What are reasons to disallow ICMP on my server?

ICMP consists of a large collection of commands. Disallowing all of those will break your network in strange ways.

ICMP allows things like "traceroute" and "ping" (ICMP echo request) to work. Thus that part is quite useful for normal diagnostics. It also is used for feedback when you run a DNS server (port unreachable) which, in a modern DNS server, may actually help select a different machine to query faster.

ICMP is used for path MTU discovery. Chances are your OS sets "DF" (do not fragment) on TCP packets it sends. It is expecting to get an ICMP "fragmentation required" packet back if something along the path fails to handle that size of packet. If you block all ICMP, your machine will have to use other fallback mechanisms, which basically use a timeout to detect a PMTU "black hole" and will never optimize correctly.

There are probably a few more good reason to enable most of ICMP.

Now as your question why to disable:

Reasons to disable part of ICMP are:

  • Protection from old style worms which used ICMP echo request (aka ping) to see if a host was alive before trying to attack it. These days, a modern worm tries it anyways, making that no longer effective.
  • Hiding your infrastructure. If you want to do this, then please block it at the edge of your network. Not on every single computer. That will just cause your admin to pull all the hair from his or her head in frustration when something goes wrong and all the normal analysis tools fail. (In this case: Amazon could block it at the edge of the cloud).
  • Denial of service attacks based on ICMP. Handle these the same as other DOS attacks: Rate limit.
  • The only valid one: If you are on an unsafe network, you might want to block or disable the router has changed command. Obfix: use your servers on a safe network.

Note that there are 'server hardening' manuals out there that advise to block ICMP. They are wrong (or at least not detailed enough). They fall in the same category as wireless 'security' via MAC filtering or hiding the SSID.

Tags:

Security

Administration

Icmp

Ubuntu Server

Related

How do I calculate the total difference between two columns of figures in Google spreadsheet/Excel? How to copy the text displayed in an HTML dropdown list (<select>)? Find all videos less than x seconds in length Connect to two LAN networks with a single card What processes, if any, exist between PIDs 0 and 4 on Windows 7? Sublime Text 2: Disable cursor position overwriting characters (like vim replace mode) Port Forwarding to a VMware Workstation Virtual Machine Is there any way to turn on my "Out of Office" automatic replies when an event in the calendar is marked "out of office"? ffmpeg/avconv force scaled output to be divisible by 2 VirtualBox - guest Ubuntu loses DNS when host connects to VPN Find filenames with certain pattern on Windows command line? Is there a way to supress any interactive prompts in a PowerShell script?

Recent Posts