Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
ICMP Echo Requests can be used as a primitive tool for mapping a network, but it only tells you if a host is up or not, not which services are running.
On systems with a seriously broken IP stack, a malformed ICMP packet can cause kernel panics/BSODs.
If broadcast pings are allowed through a router (no broadcast anything should be allowed through a router), a Smurf DoS attack is possible.
None of the scenarios above are specific to ICMP Echo Requests. Blocking ping packets does not improve security.
That only works if the IP stack on the receiving end is badly broken.
The so-called "Ping of Death" is nothing more than an exploit targeting a classic buffer overflow bug in some older IP stacks. No modern OS is affected by it.
A buffer overflow vulnerability could just as easily exist in the part of the IP stack handling TCP, or in any number of applications. The solution is not to block every protocol, but rather to evaluate the usefulness and risks associated with each protocol. There are currently no risks associated with allowing ICMP Echo Requests, and on the other hand "ping" is a useful diagnostic tool.
Quote:
Originally Posted by ilesterg
How about IP spoofing?
IP spoofing works regardless of protocol, and is not really a security issue in and by itself.
The only way to deal with IP spoofing is to do egress filtering as the ISP level.
Lot of companies around the world seem to have in their IT policy that systems are not allowed to ping requests.
If this topic is discussed with the IT security guys I sometimes received unofficial statements that this came from the non-techy management and was backed up with something like "With ping you can find out there is a box. If you didn't know there was one you couldn't attack it".
Technically this is crap, any box in a network can be found as long as it is doing something. Only a box without cables/network connection if 100% save. If a box is communicating to a network it may always be a target for attacks, doesn't matter if it replies to ICMP or not.
Disabling ICMP makes it only harder to manage networks as long as there isn't something setup providing similar functionality.
But... if that's yout company's policy you are unlikely to change it unless you are the CIO...
Of course it does. Just like a TCP SYN flood, or ACK flood, or a UDP packet flood, or basically any type of packet flooding regardless of protool. Bandwidth throttling is recommended, but if someone manages to fill the entire pipe with rubbish (which is trivially easy for botnet operators), neither throttling nor firewall settings will be of any help.
If the choice is between letting nothing through or letting nothing except ICMP Echo Requests through, then blocking ICMP Echo Requests may have some marginal value. As long as you're allowing any inbound traffic at all, blocking pings won't make any difference in preventing DoS attacks.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
I meant more that it's just another thing you don't need rules for. Block ICMP and use CPU cycles for connection-based firewalling of other protocols? I'll admit though my networking knowledge isn't the best so I'm just thinking out loud here.
One of the task of firewalling is to prevent threats unknown at present time. Currently there is no risk, but nobody can guarantee this for future. Crackers are smart people and will utilize all available "things" to compromise the securities. One more security step can save in case of discovering new vulnerability in deeper levels. In my opinion only services, protocols, resources that are needed/used should be exposed outside. All others should be blocked. And ping is a utility for administrators, I do not see a reason to some worker ping any company computer from home even if he is allowed to connect to it for example by ssh.
One of the task of firewalling is to prevent threats unknown at present time. Currently there is no risk, but nobody can guarantee this for future. Crackers are smart people and will utilize all available "things" to compromise the securities. One more security step can save in case of discovering new vulnerability in deeper levels. In my opinion only services, protocols, resources that are needed/used should be exposed outside. All others should be blocked. And ping is a utility for administrators, I do not see a reason to some worker ping any company computer from home even if he is allowed to connect to it for example by ssh.
I would agree that the "implicit deny" principle is the appropriate approach for most environments.
The OP indicated that he needed to use the ping utility, and hence there seemed to be a genuine use case for ICMP Echo Requests in that particular network. He then asked if allowing ICMP has any security implications, and currently the answer to that question is "no".
One could argue that there might be unknown security vulnerabilities related to the ICMP protocol in the IP stack of some operating systems, and that allowing ICMP Echo Request might then make it possible for an attacker to exploit such a vulnerability should one ever be discovered. While that is technically true, the same can be said about any protocol.
ICMP Echo Requests are very simple beasts, and vulnerabilities related to the handling of "ping" packets in the IP stack are much less likely to exist than vulnerabilities in, say, the TCP code, not to mention vulnerabilities due to bugs in complex application software like web servers.
If someone has a genuine need to send ICMP Echo Requests, I see very few valid reasons not to allow them through the firewall. If you're concerned about flooding or unapproved tunnels, throttle them or limit the maximum packet size.
Just to add to Ser Olmy's post:
There are possibilities to mis-use ICMP, e.g. HTTP over ICMP, but that's true for other protocols as well, e.g. DNS. Would you not allow DNS in your network only because there is the potential for things like this? And by the way the attacker would need to have access to both ends of such a tunnel anyway before it can be brought up, I doubt that the needed software will be implemented and running on your production systems by default.
Last edited by dt64; 09-08-2013 at 05:43 AM.
Reason: Typo
But you talking about known technics of breaking security (errors in IP stack, etc.). I talk about currently unknown. For example, if anybody could have expect some time ago that cryptographic keys can be discovered by measuring time of response packets? Maybe I have too much imagination, but I didn't. I mean that now we cannot imagine risk of allowing something looking as safe, but hackers have a much more imaginative than usual people or network administrator.
As other than ICMP protocols offer more opportunities for hackers, I don't see any reason to facilitate their job. It is a matter of choice between security and needs or comfort. About not allowing exemplary DNS, answer is yes - if it not needed in my network or outside, yes. Usually hackers exploits few holes to get into system, one to break encryption or guess password, other to trick firewall, another to increase privilages, one more to escape from jail, etc. Not just one and voilà, he is inside. All known and unknown minor bugs or lowered securities can decide that your system will be hacked... or not, because one last sentry of insignificant component will block intruder.
Thanks to all for their answers, I'm a little smarter now. It isn't as simple an issue as I'd thought, but I suppose nothing IT related rarely ever is.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.