PING and Security

Started by deanwebb, March 21, 2018, 01:59:29 PM


deanwebb

PING is the first thing to be blocked in every security product demo and proof of concept.

It is also the first thing opened up on a firewall "just for testing purposes"... and is left open forever and ever and ever and ever and ever...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

I've worked on both sides: where ICMP is shut off, and where ICMP is permitted everywhere throughout. ICMP is a good troubleshooting tool; life sucks without it when trying to troubleshoot things. I think back in the old days it was more forbidden, these days more permissible, as long as one understands the protocol and the different type codes, and permits only those types that are necessary.

My Moral Fibers have been cut.

wintermute000

Unless there is a ridiculous exploit, I've never heard of anyone compromised via allowing icmp-echo, icmp-echo-reply, icmp-unreachable frag-needed (OMG why the f--k are you blocking PMTUD) and time-exceeded.
All you're doing is denying the recon of what IP addresses exist (As if the default GW is not .1 or .254 LOL).
This is double true if you enforce any kind of control plane policing or ICMP rate limiting.
But having said that, some of the more esoteric options can be used in exploits or DoS if your host stacks or router IPs are vulnerable (though most of these are very old attacks; sec guys should tell you more on what exactly is relevant in 2018).

Blocking pings completely, completely bones operations staff and troubleshooting, and god help you if you mess with PMTUD esp. on internet facing segments.


It's also absolutely critical to the operation of IPv6, though strictly speaking that's ICMPv6...
https://tools.ietf.org/html/rfc4890
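Both posts above land on the same policy: rather than blocking ICMP outright, permit only the type/code pairs that troubleshooting and PMTUD need, and for ICMPv6 follow RFC 4890. The Python below is an added example, not code from this thread: a stateless classifier that parses a raw IPv4/IPv6 packet and applies such an allow-list. The allow-list contents, the `icmp_decision` and `build_*` names, and the constructed sample packets are all assumptions made for this example.

```python
import struct

# Allow-list distilled from the thread (an assumption for this example, not a
# standard): keep what operations and PMTUD depend on, drop everything else.
ICMPV4_ALLOW = {
    (8, 0),   # echo request
    (0, 0),   # echo reply
    (3, 4),   # destination unreachable / fragmentation needed (PMTUD)
    (11, 0),  # time exceeded in transit (traceroute, routing loops)
}
# RFC 4890 sect. 4.3.1: ICMPv6 messages a firewall must not filter.
ICMPV6_ALLOW = {1, 2, 3, 4, 128, 129}           # error messages + echo
ICMPV6_NDP = {133, 134, 135, 136}               # NDP, only from fe80::/10


def icmp_decision(packet: bytes) -> str:
    """Classify a raw IP packet: 'allow', 'drop', or 'not-icmp' (fall through
    to the TCP/UDP policy). Truncated headers are dropped, never guessed."""
    if len(packet) < 20:
        return "drop"
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != 1:                      # protocol 1 = ICMP
            return "not-icmp"
        if ihl < 20 or len(packet) < ihl + 8:
            return "drop"
        return "allow" if (packet[ihl], packet[ihl + 1]) in ICMPV4_ALLOW else "drop"
    if version == 6:
        if len(packet) < 40:
            return "drop"
        if packet[6] != 58:                     # next header 58 = ICMPv6
            return "not-icmp"                   # (no extension-header walk here)
        if len(packet) < 44:
            return "drop"
        icmp_type = packet[40]
        from_link_local = packet[8] == 0xFE and (packet[9] & 0xC0) == 0x80
        if icmp_type in ICMPV6_ALLOW or (icmp_type in ICMPV6_NDP and from_link_local):
            return "allow"
    return "drop"


def build_icmpv4(icmp_type: int, code: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header (192.0.2.1 -> 192.0.2.2) + ICMP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + struct.pack("!BBHI", icmp_type, code, 0, 0)


def build_icmpv6(icmp_type: int, src: bytes) -> bytes:
    """Constructed sample: 40-byte IPv6 header (next header 58, dst 2001:db8::) + ICMPv6."""
    ip = struct.pack("!IHBB16s16s", 0x60000000, 8, 58, 64, src, b"\x20\x01\x0d\xb8" + b"\x00" * 12)
    return ip + struct.pack("!BBHI", icmp_type, 0, 0, 0)
```

Port-unreachable (3/3) and timestamp (13) are dropped by this list on purpose; widen it only after deciding which types your own operations actually rely on.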

deanwebb

While we all know TCP and UDP ports to watch out for, I think there's generally less awareness about ICMP and it's either all or nothing with blocking it. We slam the lid down on the entire protocol or let it all fly because there aren't enough test questions on echo, reply, and other important control protocols.

Ping of doom was a thing back in the late 90s, but not so much if we're dealing with versions of Windows after NT4 and Windows 98.

icecream-guy

The biggest security issue with ICMP lies with the traceroute utility, giving the ability for baddies to map the network. Well, that, and letting the baddies know that some server is alive and targetable.