ICMP can be blocked or allowed, or one can instead allow the good stuff and block the unnecessary stuff. This paper should give the quick details on which is which. Gleaned from Shane Castle on the Security Catalyst forums.
One thought on “the good and bad types of icmp”
Comments are closed.
echo-reply is the most dangerous traffic you can allow outbound (the only direction you should really care about) from your network. although you may get hit with inbound echo-reply if someone targets you. all smurf traffic is echo-reply because it works on the icmp amplification concept, which is the theory behind all reflection attacks (DRDoS, but that GRC.com guy gets a lot things wrong normally). the only sure fire way to prevent outbound echo-reply traffic en-mass is to rate-limit it (or create some sort of complex filter on the tools used to create the traffic). if you rate-limit inbound echo-reply traffic, this does not solve the amplification problem unless used along with a triggered blackhole null route or similar. globally, the solution is spoofing countermeasures.
the second most dangerous icmp type would be unreachables (again, on the outbound). it may be wise to rate-limit these, but certainly be careful with this. again, spoofing countermeasures solve this if globally configured (see rfc2827 and rfc3704 for possible solutions).
there are also other icmp types that you may consider opening, such as squench (source quench). i’m not sure why they removed these, probably because they are rarely in use anymore.
many isp’s have removed the ability to send echo-reply traffic by “protecting the infrastructure“.