[lug] drop vs reject - ping?

Nate Duehr nate at natetech.com
Mon Sep 24 23:27:21 MDT 2007


gordongoldin at aim.com wrote:
> I also thought [dropping was better than reject] was better from a security
> perspective.  ...  No reply "hides" the server and might prevent
> further attempts.
>
> This is what I have read.
>
> Also, I have seen a recommendation to "tighten down" ping cause it has
> been used in DOS "overwhelm with traffic" attacks.
>
> But then I have wasted much time trying to ping something before finding
> that ping wouldn't work anyway...  ;-)

Since PING uses "unintended features" of ICMP, you're usually really 
blocking inbound ICMP Echo-Request packets at firewalls if you're 
"blocking PING".  (Ping is just one implementation of how to use the 
protocol and packets.  The good old "Packet InterNet Groper"...)

(And "dig" is the DNS Internet Groper... of course.  GRIN...)

Blocking Echo-Request is reasonable in most cases, but blocking *all* 
ICMP protocol packets can lead to unintentional collateral damage or 
problems with your network.  Not huge problems always, but some things 
need certain ICMP responses to work properly.  (Path MTU detection being 
a commonly seen one, that helps your path to/from the far-end machine 
quite a bit, but that the routers in-between can "fix" if you're 
fragmenting packets.  Not a big deal, just not "ideal".)

Nate
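Added example, not code from the thread: a minimal ICMP header parser with the kind of filtering policy Nate describes, dropping inbound Echo-Request silently while letting through the Destination Unreachable / Fragmentation Needed messages that Path MTU Discovery relies on. Type and code numbers are from RFC 792 and RFC 1191; the packets are constructed test data, and the POLICY allowlist is an assumption of this example, not a rule from the mail.

```python
import struct

# ICMP (type, code) pairs from RFC 792; Fragmentation Needed is what RFC 1191 PMTUD uses
ECHO_REQUEST = (8, 0)
FRAG_NEEDED = (3, 4)
TIME_EXCEEDED_TTL = (11, 0)

# Assumed policy for this example: Echo-Request is silently dropped, the ICMP
# errors that PMTUD and traceroute need are allowed, everything else is dropped.
POLICY = {ECHO_REQUEST: "DROP", FRAG_NEEDED: "ACCEPT", TIME_EXCEEDED_TTL: "ACCEPT"}
DEFAULT = "DROP"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Constructed test packet: 8-byte header (type, code, checksum, 4 'rest' bytes) + payload."""
    unsummed = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unsummed)) + rest + payload


def parse_icmp(pkt: bytes) -> tuple:
    """Return (type, code); reject truncated headers and bad checksums."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(pkt) != 0:  # a valid packet sums to 0xFFFF, whose complement is 0
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", pkt[:2])
    return icmp_type, code


def next_hop_mtu(pkt: bytes) -> int:
    """For Fragmentation Needed, the router puts its next-hop MTU in header bytes 6-7 (RFC 1191)."""
    if parse_icmp(pkt) != FRAG_NEEDED:
        raise ValueError("not a Fragmentation Needed message")
    return struct.unpack("!H", pkt[6:8])[0]


def verdict(pkt: bytes) -> str:
    """Firewall decision for one inbound ICMP packet; malformed packets are dropped."""
    try:
        key = parse_icmp(pkt)
    except ValueError:
        return "DROP"
    return POLICY.get(key, DEFAULT)
```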
