Firewall stateful handling of ICMP packets
cbrenton at chrisbrenton.org
Thu Dec 4 11:55:12 UTC 2003
On Wed, 2003-12-03 at 22:09, Jamie Reid wrote:
> This was a problem when filtering Nachi while it pinged networks
> to their knees.
I think the problem was exasperated by the fact that some ISP's
responded by blocking _all_ ICMP. Its bad enough that this killed their
own ability to see if their hardware was up or down, it also amplified
traffic as ICMP errors were no longer returned (due to retransmits and
now being prime address space for spoofing).
> Sometimes I wonder if there is any legitimate reason to allow
> pings from users at all.
This all comes down to the SLA. For home users, you can probably get
away with it. For business level connections, "not knowing" and killing
the service can have financial repercussions.
Of course we're talking about addressing a symptom, not a problem. The
"problem" is not ICMP Type 8's, the problem is systems that are
unprotected and users that can't figure out when the box has been
whacked. Personally, I was bummed that my all Linux/BSD network could
not use Type 8's because my upstream was filtering them due to Windows
boxes getting whacked with Nachi.
A couple of other people mentioned rate limiting. That is probably the
best option. Of course supporting it can drive up hardware costs.
> If the user really needed to use
> ping, that is, if they were in a position to do anything about the
> results of the ping tests, then they would know enough to
> use traceroute in UDP mode or some other tool.
Could be UDP is blocked while type 8's are not. Could be they are on a
Windows box which uses type 8's for tracing rather than UDP.
> There are lots of other useful ICMP types to handle all
> the other ICMP needs, but ping seems to be something
> that was created for the convenience of a kind of user
> that is effectively extinct in todays Internet.
There are a *ton* of companies out there that monitor system up status
via Type 8's over the Internet. I'm not saying its a good idea or that
there are not other options. Just that it would break a ton of business
models if it goes away.
> ICMP echo is unique among ICMP types in that it is the
> only one that elicits it's own response.
What about subnet mask request? time stamp request? Information request?
There are probably others as well.
> There is nothing that echos
> do that SNMP (I know, I know) and traceroute don't
> accomplish in a more controlled fashion, no?
EEEK! SNMP opens up a point of accessing code running on the device. As
for traceroute, if all I'm interested in is the endpoint, I've generated
a ton of unnecessarily traffic. Given an average 15 hop distance between
Internet hosts, that would be 90 traceroute packets to do the job, Vs.
Ping only needing 2. Sure I can tweak the start and stop hop count
(actually Windows does not let you set the min starting hop) to drop
this quantity, but how many users are going to bother?
> It would kill alot of DDoS attacks and render their zombie
> networks useless,
I seem to remember we said the same thing about killing Smurf amplifier
networks. The black hats just changed tactics and started whacking a ton
of hosts. Killing Type 8's will not cure "the problem", as the problem
is totally capable of mutating into something that will still be
effective (like SYN flooding).
More information about the NANOG