You don't have to block ICMP completely
January
03
, 2018
This is something that I typically see all over the place, security administrators blocking the ICMP (Ping) protocol completely. Normally I am ok with that, after all ping is a troubleshooting tool and in some cases not the best troubleshooting tool to rely on. However, it's when people think their network is more secure when they have blocked ICMP. The truth is you can actually allow the ICMP types that are required for troubleshooting purposes without compromising security. So let's first consider what ICMP messages we typically use for troubleshooting:
- Echo Request - ICMP Type 8 Code 0
- Echo Replies - ICMP Type 0 Code 0
- Time Exceeded - ICMP Type 11 Code 0
- Fragment needed but DF bit set - ICMP Type 3 Code 4
Now we all know the echo request is the icmp packet from the host to the target, and the echo reply is response from target back to the host. The time exceeded packet is returned to the host when performing a traceroute. The fragment needed but DF bit set packet is used for path MTU discovery and can used to troubleshoot MTU issues, it basically replies back telling you the packet was dropped because it needed to be fragment but the DF (Do not fragment) bit was set on the packet so it could not be fragmented.
One ICMP parameter that should be blocked are ICMP fragments, fragmented ICMP packets can be used to cause DoS attacks. Remember ICMP packets typically send 64 bytes of data, so you should only see larger ICMP packets or expect fragments when testing MTU. (Other then that I can't think of any other legit reason to see large ICMP packets).
RFC 1858 goes pretty in depth concerning the danger of IP Fragments, it's definitely worth a read.
Now here is a configuration snippet that accomplishes everything I discussed here:
TERMINAL
- Router#sh run | include access-list 150
- access-list 150 remark ICMP ACL
- access-list 150 remark Block fragmented ICMP packets
- access-list 150 deny ICMP any any fragments
- access-list 150 remark Permit troubleshooting ICMP types
- access-list 150 permit icmp any any acho
- access-list 150 permit icmp any any acho-reply
- access-list 150 permit icmp any any time-exceeded
- access-list 150 permit icmp any any packet-too-big
- access-list 150 remark Deny any other ICMP messages
- access-list 150 deny icmp any any
- access-list 150 remark Allow Other Traffic
- access-list 150 permit ip any any
Now if you want to learn about ICMP in greater detail check out
RFC 792.