View Full Version : ICMP or no ICMP
Kawshen 06-06-2002, 03:18 AM A friend of mine suggested that I disable ICMP via IPChains.
Is there any reason why I should not keep it enabled? (Note: I'm the only one with administrative access to my server.)
blazenet 06-06-2002, 03:56 AM It is good to disable it, if you don't really need to ping your server...
ICMP is a protocol used for sending ping requests... it can never be a bad thing to disable it, or allow a max of 3 requests / minute or sth...
RackMy.com 06-06-2002, 06:23 AM Apparently, you should not block all ICMP. Here is the whole debate that took place a while back:
http://www.webhostingtalk.com/showthread.php?threadid=40887&highlight=ICMP+ipsec
Kawshen 06-06-2002, 07:39 PM That debate kind of went over my head there. I'm still a novice at this server admin stuff.
I talked to another friend and he said I should drop ICMP also since it causes too many problems.
I have the IPChains firewall and I was wondering if I should shut it off completely or only make it accessible to trusted people or something.
spock 06-06-2002, 09:17 PM ICMP is used for other things than ping replies; there are a number of different types of ICMP packets. Many of these packet types can be used for scanning and/or DoS purposes, which is why people block them. While you can safely block most ICMP packet types it's generally considered a bad idea to disable all ICMP traffic because some of these packet types are important for proper and efficient network operation. Other types of packets are not important but very useful for troubleshooting and can be allowed selectively or rate-limited.
Opinions about exactly what types of packets to allow and what types to block differ, but blocking them all is not a good solution. It may eliminate any security risk associated with this protocol - but the same thing could be said about blocking all TCP traffic, and you wouldn't want to do that...
x86brandon 06-06-2002, 10:33 PM My whole take on the ICMP thing is to block/not respond to oversized packets. A normal size ping can be harmless unless you are sending it at an alarming rate. Even so, at 56 bytes.. you need to be sending a lot of packets to equal any sort of harmful bandwidth. Blocking all types of ICMP can stop traceroutes as well... just a thought... Just my 2 cents.
Studio64 06-08-2002, 01:52 AM Kawshen:
Ok... Let's try to clarify this.... ICMP good or bad....
Well... It really depends on a lot of things...
Blocking ICMP will inadvertently diminish the effectiveness of other protocols that rely on it to relay information that isn't permitted in its native protocol...
So... If this server isn't designed to be a high performance machine (i.e. in internet i/o)... You should be fine....
The better thing would be to find some software that would filter it on the receiving end. Filter out malformed/oversized ICMP packets. Filter packets that arrive from the same source too many times over a period of time etc....
Essentially a firewall :D
My $.02..... Someone flame me and tell me I'm wrong....
bacid 06-08-2002, 07:35 AM I don't see a point in blocking ICMP for one reason.. most ppl block it cuz they think it will prevent them from being DOSed.. which it will and it won't.. sure the packets won't get responded to meaning the impact won't be as bad, however bandwidth is still being used because the traffic is passing the router and hitting your box. Blocking IPs at the router level is a better idea if this is what you want to prevent.
Kawshen 06-13-2002, 08:53 AM OK, then - are there any rules I can drop into IPChains (which is my firewall software) then to prevent things like PING floods or any other form of ICMP abuse?
blazenet 06-13-2002, 09:24 AM I would suggest you to only allow 3 ping requests / minute from each IP... I currently have that set up, and it works very well for me.
Kawshen 06-13-2002, 01:06 PM I would suggest you to only allow 3 ping requests / minute from each ip...
OK - so how would I go about doing that? I'm pretty sure that isn't an IPChains thing....
Personally, I do not block ICMP on my servers. I see more harm than good by blocking it.
PepsiTwist22 11-29-2002, 03:26 PM I'm interested in this as well.. can someone list the commands to run in order to set that in motion?
Originally posted by Kawshen
I would suggest you to only allow 3 ping requests / minute from each ip...
OK - so how would I go about doing that? I'm pretty sure that isn't an IPChains thing....
zerphyte 11-29-2002, 05:09 PM Rate limit it and only allow certain types of ICMP. I know you can specify ICMP types in ipfw on FreeBSD but if you're using Red Hat you have bigger problems than ICMP attacks.
You can find a list of icmp types @
http://www.spirit.com/Resources/icmp.html
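The policy the thread keeps coming back to (allow the ICMP types the network needs, drop oversized packets, limit echo requests to 3 per minute per source), modelled as an added example that is not from any poster and is not firewall configuration. The set of allowed types, the 1024-byte size cap and the sample addresses are assumptions; it simulates the filtering decisions over constructed packets.

```python
from collections import defaultdict, deque

# Assumed allow-list (IANA ICMP type numbers); opinions on this set differ.
ALWAYS_ALLOW = {0: "echo-reply", 3: "destination-unreachable", 11: "time-exceeded"}
ECHO_REQUEST = 8
MAX_SIZE = 1024      # assumed cap in bytes; a normal ping is 56 bytes
PING_LIMIT = 3       # echo requests allowed per source...
WINDOW = 60.0        # ...within this many seconds


class IcmpPolicy:
    def __init__(self):
        # Per-source timestamps of echo requests accepted inside the window.
        self._accepted = defaultdict(deque)

    def decide(self, src, icmp_type, size, now):
        if size > MAX_SIZE:
            return "DROP oversized"
        if icmp_type in ALWAYS_ALLOW:
            return "ACCEPT " + ALWAYS_ALLOW[icmp_type]
        if icmp_type != ECHO_REQUEST:
            return "DROP type-not-allowed"
        recent = self._accepted[src]
        while recent and now - recent[0] >= WINDOW:
            recent.popleft()          # forget pings older than the window
        if len(recent) >= PING_LIMIT:
            return "DROP rate-limited"
        recent.append(now)
        return "ACCEPT echo-request"


# Constructed sample traffic: (time in seconds, source, ICMP type, size in bytes).
SAMPLE = [
    (0.0, "192.0.2.10", 8, 56), (1.0, "192.0.2.10", 8, 56),
    (2.0, "192.0.2.10", 8, 56), (3.0, "192.0.2.10", 8, 56),
    (4.0, "198.51.100.7", 8, 56), (5.0, "198.51.100.7", 8, 65000),
    (6.0, "203.0.113.5", 3, 576), (7.0, "203.0.113.5", 5, 56),
    (61.0, "192.0.2.10", 8, 56),
]


def run(packets):
    policy = IcmpPolicy()
    return [policy.decide(src, t, size, ts) for ts, src, t, size in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(pkt, "->", verdict)
```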