[CentOS] Ping and traceroute...

Tony Placilla aplacil1 at jhuadig.admin.jhu.edu
Fri Jan 23 17:54:41 UTC 2009



>>> On Fri, Jan 23, 2009 at 12:41 PM, in message
<a937d2190901230941v363570e3u4f64d942f847e2bb at mail.gmail.com>, "Jacques B."
<jjrboucher at gmail.com> wrote: 
> On 1/23/09, John Doe <jdmls at yahoo.com> wrote:
>> Hi everybody,
>>
>> Right now, we are blocking pings and traceroutes to our website.
>> But, in order for our members to test the connection when they are
>> experiencing slow browsing, we are thinking about unblocking them...
>> Are there still any security issues (flooding, etc...) in enabling them or
>> is that an old problem fixed a long time ago?
>>
>> Thanks,
>> JD
> 
> Can't help you on that specific question.  However do you have the
> luxury of having your members coming from a block of IPs so you could
> open pings to that block only.  Even if it included more than just
> your members (i.e. all pings from a particular ISP or geographical
> area) at least it would reduce your visibility thus reduce your
> vulnerability should it be an issue.
> 
> Jacques B.

Blocking ping has always been a pet peeve of mine. Aside from violating RFC-1122 (3.2.2.6 Echo Request/Reply: RFC-792 "Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies."), it provides *no* additional security & makes troubleshooting network issues that much more difficult.

This was on an ipfw list:

"Also, when blocking incoming ICMP requests and replies, please, please,
*please* take care to NOT block type 3 (destination unreachable) -
blocking 'need to fragment' packets (type 3, code 4) is a way to instant
gratification, if your idea of gratification is being a blackhole router
which breaks the Path MTU discovery for any poor soul who decides (or
simply has to) route through you, and for your own outgoing connections,
too.

Other useful ICMP types are 0 (echo/ping reply), 4 (source quench, for
throttling down (usually) TCP connections if some device further down
the path cannot handle the packet rate), 8 (echo/ping request), 30
(Windows traceroute), but you *could* block those without much harm to
the TCP/IP protocol stack, the only thing harmed would be functionality
- e.g. blocking types 0 and 8 would deprive you of pings, blocking type
30 would stop Windows traceroute from working, blocking type 4 would
mean that TCP connections going over a much slower link somewhere down
the line would be additionally slowed down by lots of retransmissions
instead of simply bringing down the packet rate. However, whatever you
block, please don't block type 3 code 4, and better not block any of the
type 3's :) "

my $0.02


Tony Placilla <aplacilla at jhu.edu>
Sr. UNIX Systems Administrator
The Sheridan Libraries
Johns Hopkins University
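An iptables policy that follows the advice in this thread, as an added example that is not part of the original posts: it never blocks type 3 (so Path MTU discovery keeps working), accepts the other ICMP types the ipfw quote calls useful, lets the members' address block (Jacques' suggestion) ping without limit while rate-limiting everyone else's echo requests, and makes the host answer the last hop of a classic UDP traceroute. Everything specific here is my assumption, not the thread's: CentOS with iptables, the members' block 203.0.113.0/24 (a documentation range), the chain name ICMP_IN, the dry-run wrapper `run`, and an OUTPUT chain left at its default ACCEPT so echo replies and port-unreachables can leave the host.

```shell
#!/bin/sh
# Added example, not from the thread. ICMP firewall policy for a public web
# host on CentOS following the advice above. Assumptions (mine): members come
# from MEMBER_NET, the chain is called ICMP_IN, and OUTPUT is ACCEPT so the
# host can send echo replies and unreachables back. With APPLY=1 the rules
# are executed; otherwise they are printed for review (dry run).

MEMBER_NET="${MEMBER_NET:-203.0.113.0/24}"   # assumed documentation range
IPT="${IPT:-iptables}"

# Execute an iptables rule, or print it when not applying.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

icmp_policy() {
    # Keep ICMP handling in its own chain so it can be listed and flushed alone.
    run -N ICMP_IN
    run -A INPUT -p icmp -j ICMP_IN

    # Type 3 (destination unreachable) is never blocked: code 4 "fragmentation
    # needed" is what Path MTU discovery depends on. On a router the same rule
    # belongs in FORWARD as well.
    run -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT

    # Type 11 (time exceeded): TTL errors for this host's own outgoing packets,
    # which is what traceroute run from this host relies on.
    run -A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT

    # Type 4 (source quench): harmless to accept, costly to lose (see the quote).
    run -A ICMP_IN -p icmp --icmp-type source-quench -j ACCEPT

    # Type 0 (echo reply): only replies to pings this host sent (ICMP conntrack
    # marks those ESTABLISHED); unsolicited replies fall through to DROP.
    run -A ICMP_IN -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT

    # Type 8 (echo request): the members' block is always answered ...
    run -A ICMP_IN -p icmp --icmp-type echo-request -s "$MEMBER_NET" -j ACCEPT
    # ... everyone else is answered at most 5/s (burst 20), so a ping flood
    # costs no more than that; excess requests fall through to the DROP below.
    run -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 20 -j ACCEPT

    # Anything else ICMP (redirects, timestamp, ...) is dropped silently.
    run -A ICMP_IN -j DROP

    # Classic UDP traceroute probes ports 33434 and up; rejecting them with
    # port-unreachable (instead of dropping) lets this host show up as the
    # final hop in the members' traceroute output.
    run -A INPUT -p udp --dport 33434:33534 -j REJECT --reject-with icmp-port-unreachable
}

icmp_policy
```

Run it once without APPLY to read the ten rules it would install, then `APPLY=1 sh icmp-policy.sh` as root to load them. The rule order inside ICMP_IN matters: the unlimited members' rule sits before the rate-limited one, and the limit rule only matches while under budget, so an echo flood from outside the members' block is shed by the final DROP rather than answered.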


