Web Application Security
RE: Should or shouldn't block public ping to a website Sep 14 2011 09:38AM
Martin O'Neal (martin oneal corsaire com)

> I think the point of a number of previous posters
> is that there ARE requirements for certain of the
> ICMP subcodes in order for the Internet to work
> properly - ICMP Do not fragment being one which
> is required for Path MTU discovery, for example.
> Stuff still works without it, but not as well as
> it could with it allowed.
>
> Rogan

Hey chap!

ICMP is not universally a bad thing; however, for the web server example
that started the thread:

There are some outbound ICMP messages that shouldn't be filtered,
because they genuinely make things work better (tm).

This is also true for a collection of inbound/outbound ICMP and the
last-hop router.

However, inbound ICMP to the web server itself? Not really.

For the explicit example of packet size and PMTUD, I have personally
found that MSS tweaking is a more practical solution to the challenge
(at least until a better solution is ratified). In practice it works
well enough, and needs no more than the explicit TCP port to be exposed.
PMTUD, in comparison, is a poorly designed solution which leaves a site
open to potential attacks, such as those used in CAN-2004-1060.

Martin...
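The MSS tweaking described above works by rewriting the MSS option on the TCP SYN so the peer never sends segments larger than the path can carry, which is why only the exposed TCP port is needed and no inbound ICMP has to reach the server. As an added illustration (not code from the post or the list), here is a small Python routine that parses TCP options and clamps the MSS; the interface MTU and the sample SYN options are constructed values.

```python
"""What an MSS clamp does to a TCP SYN (added example, not from the post).

Parses the options field of a TCP header and rewrites the MSS option
(kind 2) so it never exceeds what the local MTU can carry. This is the
mechanism behind "MSS tweaking" as an alternative to relying on PMTUD.
"""
import struct
from typing import Optional, Tuple

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits in one IPv4 packet of size mtu."""
    return mtu - IP_HDR - TCP_HDR


def clamp_mss(tcp_options: bytes, mtu: int) -> Tuple[bytes, Optional[int]]:
    """Walk the TCP option list; if an MSS option is larger than the MTU
    allows, rewrite it in place. Returns (new_options, mss_after), where
    mss_after is None when the SYN carries no MSS option."""
    limit = mss_for_mtu(mtu)
    out = bytearray(tcp_options)
    i = 0
    found = None
    while i < len(out):
        kind = out[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad option length")
        if kind == 2 and length == 4:   # MSS option: kind, len, 16-bit value
            mss = struct.unpack("!H", out[i + 2:i + 4])[0]
            if mss > limit:
                out[i + 2:i + 4] = struct.pack("!H", limit)
                mss = limit
            found = mss
        i += length
    return bytes(out), found


# Constructed SYN options: MSS 1460, NOP, NOP, SACK-permitted, NOP, wscale 7
SAMPLE_OPTIONS = bytes.fromhex("020405b4" "0101" "0402" "01" "030307")

if __name__ == "__main__":
    new, mss = clamp_mss(SAMPLE_OPTIONS, mtu=1400)
    print(new.hex(), mss)   # MSS rewritten from 1460 to 1360
```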

