[lug] drop vs reject - ping?
Nate Duehr
nate at natetech.com
Mon Sep 24 23:27:21 MDT 2007
gordongoldin at aim.com wrote:
> I also thought [dropping was better than reject] was better from a security
> perspective. ... No reply "hides" the server and might prevent
> further attempts.
>
> This is what I have read.
>
> Also, I have seen a recommendation to "tighten down" ping cause it has
> been used in DOS "overwhelm with traffic" attacks.
>
> But then I have wasted much time trying to ping something before finding
> that ping wouldn't work anyway... ;-)
Since PING uses "unintended features" of ICMP, you're usually really
blocking inbound ICMP Echo-Request packets at firewalls, if you're
"blocking PING". (Ping is just one implementation of how to use the
protocol and packets. The good old "Packet InterNet Groper"...
And "dig" is the DNS Internet Groper... of course. GRIN...)

Blocking Echo-Request is reasonable in most cases, but blocking *all*
ICMP protocol packets can lead to unintentional collateral damage or
problems with your network. Not huge problems always, but some things
need certain ICMP responses to work properly. (Path MTU detection being
a commonly seen one, that helps your path to/from the far-end machine
quite a bit, but that the routers in-between can "fix" if you're
fragmenting packets. Not a big deal, just not "ideal".)
Nate
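The policy Nate describes (silently drop inbound Echo-Request, but let the ICMP messages that Path MTU discovery and error reporting depend on through) can be checked against real packet bytes. The following is an added example, not code from the thread or from any list member: it parses the ICMPv4 header, verifies the RFC 1071 checksum, pulls the next-hop MTU out of a "Fragmentation Needed" message, and returns the verdict a firewall following that advice would give. The sample packets are constructed inline for the demo; the type and code numbers are the standard IANA ICMPv4 assignments, and the iptables lines in the comments are the stateless equivalent of the same policy.

```python
"""Simulate the ICMP filter policy discussed above (added example)."""
import struct

# ICMPv4 type/code values (IANA)
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
FRAG_NEEDED = 4          # code under type 3: fragmentation needed and DF set
ECHO_REQUEST = 8
TIME_EXCEEDED = 11

# Stateless iptables equivalent of filter_icmp() below (reference only, not run):
#   iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
#   iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
#   iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#   iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
#   iptables -A INPUT -p icmp -j DROP


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Construct an ICMPv4 message with a correct checksum (demo helper)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    csum = icmp_checksum(body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + payload


def parse_icmp(msg: bytes):
    """Return (type, code, checksum_ok, next_hop_mtu). MTU is None unless 3/4."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum = struct.unpack("!BBH", msg[:4])
    checksum_ok = icmp_checksum(msg) == 0   # a valid message sums to zero
    mtu = None
    if icmp_type == DEST_UNREACHABLE and code == FRAG_NEEDED:
        mtu = struct.unpack("!H", msg[6:8])[0]  # RFC 1191: bytes 6-7 hold next-hop MTU
    return icmp_type, code, checksum_ok, mtu


def filter_icmp(msg: bytes) -> str:
    """Verdict for one inbound ICMP message: "ACCEPT" or "DROP".

    Nothing is ever rejected with an error reply; the point made in the thread is
    that a silent drop gives a scanner nothing to learn from, while the messages
    that Path MTU discovery needs (type 3 code 4) are still let through.
    """
    try:
        icmp_type, code, checksum_ok, mtu = parse_icmp(msg)
    except ValueError:
        return "DROP"
    if not checksum_ok:
        return "DROP"                       # truncated, corrupted or forged header
    if icmp_type == DEST_UNREACHABLE and code == FRAG_NEEDED:
        return "ACCEPT"                     # keeps PMTU discovery working
    if icmp_type in (TIME_EXCEEDED, ECHO_REPLY):
        return "ACCEPT"                     # traceroute replies, our own pings
    if icmp_type == ECHO_REQUEST:
        return "DROP"                       # "block ping": drop, do not reject
    return "DROP"                           # everything else, incl. other type 3 codes


def corrupt(msg: bytes) -> bytes:
    """Flip the last byte so the checksum no longer verifies (constructed case)."""
    damaged = bytearray(msg)
    damaged[-1] ^= 0xFF
    return bytes(damaged)


# Constructed sample packets (identifier 0x1234, sequence 1 for the echo pair;
# the frag-needed message carries next-hop MTU 1400 and a dummy 28-byte IP header).
SAMPLES = {
    "echo-request": build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"),
    "echo-reply": build_icmp(ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh"),
    "frag-needed": build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, struct.pack("!HH", 0, 1400),
                              b"\x45" + b"\x00" * 27),
    "time-exceeded": build_icmp(TIME_EXCEEDED, 0),
}
SAMPLES["corrupt"] = corrupt(SAMPLES["echo-reply"])

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-14s -> %s" % (name, filter_icmp(pkt)))
```

Accepting every inbound Echo-Reply is what a stateless rule set does; a stateful firewall would instead match replies to the Echo-Requests it saw leave, which narrows that rule without changing the rest of the policy.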