Hi everybody,
Right now, we are blocking pings and traceroutes to our website. But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them... Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?
Thanks, JD
On 1/23/09, John Doe jdmls@yahoo.com wrote:
<snip>
Can't help you on that specific question. However, do you have the luxury of having your members come from a block of IPs, so that you could open pings to that block only? Even if it included more than just your members (i.e. all pings from a particular ISP or geographical area), at least it would reduce your visibility and thus your vulnerability, should it be an issue.
Jacques B.
On Fri, Jan 23, 2009 at 12:41 PM, in message <a937d2190901230941v363570e3u4f64d942f847e2bb@mail.gmail.com>, "Jacques B." <jjrboucher@gmail.com> wrote:
<snip>
Blocking ping has always been a pet peeve of mine. Aside from violating RFC-1122 (section 3.2.2.6, Echo Request/Reply, RFC-792: "Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies."), it provides *no* additional security and makes troubleshooting network issues that much more difficult.
This was on an ipfw list:
"Also, when blocking incoming ICMP requests and replies, please, please, *please* take care to NOT block type 3 (destination unreachable) - blocking 'need to fragment' packets (type 3, code 4) is a way to instant gratification, if your idea of gratification is being a blackhole router which breaks the Path MTU discovery for any poor soul who decides (or simply has to) route through you, and for your own outgoing connections, too.
Other useful ICMP types are 0 (echo/ping reply), 4 (source quench, for throttling down (usually) TCP connections if some device further down the path cannot handle the packet rate), 8 (echo/ping request), 30 (Windows traceroute), but you *could* block those without much harm to the TCP/IP protocol stack, the only thing harmed would be functionality - e.g. blocking types 0 and 8 would deprive you of pings, blocking type 30 would stop Windows traceroute from working, blocking type 4 would mean that TCP connections going over a much slower link somewhere down the line would be additionally slowed down by lots of retransmissions instead of simply bringing down the packet rate. However, whatever you block, please don't block type 3 code 4, and better not block any of the type 3's :) "
my $0.02
Tony Placilla <aplacilla@jhu.edu>
Sr. UNIX Systems Administrator
The Sheridan Libraries
Johns Hopkins University
However do you have the luxury of having your members coming from a block of IPs
World wide website... so it is either everything or nothing...
Blocking ping has always been a pet peeve of mine. Aside from violating RFC-1122 (section 3.2.2.6, Echo Request/Reply, RFC-792: "Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies."), it provides *no* additional security and makes troubleshooting network issues that much more difficult.
So I guess I will look into adding these rules into shorewall.
Thx for all the answers, JD
John Doe wrote:
<snip>
A denial of service by ping flooding is going to swamp your connection whether or not your server ignores them. If you're paranoid, you can use iptables to rate limit ICMP responses.
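The two pieces of advice above, Tony's quoted list of ICMP types that must stay open (type 3, and code 4 in particular) and the suggestion to rate-limit pings with iptables instead of dropping them, as one concrete ruleset. This is an added example, not code from the thread or from any of its posters. It assumes a Linux host with iptables and the conntrack and limit matches; the interface name eth0, the 5/second rate and the burst of 20 are placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread: ICMP input policy that keeps Path MTU
# discovery and traceroute working while capping the rate of echo requests.
# Assumptions: Linux with iptables, conntrack and limit matches available.
# With no argument the script prints the rules for review; with "apply"
# (as root) it loads them.

WAN_IF="${WAN_IF:-eth0}"            # assumed external interface name
PING_RATE="${PING_RATE:-5/second}"  # placeholder rate for echo requests
PING_BURST="${PING_BURST:-20}"      # placeholder burst allowance

MODE="${1:-print}"

ipt() {
    # Print the command in review mode, execute it in apply mode.
    if [ "$MODE" = "apply" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

icmp_rules() {
    # A dedicated chain keeps the ICMP policy easy to audit and to flush.
    ipt -N ICMP_IN
    # Type 3 (destination unreachable) must always pass: code 4, "fragmentation
    # needed", carries Path MTU discovery. Dropping it makes this host a PMTU
    # black hole for its own connections and for anyone routed through it.
    ipt -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
    # Type 11 (time exceeded) is what traceroute depends on for its replies.
    ipt -A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT
    # Echo requests are answered, but only up to PING_RATE: a flood still
    # fills the link, yet the kernel no longer spends its time replying.
    ipt -A ICMP_IN -p icmp --icmp-type echo-request \
        -m limit --limit "$PING_RATE" --limit-burst "$PING_BURST" -j ACCEPT
    ipt -A ICMP_IN -p icmp --icmp-type echo-request -j DROP
    # Everything else (unsolicited echo replies, source quench, ...) is dropped.
    ipt -A ICMP_IN -j DROP
    # Hook the chain into INPUT. ESTABLISHED,RELATED goes first so replies and
    # ICMP errors belonging to our own connections never reach ICMP_IN.
    ipt -A INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p icmp -j ICMP_IN
}

icmp_rules
```

Run it with no arguments to see the rules, or `sh icmp-rules.sh apply` as root to load them. On a shorewall host the same policy belongs in shorewall's own rules file, since shorewall rebuilds the iptables chains on restart. A quick check afterwards from an outside machine: `ping -M do -s 1472 <host>` should get either replies or a "Frag needed" message, never silence.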
On Fri, Jan 23, 2009 at 12:16 PM, John Doe jdmls@yahoo.com wrote:
<snip>
Our two web sites do permit ping. I like to ping them from time to time, for various reasons. Both have dedicated IP addresses. The one time one of our sites was attacked, years ago, was someone connecting to the POP3 server every second. Nothing to do with ping or traceroutes.
However, I do not permit our ADSL router at home to be pinged. For security reasons, I think allowing it to be pinged just increases the possibility someone might try to get in.
As a previous reply stated, it may be against the rules to turn it off for your web site.
On Fri, Jan 23, 2009, Lanny Marcus wrote:
<snip>
We generally allow ping at the sites we support, but don't rely on pings to test for systems being alive.
We test system status by doing an xmlrpc call to their web server which should return some useful information in addition to making sure that the system is actually responding to something useful (NICs may return pings even if the underlying system is hung).
Many of our customers' roaming users connect with their home system using OpenVPN, thus being able to access their systems where they might otherwise be blocked.
Bill
On Fri, Jan 23, 2009 at 7:53 PM, Bill Campbell centos@celestial.com wrote:
On Fri, Jan 23, 2009, Lanny Marcus wrote:
<snip>
We generally allow ping at the sites we support, but don't rely on pings to test for systems being alive.
We test system status by doing an xmlrpc call to their web server which should return some useful information in addition to making sure that the system is actually responding to something useful (NICs may return pings even if the underlying system is hung).
<snip>
Bill: For xmlrpc to work, what do I need to install on my Desktop? Does something need to be installed on the web server also? TIA, Lanny