WebApp Sec mailing list archives

RE: Should or shouldn't block public ping to a website


From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Wed, 14 Sep 2011 10:38:03 +0100


> I think the point of a number of previous posters
> is that there ARE requirements for certain of the 
> ICMP subcodes in order for the Internet to work 
> properly - ICMP Do not fragment being one which 
> is required for Path MTU discovery, for example. 
> Stuff still works without it, but not as well as 
> it could with it allowed.
>
> Rogan

Hey chap!

ICMP is not universally a bad thing, however for the web server example
that started the thread:

There are some outbound ICMP messages that shouldn't be filtered,
because they genuinely make things work better (tm).

This is also true for a collection of inbound/outbound ICMP and the
last-hop router.

However, inbound ICMP to the web server itself? Not really. 

For the explicit example of packet size and PMTUD, I have personally
found that MSS tweaking is a more practical solution to the challenge
(at least until a better solution is ratified). In practice it works
well enough, and needs no more than the explicit TCP port to be exposed.
PMTUD, in comparison, is a poorly designed solution which leaves a site
open to potential attacks, such as those used in CAN-2004-1060.

Martin...
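The "MSS tweaking" Martin prefers over PMTUD can be shown at the packet level. The Python below is an added example written for this archive page; it is not code from the post or from any product mentioned in the thread. It builds a constructed IPv4 TCP SYN (documentation addresses and an assumed path MTU of 1400 are made-up test values), rewrites the MSS option so the client never sends a segment larger than the known path can carry, and recomputes the TCP checksum. With inbound ICMP "fragmentation needed" dropped at the server, this is what keeps large transfers from stalling.

```python
import struct
from ipaddress import IPv4Address

IPV4_HEADER_LEN = 20      # IPv4 header without options (assumption for this example)
TCP_MIN_HEADER_LEN = 20   # TCP header without options
EOL_KIND, NOP_KIND, MSS_KIND = 0, 1, 2
SYN_FLAG = 0x02


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of size `mtu` unfragmented;
    this is the value an MSS clamp advertises instead of relying on PMTUD."""
    return mtu - IPV4_HEADER_LEN - TCP_MIN_HEADER_LEN


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the segment.
    Run over a segment whose checksum field is already filled in, a correct
    checksum yields 0, so this doubles as a verifier."""
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def _tcp_options(header) -> "iterator of (kind, value_offset, value_len)":
    """Walk the TCP option list. Stops at EOL or at the first malformed
    option so a hostile option list cannot push the parser past the header."""
    data_offset = (header[12] >> 4) * 4
    i = TCP_MIN_HEADER_LEN
    while i < data_offset:
        kind = header[i]
        if kind == EOL_KIND:
            return
        if kind == NOP_KIND:
            i += 1
            continue
        if i + 1 >= data_offset:
            return
        length = header[i + 1]
        if length < 2 or i + length > data_offset:
            return
        yield kind, i + 2, length - 2
        i += length


def read_mss(segment: bytes):
    """Return the advertised MSS, or None if the segment carries no usable MSS option."""
    for kind, off, vlen in _tcp_options(segment):
        if kind == MSS_KIND and vlen == 2:
            return struct.unpack_from("!H", segment, off)[0]
    return None


def clamp_mss(src: str, dst: str, segment: bytes, path_mtu: int) -> bytes:
    """Rewrite the MSS option of a SYN so it never exceeds what `path_mtu` can
    carry, then fix the checksum. Non-SYN segments are returned untouched."""
    if not segment[13] & SYN_FLAG:
        return bytes(segment)
    data_offset = (segment[12] >> 4) * 4
    header = bytearray(segment[:data_offset])
    limit = mss_for_mtu(path_mtu)
    for kind, off, vlen in _tcp_options(header):
        if kind == MSS_KIND and vlen == 2:
            if struct.unpack_from("!H", header, off)[0] > limit:
                struct.pack_into("!H", header, off, limit)
    header[16:18] = b"\x00\x00"                      # zero checksum before recomputing
    rewritten = bytes(header) + segment[data_offset:]
    struct.pack_into("!H", header, 16, tcp_checksum(src, dst, rewritten))
    return bytes(header) + segment[data_offset:]


def build_syn(src: str, dst: str, src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed client SYN (not a capture) with options MSS, NOP, window scale 7."""
    options = struct.pack("!BBH", MSS_KIND, 4, mss) + bytes([NOP_KIND, 3, 3, 7])
    words = (TCP_MIN_HEADER_LEN + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0x1000, 0,
                         words << 4, SYN_FLAG, 65535, 0, 0) + options
    csum = tcp_checksum(src, dst, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


if __name__ == "__main__":
    src, dst = "192.0.2.10", "198.51.100.20"        # constructed documentation addresses
    syn = build_syn(src, dst, 40000, 443, 1460)
    clamped = clamp_mss(src, dst, syn, 1400)        # 1400 is an assumed path MTU
    print("advertised MSS", read_mss(syn), "-> clamped", read_mss(clamped),
          "checksum ok:", tcp_checksum(src, dst, clamped) == 0)
```

On Linux the same rewrite is done at the edge by an iptables TCPMSS rule with `--clamp-mss-to-pmtu` (or `--set-mss`), matching SYN packets in the mangle table; the example only shows why that rule needs nothing but the TCP port open. The 40-byte offset is IPv4-specific: for IPv6 the fixed header is 40 bytes, so the equivalent limit is the MTU minus 60.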
