This question is slightly related to "Why Block Port 22 Outbound?". I don't see how this can be a notable security risk.
6 Answers
Security is frequently thought about in a "blacklist everything, whitelist what's needed" context, often to a tinfoil-hat level of limiting outbound connections until someone complains. While it's easy to ask "why block" ... a security expert will ask "why do you need" ... This is why a corporate network is very restrictive (blacklist first) vs a standard home network (whitelist everything outgoing).
A machine on your network running on a botnet providing bandwidth for ICMP PING saturation of a host is one realistic scenario.
Blocking ICMP outbound and ALL other connections from your environment is a good start for building your firewall/security policy.
But there are a lot of things that you should know beforehand and take into account. A good example: blocking all ICMP packets while allowing some other protocols such as TCP port 80 (HTTP) can lead to problems with MTU/PMTU. If you have a network connection that uses an encapsulation such as PPPoE, GRE, or one of the many others, you WILL run into a large number of hard-to-identify MTU issues.
A good area to start reading is:
This ignores answering the real question ("why?") by simply stating that it's "a good start". Furthermore, linked "IMCP stands for trouble" is 404-ing, so that's of no use. – ironsam Feb 23 '12 at 18:28
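The MTU caveat in the answer above comes down to which ICMP messages an egress filter must let through. The following added example (not from any answer on this page) parses an ICMPv4 message, verifies its RFC 1071 checksum, and applies an assumed default-deny egress policy that keeps only "Fragmentation Needed" (type 3, code 4, per RFC 792/RFC 1191, which Path MTU Discovery depends on) and the echo/time-exceeded types that ping and traceroute use; the policy itself and the helper names are this example's own choices.

```python
import struct

# ICMPv4 type/code numbers from RFC 792 and RFC 1191 used by the policy below.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # code under DEST_UNREACH: "fragmentation needed and DF set"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header + payload."""
    if len(data) % 2:
        data += b"\x00"  # pad odd length for 16-bit word summation
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed ICMP message for testing: 8-byte header with checksum."""
    full = struct.pack("!BBH", icmp_type, code, 0) + b"\x00" * 4 + payload
    csum = icmp_checksum(full)  # computed with the checksum field zeroed
    return struct.pack("!BBH", icmp_type, code, csum) + full[4:]


def parse_icmp(pkt: bytes):
    """Return (type, code) if the header is complete and checksum-valid."""
    # A valid message sums to 0xFFFF, so the complemented checksum is 0.
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        return None
    icmp_type, code, _ = struct.unpack("!BBH", pkt[:4])
    return icmp_type, code


def outbound_verdict(pkt: bytes) -> str:
    """Assumed egress policy: deny ICMP by default, but never the messages
    whose loss creates PMTU black holes, nor the basic diagnostic types."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return "drop: malformed"
    icmp_type, code = parsed
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        return "accept: PMTUD"  # remote senders must learn our path MTU
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY, TIME_EXCEEDED):
        return "accept: diagnostics"  # ping and traceroute; rate-limit upstream
    return "drop: policy"  # redirects, timestamps, other unreachables, etc.
```

Run against a real ruleset the same split applies: a rule for type 3 code 4 (and ICMPv6 Packet Too Big) belongs above any blanket ICMP drop.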
These ICMP DoS attacks were useful 10 years ago. Nobody will use them now, and it is a stupid thing to filter all ICMP packets. Books that suggest blocking all ICMP packets are 1) written by stupid people or 2) written by people who want to make your network hard to diagnose so that you call a company that will fix it for you :)
Even ICMP redirect messages are not harmful if you have only static routes...
So please don't advise people to disable the main diagnostic protocol of the internet.
I think this is not a big deal, but it can be considered part of the "default deny" policy used in systems administration. The reason for blocking ICMP would be avoiding ICMP DoS attacks against another host. (To be ethical)
-1: Singling out ICMP here is not the correct method. TCP/UDP/ICMP and all the other IP protocols (http://www.iana.org/assignments/protocol-numbers/) can be used to create DoS attacks under the right conditions. What is really needed is correct filtering of acceptable packets for the environment. – Jeremy Rossi Aug 19 '09 at 04:24
How ethical is it to ignore one of the core diagnostic protocols of the internet? ICMP is not the only internet protocol subject to abuse via DoS and other attacks (hint: they all are). google.com responds to, and even opens up, *inbound* ICMP for a reason: to support a core protocol and allow diagnostics. – ironsam Feb 23 '12 at 18:41
ICMP attacks page seems to be down, link to the web archive: https://web.archive.org/web/20131005054532/http://www.javvin.com/networksecurity/ICMPAttacks.html – Roland Pihlakas Aug 25 '20 at 04:00
It's possible, for example, for a malicious piece of software on a compromised system to send messages "back home" via fake echo replies. This could give the remote listening system quite a bit of information that you don't necessarily want it to have, one little piece at a time. Anything the malware has access to could go right out the pipe.
In which case one needs to focus on removing the malware rather than on the data it sends. – Richard Aug 19 '09 at 09:48
Another reason to block outbound ICMP is to (attempt to) foil port scanners. Many firewalls will silently drop inbound packets denied by security policy (usually an ACL). However, if a packet is allowed through, and the destination application itself isn't running, most servers will return an ICMP Unreachable packet of some type. This difference in behavior for an unavailable port can give an attacker valuable insight into your network.
Obscurity is a poor security mechanism by itself, but it can be quite useful as part of a broader security strategy. – James Sneeringer Jul 23 '12 at 13:45