
03-20-2002, 11:12 AM
Junior Guru
Location: Melbourne, Australia.
Is there a reason why I should not block ICMP?
Over the last week or so, I've noticed a fairly large number of 'script/worm/hack' attempts on our Windows 2000 test server. The server is patched & protected, so the attempts do no damage, but they are something that I'm happy to do without.
After blocking all ICMP traffic, these attempts have almost stopped. So blocking ICMP would seem to be a good counter-measure, but I was wondering if there is any reason why blocking ICMP is not a good idea?
It did stress our hosting-provider for a few days, because I did not think to tell them that I'd blocked ICMP, and their 'monitoring system' continued to report that our server was down.  They now monitor port 80. :p
I've also allowed ICMP only for my IP, and the IPs of our other servers, so we can test-ping the machine with no problems.
After the well-publicised DoS attacks on MS, Yahoo etc, I notice that many high profile websites do not reply to pings - maybe they have done something similar?

03-20-2002, 11:15 AM
Web Hosting Master
Location: St. Louis, MO
It's really not a bad idea to block all ICMP traffic, but it can be a little difficult to diagnose problems if they come up.
Just out of curiosity, how are you blocking ICMP traffic on your W2K box?
__________________
Mike @ Xiolink.com
http://www.xiolink.com 1-877-4-XIOLINK
Advanced Managed Microsoft Hosting
"Your data... always within reach"

03-20-2002, 12:19 PM
Junior Guru
Location: Melbourne, Australia.
I used IPSec Policies. A little bit tedious to setup, but I can copy/export it to other W2k servers now.
But it's even useful to ‘blacklist’ any IPs that I don’t like the look of.
Set rules to keep the major ports open - deny anything else - block ICMP. As long as I've got access to the box it's about 3 or 4 mouse clicks to remove the policy, if you’re troubleshooting.
Mind you, there were some very nervous moments when I first used the policy remotely. When testing on my machine here, I managed to block all network access, and that’s not something I'd want to do to a machine that is half a world away. :p

03-20-2002, 12:25 PM
*sigh*
Block echo packets if you must, but don't block all ICMP packets: At very least, you should allow type 3 code 4 (can't fragment) packets through. Blocking those will break path MTU discovery.
__________________
Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/

03-20-2002, 12:31 PM
Junior Guru
Location: Melbourne, Australia.
Thanks cperciva, I knew someone would come up with a reason why it was not such a good idea ... hence my question.
Unfortunately it seems 'block all ICMP' or 'allow all ICMP' are the only choices ... oh well ... maybe I'll have to invest in some razor-wire or another method of keeping the 'baddies' out.
[edit] At least now I know what to Google for:
http://www.onlamp.com/pub/a/bsd/2001...SD_Basics.html
[/edit]
Last edited by Wolfy; 03-20-2002 at 12:42 PM.

03-20-2002, 12:49 PM
Web Hosting Master
Location: St. Louis, MO
Quote:
Block echo packets if you must, but don't block all ICMP packets: At very least, you should allow type 3 code 4 (can't fragment) packets through. Blocking those will break path MTU discovery.

We block all ICMP traffic on most of our sensitive servers and have never had any problems at all. While I have heard of this problem, I have yet to experience it with W2K. (you can read up on filtering ICMP @ http://www.worldgate.com/~marcs/mtu/)
Oh yeah, wolfy you cannot select which type of ICMP traffic in IPSec policies. It's all or nothing.
__________________
Mike @ Xiolink.com
http://www.xiolink.com 1-877-4-XIOLINK
Advanced Managed Microsoft Hosting
"Your data... always within reach"

03-20-2002, 12:57 PM
Quote:
Originally posted by RackMy.com
We block all ICMP traffic on most of our sensitive servers and have never had any problems at all.
*Most* of the internet works on 1500 byte IP packets now. But there are still a few places -- satellite links come to mind -- where you'll see smaller MTUs.
The problem with breaking MTU discovery is that your packets will end up being dropped without any trace; in that respect it appears as if the remote server is simply unavailable.
The fact that you haven't *noticed* PMTU-related problems doesn't mean that there weren't any.
__________________
Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/

03-20-2002, 01:02 PM
Web Hosting Master
Location: St. Louis, MO
I hear ya, but really, how much of the net does not use 1500 byte IP packets.
Which ones would you say to leave available?
__________________
Mike @ Xiolink.com
http://www.xiolink.com 1-877-4-XIOLINK
Advanced Managed Microsoft Hosting
"Your data... always within reach"
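An added example, not part of any post above and not code written by the thread's participants: a toy Python model of path MTU discovery that shows cperciva's point and gives a concrete answer to the question of which ICMP to leave open. The sender (think of the web server pushing a page-sized response with the DF bit set) only learns the bottleneck MTU from the ICMP type 3 code 4 message the router sends back. If the host filter eats that message, the oversized segments are dropped with no trace and the transfer stalls, while a short request still fits under the bottleneck and succeeds, which is exactly why the breakage goes unnoticed from the server's side. The hop MTUs, the three filter policies and the payload sizes are constructed for the illustration; TCP header overhead and retransmission timers are ignored.

```python
"""Toy model of path MTU discovery (PMTUD) under three host ICMP filters.

Added example; the hop MTUs, filters and payload sizes below are constructed
for illustration.  A sender with the DF bit set learns the smallest MTU on the
path only from the ICMP type 3 / code 4 ("fragmentation needed") message the
bottleneck router returns.  If the sender's host filter drops that message the
oversized packets vanish silently and the transfer stalls.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ICMP_DEST_UNREACH = 3     # ICMP type 3: destination unreachable
ICMP_FRAG_NEEDED = 4      # type 3 code 4: fragmentation needed but DF set
ICMP_ECHO_REQUEST = 8     # ICMP type 8: "ping"


@dataclass
class IcmpMsg:
    icmp_type: int
    code: int
    next_hop_mtu: int = 0  # RFC 1191 field carried in type 3 / code 4


# Host filter policies: return True if the host accepts the ICMP message.
def block_all_icmp(msg: IcmpMsg) -> bool:
    return False                                   # the "all or nothing" W2K IPSec choice


def block_echo_only(msg: IcmpMsg) -> bool:
    return msg.icmp_type != ICMP_ECHO_REQUEST      # drop pings, pass everything else


def allow_only_frag_needed(msg: IcmpMsg) -> bool:
    return msg.icmp_type == ICMP_DEST_UNREACH and msg.code == ICMP_FRAG_NEEDED


class Path:
    """A chain of links; the smallest MTU is the bottleneck."""
    def __init__(self, hop_mtus: List[int]):
        self.hop_mtus = hop_mtus

    def forward(self, size: int) -> Tuple[bool, Optional[IcmpMsg]]:
        """Forward a DF packet. Returns (delivered, icmp_sent_back_to_sender)."""
        for mtu in self.hop_mtus:
            if size > mtu:
                # Router cannot fragment (DF set): drop and report the link MTU.
                return False, IcmpMsg(ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, next_hop_mtu=mtu)
        return True, None


def send_payload(total_bytes: int, local_mtu: int, path: Path,
                 icmp_filter: Callable[[IcmpMsg], bool], max_rounds: int = 10) -> dict:
    """Send total_bytes in DF segments, shrinking the segment size on type 3/4.

    Each round sends one segment of the current path-MTU estimate; a filtered
    type 3/4 message means the same size is retransmitted into the black hole.
    """
    pmtu, sent, rounds, icmp_seen = local_mtu, 0, 0, 0
    while sent < total_bytes and rounds < max_rounds:
        rounds += 1
        seg = min(pmtu, total_bytes - sent)
        delivered, icmp = path.forward(seg)
        if delivered:
            sent += seg
        elif icmp is not None and icmp_filter(icmp):
            icmp_seen += 1
            pmtu = icmp.next_hop_mtu           # adapt and retransmit smaller
    return {"delivered": sent == total_bytes, "pmtu": pmtu,
            "rounds": rounds, "icmp_seen": icmp_seen}


# Constructed path: a 1400-byte link (a satellite or tunnel hop) between 1500-byte links.
PATH = Path([1500, 1400, 1500])

if __name__ == "__main__":
    for name, policy in [("block all ICMP", block_all_icmp),
                         ("block echo only", block_echo_only),
                         ("allow only type 3/4", allow_only_frag_needed)]:
        small = send_payload(500, 1500, PATH, policy)    # a short HTTP request
        large = send_payload(3000, 1500, PATH, policy)   # a page-sized response
        print(f"{name:22s} small ok: {small['delivered']}  large ok: {large['delivered']}  "
              f"pmtu={large['pmtu']} icmp_seen={large['icmp_seen']}")
```

Under the "block all ICMP" policy the 500-byte transfer succeeds and the 3000-byte one never completes, with zero ICMP seen; both of the other policies let the sender drop to 1400 after one type 3/4 message. The third policy is the bare minimum cperciva asks for; "block echo only" is what Mark Adams describes doing on his name servers.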

03-20-2002, 01:36 PM
Makes it difficult...
It's a good way to protect your server from DoS attacks, but makes it a little difficult to solve issues.

03-21-2002, 04:27 AM
Web Hosting Master
Location: Ann Arbor, MI
I have to agree with cperciva. You don't want to block all ICMP. I block echo requests to some things like the name servers, but I can't see anything else as being a problem.
I'm curious to know what ICMP types are causing problems with your windows servers. Mind sharing?
__________________
-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!

03-21-2002, 07:18 AM
Quote:
Originally posted by Wolfy
I used IPSec Policies. A little bit tedious to setup, but I can copy/export it to other W2k servers now.
But it's even useful to ‘blacklist’ any IPs that I don’t like the look of.
Set rules to keep the major ports open - deny anything else - block ICMP. As long as I've got access to the box it's about 3 or 4 mouse clicks to remove the policy, if you’re troubleshooting.
Mind you, there were some very nervous moments when I first used the policy remotely. When testing on my machine here, I managed to block all network access, and that’s not something I'd want to do to a machine that is half a world away. :p

How does IPSec buy you anything? From working on VPN and security equipment every day for the past few years, I can tell you that IPSec is authentication, encryption and integrity services at the IP datagram layer. This has nothing to do with filtering but plenty to do with say, setting up a VPN.

03-21-2002, 07:19 AM
Quote:
Originally posted by cperciva
*sigh*
Block echo packets if you must, but don't block all ICMP packets: At very least, you should allow type 3 code 4 (can't fragment) packets through. Blocking those will break path MTU discovery.
icmp echo is nice if you want to know if your servers are up. I would say filter based on source if you must at all.

03-21-2002, 09:21 AM
Web Hosting Master
Location: St. Louis, MO
Quote:
This has nothing to do with filtering

With W2K, you can use IPSec policies to block certain ports and protocols. It can be used as a poor man's firewall, so yes it has everything to do with filtering.
__________________
Mike @ Xiolink.com
http://www.xiolink.com 1-877-4-XIOLINK
Advanced Managed Microsoft Hosting
"Your data... always within reach"

03-21-2002, 10:14 AM
Quote:
Originally posted by RackMy.com
With W2K, you can use IPSec policies to block certain ports and protocols. It can be used as a poor man's firewall, so yes it has everything to do with filtering
I don't think you know what IPSec is... So here's a refresher:
From http://www.rsasecurity.com/rsalabs/faq/5-1-4.html:
5.1.4 What is IPSec?
The Internet Engineering Task Force (IETF)'s IP Security Protocol (IPSec) working group is defining a set of specifications for cryptographically-based authentication, integrity, and confidentiality services at the IP datagram layer. IPSec is intended to be the future standard for secure communications on the Internet, but is already the de facto standard. The IPSec group's results comprise a basis for interoperably secured host-to-host pipes, encapsulated tunnels, and Virtual Private Networks (VPNs), thus providing protection for client protocols residing above the IP layer.
The protocol formats for IPSec's Authentication Header (AH) and IP Encapsulating Security Payload (ESP) are independent of the cryptographic algorithm, although certain algorithm sets are specified as mandatory for support in the interest of interoperability. Similarly, multiple algorithms are supported for key management purposes (establishing session keys for traffic protection), within IPSec's IKE framework.
The home page of the working group is located at
http://www.ietf.org/html.charters/ipsec-charter.html.
This site contains links to relevant RFC documents and Internet-Drafts.
So, yeah, you can set policies... to restrict IPSec traffic (since it typically appears as just another interface in most sane network devices).
Again, I've worked on this stuff every day for the past 2-3 years, so I'm fairly certain I know what I'm talking about. Perhaps you are one-off in your terminology.

03-21-2002, 10:54 AM
Junior Guru
Location: Melbourne, Australia.
manmythlgnd, I don't want to split hairs with you, but as RackMy.com mentioned, with W2k you can use an IPSec policy as a 'poor man's firewall'.
The server in question is a test box and costs very little to host, where no firewall facilities etc. are provided. So I have just been looking for other options to increase the 'security' level on the machine.
The IPSec policy allows rules to be set up.
If incoming or outgoing packets match the rules, they will be dropped or permitted, according to the rules set. These rules are set under the "IP Security Policies" heading, and have the effect of either permitting or denying traffic to the machine.
While this may not be what IPSec was designed for, it works for blocking or permitting mostly any kind of traffic based on a variety of rules.
But anyway ... the question I was wondering about has been answered. 
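An added example, not a Microsoft tool and not code from any post in this thread: a small Python dry-run of the "IPSec policy as poor man's firewall" rule set Wolfy describes (service ports open to the world, the admin's own IP allowed through, ICMP blocked, everything else denied). It evaluates sample inbound packets against the filter list so that the lockout Wolfy hit while testing is caught before the policy is assigned on a box half a world away. Windows IPSec applies the most specific matching filter rather than the first one listed; the weighting used here (narrower source prefix, then protocol, then port, with BLOCK winning a full tie) is this example's simplification of that ordering and is an assumption, not Microsoft's exact algorithm. The addresses and the management port are constructed.

```python
"""Dry-run of a Windows 2000 "IPSec policy as poor man's firewall" rule set.

Added example, not a Microsoft tool.  Models inbound filters with PASS/BLOCK
actions and resolves overlaps the way Windows IPSec does in spirit: the most
specific matching filter wins.  The exact weighting below is an assumption
made for this illustration; addresses are constructed documentation ranges.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PASS, BLOCK, ANY = "PASS", "BLOCK", "*"


class Filter:
    """One inbound IPSec filter: source, protocol, destination port, action."""
    def __init__(self, src: str, proto: str, dport, action: str, name: str):
        self.src = ANY if src == ANY else ip_network(src, strict=False)
        self.proto, self.dport, self.action, self.name = proto, dport, action, name

    def matches(self, pkt: dict) -> bool:
        if self.src != ANY and ip_address(pkt["src"]) not in self.src:
            return False
        if self.proto != ANY and self.proto != pkt["proto"]:
            return False
        if self.dport != ANY and self.dport != pkt.get("dport"):
            return False
        return True

    def weight(self) -> tuple:
        # Assumption: a narrower source beats a protocol match, which beats a
        # port match; on a full tie BLOCK is taken as the safer outcome.
        src_bits = -1 if self.src == ANY else self.src.prefixlen
        return (src_bits, self.proto != ANY, self.dport != ANY, self.action == BLOCK)


def decide(policy: List[Filter], pkt: dict) -> Tuple[str, Optional[str]]:
    """Return (action, filter name) for one inbound packet."""
    hits = [f for f in policy if f.matches(pkt)]
    if not hits:
        return PASS, None          # nothing matched: IPSec leaves the packet alone
    best = max(hits, key=Filter.weight)
    return best.action, best.name


def build_policy(open_tcp_ports: List[int], admin_src: Optional[str] = None) -> List[Filter]:
    """The rule set from the thread: open ports, block ICMP, deny the rest,
    and (if given) let the admin's address through for everything."""
    policy = [Filter(ANY, ANY, ANY, BLOCK, "deny everything else"),
              Filter(ANY, "ICMP", ANY, BLOCK, "block ICMP")]
    policy += [Filter(ANY, "TCP", p, PASS, f"tcp/{p} open") for p in open_tcp_ports]
    if admin_src:
        policy.append(Filter(admin_src, ANY, ANY, PASS, "admin address allowed"))
    return policy


def lockout_check(policy: List[Filter], admin_src: str, mgmt_ports: List[int]) -> List[int]:
    """Management ports on which the admin's own TCP traffic would be blocked."""
    return [p for p in mgmt_ports
            if decide(policy, {"src": admin_src, "proto": "TCP", "dport": p})[0] == BLOCK]


if __name__ == "__main__":
    ADMIN = "203.0.113.10"                                   # constructed admin address
    careless = build_policy([80, 443])                        # forgot the admin exception
    careful = build_policy([80, 443], admin_src=ADMIN + "/32")
    print("careless policy locks admin out on:", lockout_check(careless, ADMIN, [3389]))
    print("careful policy locks admin out on: ", lockout_check(careful, ADMIN, [3389]))
    for pkt in [{"src": "198.51.100.7", "proto": "TCP", "dport": 80},
                {"src": "198.51.100.7", "proto": "ICMP"},
                {"src": ADMIN, "proto": "ICMP"}]:
        print(pkt, "->", decide(careful, pkt))
```

Run it before assigning the policy: the "careless" list reports the management port as blocked for the admin's own address, the "careful" one reports nothing, and the last three lines show the world getting tcp/80, the world's pings being dropped, and the admin's pings passing because the /32 source filter outranks the protocol-wide ICMP block, which is the "ICMP only for my IP" arrangement described earlier in the thread.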