WebApp Sec mailing list archives
RE: Should or shouldn't block public ping to a website
From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Wed, 14 Sep 2011 10:38:03 +0100
I think the point of a number of previous posters is that there ARE requirements for certain of the ICMP subcodes in order for the Internet to work properly - ICMP Do not fragment being one which is required for Path MTU discovery, for example. Stuff still works without it, but not as well as it could with it allowed.

Rogan
Hey chap!

ICMP is not universally a bad thing, however for the web server example that started the thread:

There are some outbound ICMP messages that shouldn't be filtered, because they genuinely make things work better (tm). This is also true for a collection of inbound/outbound ICMP and the last-hop router. However, inbound ICMP to the web server itself? Not really.

For the explicit example of packet size and PMTUD, I have personally found that MSS tweaking is a more practical solution to the challenge (at least until a better solution is ratified). In practice it works well enough, and needs no more than the explicit TCP port to be exposed. PMTUD, in comparison, is a poorly designed solution which leaves a site open to potential attacks, such as those used in CAN-2004-1060.

Martin...
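The following is an added example, not part of the original message or of any product mentioned in the thread. It sketches what MSS tweaking (clamping) at a gateway does to a TCP SYN: lower the advertised MSS option and repair the TCP checksum incrementally, so neither endpoint depends on inbound ICMP to size its segments. The function names, addresses, ports and the 1400-byte limit are assumptions made for illustration.

```python
import struct

def fold(s):                          # one's-complement carry folding
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def inet_checksum(data):              # full checksum, used to build and cross-check
    data += b"\x00" * (len(data) % 2)
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def clamp_mss(tcp, max_mss):
    """Lower the MSS option of a TCP SYN to max_mss; anything else passes unchanged."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if not 20 <= hdr_len <= len(tcp) or not tcp[13] & 0x02:
        return tcp                      # truncated, bad data offset, or not a SYN
    seg, i = bytearray(tcp), 20
    while i < hdr_len:
        kind = seg[i]
        if kind == 0:                   # End of Option List
            break
        if kind == 1:                   # NOP padding
            i += 1
            continue
        if i + 1 >= hdr_len or seg[i + 1] < 2 or i + seg[i + 1] > hdr_len:
            break                       # malformed options: leave untouched
        if kind == 2 and seg[i + 1] == 4:   # MSS option
            if struct.unpack_from("!H", seg, i + 2)[0] > max_mss:
                a = (i + 2) & ~1        # aligned 16-bit words covering the value
                n = 2 if i & 1 else 1   # an odd offset straddles two words
                old = struct.unpack_from(f"!{n}H", seg, a)
                struct.pack_into("!H", seg, i + 2, max_mss)
                new = struct.unpack_from(f"!{n}H", seg, a)
                # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
                s = ~struct.unpack_from("!H", seg, 16)[0] & 0xFFFF
                for m, m2 in zip(old, new):
                    s = fold(s + (~m & 0xFFFF) + m2)
                struct.pack_into("!H", seg, 16, ~s & 0xFFFF)
            break
        i += seg[i + 1]
    return bytes(seg)

# Constructed sample: SYN 192.0.2.10:40000 -> 198.51.100.20:443, NOP before the MSS option.
PSEUDO = bytes([192, 0, 2, 10, 198, 51, 100, 20, 0, 6, 0, 28])  # IPv4 pseudo-header
def sample_syn(mss=1460):
    opts = b"\x01" + struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x01"
    seg = bytearray(struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x70, 0x02, 65535, 0, 0) + opts)
    struct.pack_into("!H", seg, 16, inet_checksum(PSEUDO + bytes(seg)))
    return bytes(seg)
```

A segment whose checksum is valid sums to zero under `inet_checksum(PSEUDO + segment)`, which is how the clamped SYN can be checked without recomputing from scratch.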