Old 01-23-2009, 04:41 PM
"Jacques B."
 
Default Ping and traceroute...

On 1/23/09, John Doe <jdmls@yahoo.com> wrote:
> Hi everybody,
>
> Right now, we are blocking pings and traceroutes to our website.
> But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
> Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?
>
> Thanks,
> JD

Can't help you on that specific question. However, do you have the
luxury of having your members coming from a block of IPs, so you could
open pings to that block only? Even if it included more than just
your members (i.e. all pings from a particular ISP or geographical
area), at least it would reduce your visibility and thus reduce your
vulnerability, should it be an issue.

Jacques B.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 01-23-2009, 04:52 PM
John R Pierce
 
Default Ping and traceroute...

John Doe wrote:
> Hi everybody,
>
> Right now, we are blocking pings and traceroutes to our website.
> But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
> Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?
>


A denial of service by ping flooding is going to swamp your connection
whether or not your server ignores them. If you're paranoid you can use
iptables to rate limit ICMP responses.


 
Old 01-23-2009, 04:54 PM
"Tony Placilla"
 
Default Ping and traceroute...

>>> On Fri, Jan 23, 2009 at 12:41 PM, in message
<a937d2190901230941v363570e3u4f64d942f847e2bb@mail.gmail.com>, "Jacques B."
<jjrboucher@gmail.com> wrote:
> On 1/23/09, John Doe <jdmls@yahoo.com> wrote:
>> Hi everybody,
>>
>> Right now, we are blocking pings and traceroutes to our website.
>> But, in order for our members to test the connection when they are
> experiencing slow browsing, we are thinking about unblocking them...
>> Are there still any security issues (flooding, etc...) in enabling them or
> is that an old problem fixed a long time ago?
>>
>> Thanks,
>> JD
>
> Can't help you on that specific question. However do you have the
> luxury of having your members coming from a block of IPs so you could
> open pings to that block only. Even if it included more than just
> your members (i.e. all pings from a particular ISP or geographical
> area) at least it would reduce your visibility thus reduce your
> vulnerability should it be an issue.
>
> Jacques B.

Blocking ping has always been a pet peeve of mine. Aside from violating RFC-1122 (3.2.2.6 Echo Request/Reply: RFC-792 Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies.)

It provides *no* additional security & makes troubleshooting network issues that much more difficult.

This was on an ipfw list.

"Also, when blocking incoming ICMP requests and replies, please, please,
*please* take care to NOT block type 3 (destination unreachable) -
blocking 'need to fragment' packets (type 3, code 4) is a way to instant
gratification, if your idea of gratification is being a blackhole router
which breaks the Path MTU discovery for any poor soul who decides (or
simply has to) route through you, and for your own outgoing connections,
too.

Other useful ICMP types are 0 (echo/ping reply), 4 (source quench, for
throttling down (usually) TCP connections if some device further down
the path cannot handle the packet rate), 8 (echo/ping request), 30
(Windows traceroute), but you *could* block those without much harm to
the TCP/IP protocol stack, the only thing harmed would be functionality
- e.g. blocking types 0 and 8 would deprive you of pings, blocking type
30 would stop Windows traceroute from working, blocking type 4 would
mean that TCP connections going over a much slower link somewhere down
the line would be additionally slowed down by lots of retransmissions
instead of simply bringing down the packet rate. However, whatever you
block, please don't block type 3 code 4, and better not block any of the
type 3's "

my $0.02


Tony Placilla <aplacilla@jhu.edu>
Sr. UNIX Systems Administrator
The Sheridan Libraries
Johns Hopkins University
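An added example, not from the thread: John R Pierce's rate-limit suggestion and the ICMP type advice in Tony's quote turned into an iptables policy for a web host, plus a small audit of an `iptables -S` listing for the type 3 blackhole case. The chain name ICMP_IN, the rate limits and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Apply the policy with:  icmp_rules | sudo sh

icmp_rules() {
    # Emit the rules instead of applying them, so they can be reviewed or diffed first.
    cat <<'EOF'
iptables -N ICMP_IN
iptables -I INPUT -p icmp -j ICMP_IN
# Path MTU discovery: type 3 (destination unreachable) must always get through,
# above all code 4 "fragmentation needed"; dropping it makes this host a blackhole.
iptables -A ICMP_IN -p icmp --icmp-type 3 -j ACCEPT
# traceroute relies on type 11 (time exceeded) coming back from each hop.
iptables -A ICMP_IN -p icmp --icmp-type 11 -j ACCEPT
# ping: allow echo request/reply, but cap the rate (global, not per source) so a
# flood is answered slowly; the upstream link still has to absorb the flood itself.
iptables -A ICMP_IN -p icmp --icmp-type 8 -m limit --limit 10/second --limit-burst 20 -j ACCEPT
iptables -A ICMP_IN -p icmp --icmp-type 0 -m limit --limit 10/second --limit-burst 20 -j ACCEPT
# anything else ICMP (redirects, timestamp, ...) is dropped.
iptables -A ICMP_IN -p icmp -j DROP
EOF
}

# pmtud_ok reads an `iptables -S` style listing on stdin: returns 0 if ICMP type 3 is
# accepted before any rule drops it, 1 if a DROP/REJECT of type 3 (or of all ICMP)
# comes first. Single-chain check only; jumps to user chains are not followed.
pmtud_ok() {
    awk '
        BEGIN { rc = 0
                t3 = "--icmp-type (3(/[0-9]+)?|destination-unreachable|fragmentation-needed)( |$)" }
        /^-A .*-p icmp/ && $0 ~ t3 && /-j ACCEPT/               { rc = 0; exit }
        /^-A .*-p icmp/ && $0 ~ t3 && /-j (DROP|REJECT)/        { rc = 1; exit }
        /^-A .*-p icmp/ && !/--icmp-type/ && /-j (DROP|REJECT)/ { rc = 1; exit }
        END { exit rc }
    '
}

# Constructed sample listing (not captured from a real host): ping is allowed, but the
# blanket drop swallows type 3, which is exactly the blackhole case the quote warns about.
SAMPLE_LISTING='-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -j DROP'

if printf '%s\n' "$SAMPLE_LISTING" | pmtud_ok; then
    echo "OK: ICMP type 3 reaches this host"
else
    echo "WARNING: ICMP type 3 is blocked; Path MTU discovery will break"
fi
```

To audit a live box, run `iptables -S INPUT | pmtud_ok` as root.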
 
Old 01-23-2009, 08:09 PM
Lanny Marcus
 
Default Ping and traceroute...

On Fri, Jan 23, 2009 at 12:16 PM, John Doe <jdmls@yahoo.com> wrote:
> Right now, we are blocking pings and traceroutes to our website.
> But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
> Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?

Our two web sites do permit ping. I like to ping them from time to
time, for various reasons. Both have dedicated IP addresses. The one
time one of our sites was attacked, years ago, was someone connecting
to the POP3 server every second. Nothing to do with ping or
traceroutes.

However, I do not permit our ADSL router at home to be pinged. For
security reasons, I think allowing it to be pinged just increases the
possibility someone might try to get in.

As a previous reply stated, it may be against the rules to turn it off
for your web site.
All times are GMT.