net) (4 replies)
RE: DoD approved disk wiping tool Mar 27 2008 11:38PM
Steve Armstrong (stevearmstrong logicallysecure com) (1 replies)
Re: DoD approved disk wiping tool Mar 28 2008 04:16PM
Hattrickinc (hattrickinc gmail com)
RE: DoD aproved disk wiping tool Mar 27 2008 07:50PM
Kevin Ortloff (Kevin Ortloff j2global com) (1 replies)
RE: DoD aproved disk wiping tool Mar 27 2008 09:59PM
Arbogast, Paul (Citco) (PArbogast citco com)
Re: DoD aproved disk wiping tool Mar 27 2008 04:56PM
John Syers (jsyers acm org) (1 replies)
Re: DoD aproved disk wiping tool Mar 27 2008 07:20PM
postmaster (postmaster impole com) (1 replies)
Re: DoD aproved disk wiping tool Mar 27 2008 07:18PM
Tremaine Lea (tremaine gmail com)
RE: DoD aproved disk wiping tool Mar 27 2008 03:21PM
Timmothy Lester (Timmothy Lester primeadvisors com)
RE: Removing ping/icmp from a network Mar 25 2008 04:56PM
Hopke, Greg (GHopke libertymgt com) (1 replies)
Re: Removing ping/icmp from a network Mar 25 2008 06:12PM
Mark Owen (mr markowen gmail com) (2 replies)
RE: Removing ping/icmp from a network Mar 26 2008 01:58PM
Ramsdell, Scott (Scott Ramsdell cellnethunt com) (1 replies)
Re: Removing ping/icmp from a network Mar 26 2008 06:44PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
RE: Removing ping/icmp from a network Mar 27 2008 02:19PM
Ramsdell, Scott (Scott Ramsdell cellnethunt com) (1 replies)
Re: Removing ping/icmp from a network Mar 27 2008 02:34PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: Removing ping/icmp from a network Mar 25 2008 08:11PM
Fabio Fagundes (fabio fagundes gmail com)







 

Privacy Statement
Copyright 2008, SecurityFocus