Web Application Security
Re: Should or shouldn't block public ping to a website Sep 07 2011 06:15AM
ShiYih Lye (shiyih lye my offgamers com) (2 replies)
Re: Should or shouldn't block public ping to a website Sep 09 2011 10:47PM
John Hall (j hall f5 com)
Re: Should or shouldn't block public ping to a website Sep 09 2011 01:12PM
Andre Correa (andre correa pobox com)

Lye,

as a good practice, I usually selectively allow ICMP traffic. There are
many ICMP types and codes and you don't need or want them all going in
and out of your network.

http://www.iana.org/assignments/icmp-parameters

My suggestion is to permit ICMP types 0, 3, 8, 11, enough to allow
"ping" and Windows traceroute in an IPv4 network.

Hope it helps.

Regards.

Andre

Em 07/09/2011 03:15, ShiYih Lye escreveu:
> hi,
>
> What Todd said is pretty true, and that is what playing in my mind,
> "what does blocking ICMP ping from public will buy me ?"
>
> I have some other suggest me to use TCP traceroute to solve the issue
> of not being able to get the traceroute result from my user during
> troubleshooting. But the problem is, those website user just ordinary
> shopper and they are almost all using Windows machine. Windows default
> tracert is not able to do TCP traceroute, I believe. My site is
> getting more weird routing issue from user around the world recently,
> so I really need to know what part of my user's route is blocking us.
> I can't ask a normal shopper to install network tools to help
> troubleshoot the issue when what they want is a 5 minutes to settle
> their needs. They will just go to other sites.
>
> I think there is not much benefit of dropping ICMP from the public
> compare with the bones it gives, at least for a ebusiness website,
> doesn't it ? Anyone having different view is most welcome to chip in
> your thought :)
>
> Regards,
> Lye
>
> On Tue, Sep 6, 2011 at 11:35 PM, Todd Haverkos<infosec (at) haverkos (dot) com [email concealed]> wrote:
>>
>> ShiYih Lye<shiyih.lye (at) my.offgamers (dot) com [email concealed]> writes:
>>> Hi,
>>>
>>> All this while I'm not allowing any public ping to the website I'm
>>> maintaining, but it's making me tougher to troubleshoot should any
>>> user from the globe having trouble to access our website, as I can't
>>> make them to send a proper traceroute report.
>>>
>>> To your opinion, is it necessary to block public ping to a public
>>> website ? Is this security practice still relevant in today exploit
>>> technology ?
>>>
>>> And if you think it's still necessary, how do I make sure my user's
>>> traceroute still work when all ICMP is dropped from public ?
>>>
>>> Thanks for any input, appreciated that.
>>>
>>> Regards,
>>> Lye
>>
>> I agree with you--it's more headache than it's worth if supporting a
>> public site with lots of users. Your site certainly isn't trying to
>> hide, and attackers don't even need to actively scan to find it
>> (i.e. search indexes surely know about it), you're in public dns
>> likely at www.youdomain.com, vuln scanner's notion of "host aliveness"
>> checks includes trying tcp connections to port 80 and many others.
>> You might miss the crosshairs of _some_ script kiddies by not
>> responding to ping, but really, what will that buy you? Probably next
>> to nothing.
>>
>> On the down side, telling people to "try to telnet to port 80" as a
>> test of connectivity gets old quickly, and the issue you mention of
>> traceroute is another good reason to forgo this anachronism.
>>
>> Of course as soon as we all agree on this, some obtuse overflow on
>> maliciously formed ICMP packets will be discovered next week where
>> denying ICMP will have saved us. Ah, the risk management fun of
>> balancing known and unknown unknowns. :-)
>>
>> Best Regards,
>> --
>> Todd Haverkos, LPT MsCompE
>> http://haverkos.com/
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus