Thursday, 18 July 2019

security - What are reasons to disallow ICMP on my server?


An EC2 Instance has ICMP services disabled by default. While it's not totally clear to me why, I think it's because it could be a potential security risk. At the moment I'm enabling Echo Responses only when I'm restarting the server so I can see if it's up and running, but once it comes online I disable it again. Is it necessary? What are reasons to disable ICMP in general?



Answer



ICMP consists of a large collection of commands. Disallowing all of those will break your network in strange ways.


ICMP allows things like "traceroute" and "ping" (ICMP echo request) to work. Thus that part is quite useful for normal diagnostics. It also is used for feedback when you run a DNS server (port unreachable) which, in a modern DNS server, may actually help select a different machine to query faster.


ICMP is used for path MTU discovery. Chances are your OS sets "DF" (do not fragment) on TCP packets it sends. It is expecting to get an ICMP "fragmentation required" packet back if something along the path fails to handle that size of packet. If you block all ICMP, your machine will have to use other fallback mechanisms, which basically use a timeout to detect a PMTU "black hole" and will never optimize correctly.


There are probably a few more good reasons to enable most of ICMP.


Now, as to your question why to disable:


Reasons to disable part of ICMP are:



  • Protection from old style worms which used ICMP echo request (aka ping) to see if a host was alive before trying to attack it. These days, a modern worm tries it anyway, making that no longer effective.

  • Hiding your infrastructure. If you want to do this, then please block it at the edge of your network. Not on every single computer. That will just cause your admin to pull all the hair from his or her head in frustration when something goes wrong and all the normal analysis tools fail. (In this case: Amazon could block it at the edge of the cloud).

  • Denial of service attacks based on ICMP. Handle these the same as other DoS attacks: rate limit.

  • The only valid one: If you are on an unsafe network, you might want to block or disable the "router has changed" command. Or fix: use your servers on a safe network.


Note that there are 'server hardening' manuals out there that advise to block ICMP. They are wrong (or at least not detailed enough). They fall in the same category as wireless 'security' via MAC filtering or hiding the SSID.
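The policy the answer describes (keep the ICMP types diagnostics and path MTU discovery depend on, rate-limit ping instead of dropping it, drop redirects) as an added nftables example for a Linux host; this is not code from the answer above, and the table name, chain name and rate value are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer. Emits an nftables input
# chain for IPv4 ICMP. Table/chain names and the rate budget are assumptions.

icmp_ruleset() {
    rate="${1:-10/second}"      # echo-request budget; assumed default
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept

        # Needed for PMTU discovery ("fragmentation required" is a
        # destination-unreachable subtype) and for traceroute replies.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Keep ping working, but cap it so an ICMP flood is throttled
        # rather than answered at line rate.
        icmp type echo-request limit rate $rate accept
        icmp type echo-request drop

        # The "router has changed" message the answer refers to (ICMP redirect).
        icmp type redirect drop
    }
}
EOF
}

# Print the ruleset by default; load it into the kernel only on --apply.
if [ "${1:-}" = "--apply" ]; then
    icmp_ruleset "${2:-}" | nft -f -
else
    icmp_ruleset "$@"
fi
```

Run without arguments to review the generated rules; `--apply` pipes them into `nft -f -`, which requires root and replaces any existing `inet filter` table of the same name.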

