Is it a bad idea for a firewall to block ICMP?
This question was inspired by this answer which states in part:
The generic firewall manifest file finishes off by dropping everything I didn't otherwise allow (besides ICMP. Don't turn off ICMP).
But, is it truly a good practice for a firewall to allow ICMP? What are the security implications, and are there cases where ICMP should be turned off?
I'm sure there are plenty of other reasons, but for one - it makes remote administration a nightmare.
It's one of those "Unless you're a networking god and really know what you're doing, don't mess with it" sort of things.
RFC 4890: http://www.ietf.org/rfc/rfc4890.txt and this draft RFC: https://datatracker.ietf.org/doc/draft-ietf-opsec-icmp-filtering/history/ ... both provide detailed advice on how to filter both ICMPv4 and ICMPv6 packets.
I blocked all incoming traffic of my local network with iptables to avoid unauthorized access to services running on my computer. However, sometimes I noticed that logging in to websites like GitHub was freezing (e.g. the first login on a clean Firefox profile). Wireshark displayed ICMP packets with the message "Destination unreachable (Fragmentation needed)". It looks like the problem came from my firewall rules blocking ICMP which was needed by the router, because it was fixed when allowing ICMP.
Compared to other IP protocols ICMP is fairly small, but it does serve a large number of disparate functions. At its core ICMP was designed as the debugging, troubleshooting, and error reporting mechanism for IP. This makes it insanely valuable, so a lot of thought needs to go into shutting it down. It would be a bit like tacking
>/dev/null 2>&1 to the end of all your cron entries.
Most of the time when I talk to people about blocking ICMP they're really talking about ping and traceroute. This translates into 3 types
- 0 - Echo Reply (ping response)
- 8 - Echo Request (ping request)
- 11 - Time Exceeded
That's 3 types out of 16. Let's look at a couple of the other ICMP types that are available.
- 4 - Source Quench (sent by a router to ask a host to slow down its transmissions)
- 3 - Destination Unreachable (consists of 16 different kinds of messages ranging from reporting a fragmentation problem up to a firewall reporting that a port is closed)
Both of which can be invaluable for keeping non-malicious hosts operating properly on a network. In fact there are two (probably more but these are the most obvious to me) very good cases where you don't want to restrict ICMP.
- Path MTU Discovery - We use a combination of the Don't Fragment flag and type 3 code 4 (Destination Unreachable - Fragmentation required, and DF flag set) to determine the smallest MTU on the path between the hosts. This way we avoid fragmentation during the transmission.
- Active Directory requires clients ping the domain controllers in order to pull down GPOs. They use ping to determine the "closest" controller and if none respond, then it is assumed that none are close enough. So the policy update doesn't happen.
That's not to say that we should necessarily leave everything open for all the world to see. Reconnaissance is possible with ICMP and that is generally the reason given for blocking. One can use pings to determine if a host is actually on, or Time Exceededs (as part of a traceroute) to map out network architectures, or Rory forbid a Redirect (type 5 code 0) to change the default route of a host.
Given all that, my advice is, as always, take a measured and thoughtful approach to your protections. Blocking ICMP in its entirety is probably not the best idea, but picking and choosing what you block and to/from where probably will get you what you want.
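An added example, not code from any of the answers on this page: a small stateful ICMPv4 filter model in Python that does what the answer above recommends, i.e. pick and choose by type and code rather than block ICMP outright. It keeps Echo Request, Echo Reply only when it matches a ping we sent, and the error types 3 (including code 4 for path MTU discovery), 11 and 12, but only when the error quotes an IP header plus eight bytes of a datagram this host actually sent; it drops Redirect (type 5) and the deprecated Source Quench (type 4). The host address, ports, state table and packets below are constructed for the demonstration, and the filter is a policy model, not a netfilter hook.

```python
import struct

# ICMPv4 types used below (RFC 792 numbering)
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 8, 11, 12
FRAG_NEEDED = 4                      # Destination Unreachable, code 4
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def icmp_packet(type_, code, rest=b"\0\0\0\0", payload=b""):
    """Build an ICMPv4 message with a correct checksum."""
    body = bytes([type_, code, 0, 0]) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def quoted_datagram(src, dst, proto, l4_head):
    """IPv4 header + first 8 bytes of the transport header, as ICMP errors quote it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_head), 0x1234,
                      0x4000, 64, proto, 0, ip4(src), ip4(dst))
    return hdr + l4_head[:8]


def decide(pkt, flows, our_addr):
    """Return (verdict, reason). `flows` is the state table of traffic we sent:
    ("tcp"|"udp", src, dst, sport, dport) or ("icmp", ident, seq)."""
    if len(pkt) < 8:
        return "DROP", "truncated ICMP header"
    if checksum(pkt) != 0:
        return "DROP", "bad checksum"
    type_, code = pkt[0], pkt[1]
    if type_ == ECHO_REQUEST:
        return "ACCEPT", "echo request (rate-limit this in production)"
    if type_ == ECHO_REPLY:
        ident, seq = struct.unpack("!HH", pkt[4:8])
        if ("icmp", ident, seq) in flows:
            return "ACCEPT", "echo reply to our ping"
        return "DROP", "unsolicited echo reply"
    if type_ == REDIRECT:
        return "DROP", "redirect would rewrite our routing table"
    if type_ == SOURCE_QUENCH:
        return "DROP", "source quench is deprecated (RFC 6633)"
    if type_ not in ERROR_TYPES:
        return "DROP", "type %d not on the allow list" % type_
    # Error messages must quote the offending IP header + 8 bytes (RFC 792),
    # and that quote must describe a datagram we actually sent.
    quote = pkt[8:]
    if len(quote) < 28 or quote[0] >> 4 != 4 or (quote[0] & 0x0F) < 5:
        return "DROP", "error message lacks a valid quoted IPv4 header"
    ihl = (quote[0] & 0x0F) * 4
    src = ".".join(map(str, quote[12:16]))
    dst = ".".join(map(str, quote[16:20]))
    l4 = quote[ihl:ihl + 8]
    if src != our_addr or len(l4) < 4:
        return "DROP", "quoted packet was not sent by us"
    sport, dport = struct.unpack("!HH", l4[:4])
    key = (PROTO_NAMES.get(quote[9], str(quote[9])), src, dst, sport, dport)
    if key not in flows:
        return "DROP", "quoted packet matches no tracked connection"
    if type_ == DEST_UNREACH and code == FRAG_NEEDED:
        mtu = struct.unpack("!H", pkt[6:8])[0]   # Next-Hop MTU, RFC 1191
        if 0 < mtu < 68:                         # below the IPv4 minimum
            return "DROP", "implausible next-hop MTU %d" % mtu
        return "ACCEPT", "fragmentation needed, path MTU %d" % mtu
    return "ACCEPT", "type %d code %d for a tracked connection" % (type_, code)


# Constructed state table: one TCP session, one UDP traceroute probe, one ping.
OUR_ADDR = "10.0.0.5"
FLOWS = {("tcp", OUR_ADDR, "93.184.216.34", 40000, 443),
         ("udp", OUR_ADDR, "93.184.216.34", 33434, 33435),
         ("icmp", 0x4242, 1)}


def sample_packets():
    """Constructed ICMP messages arriving at OUR_ADDR (not captured traffic)."""
    tcp_q = quoted_datagram(OUR_ADDR, "93.184.216.34", 6, struct.pack("!HHI", 40000, 443, 0))
    udp_q = quoted_datagram(OUR_ADDR, "93.184.216.34", 17, struct.pack("!HHHH", 33434, 33435, 36, 0))
    alien_q = quoted_datagram(OUR_ADDR, "198.51.100.7", 6, struct.pack("!HHI", 40000, 80, 0))
    ping = icmp_packet(ECHO_REQUEST, 0, struct.pack("!HH", 7, 1), b"hello")
    return {
        "frag_needed": icmp_packet(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1400), tcp_q),
        "frag_needed_unknown_flow": icmp_packet(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1400), alien_q),
        "ttl_exceeded": icmp_packet(TIME_EXCEEDED, 0, payload=udp_q),
        "redirect": icmp_packet(REDIRECT, 0, ip4("10.0.0.254"), tcp_q),
        "source_quench": icmp_packet(SOURCE_QUENCH, 0, payload=tcp_q),
        "echo_request": ping,
        "echo_request_corrupt": ping[:-1] + b"!",   # one flipped payload byte
        "echo_reply": icmp_packet(ECHO_REPLY, 0, struct.pack("!HH", 0x4242, 1)),
    }


def run_filter():
    return {name: decide(pkt, FLOWS, OUR_ADDR) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, (verdict, why) in run_filter().items():
        print("%-26s %-6s %s" % (name, verdict, why))
```

The point of the state-table check is the one stateful firewalls make for real: a Fragmentation Needed message that quotes a connection you never opened is at best noise and at worst an attempt to shrink your path MTU, while the same message for a live TCP session is exactly what keeps the GitHub login in the comment above from hanging.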
small detail: While ICMP is optional in IPv4, it is required by IPv6 to operate normally. The role of ICMP has changed a lot. Lightweight read about it: http://blogs.cisco.com/security/icmp-and-security-in-ipv6/
@Mike Oh sure, I guess I wasn't clear but I was specifically talking about v4. IPv6 is a different enough beast that we really need to treat it as completely different protocol when designing and protecting v6 networks.
@tylerl: I laughed writing it too. Granted I had had some wine and it was 1.5 hours past my bedtime.
Source Quench has been formally deprecated (RFC 6633). And has hardly ever been seen on the Internet for decades.
ICMP Redirect is also pretty well abandoned, but it happens sometimes. It makes for a good example of how wide the uses of ICMP are. The linked RFC is interesting, but also very new. I would expect a very large number of network stacks in use haven't been updated since that was released.
RFC 5927 section 6.2 notes that Source Quench has been removed from many operating systems since 2005 or before, based on its uselessness for congestion control and its potential to be used for a blind throughput-reduction attack.
FYI: Don't block ping requests on IPv6, as it's used for incoming connections from people still on IPv4 networks using Teredo to access the IPv6 network.
The Cisco document from @Mike's comment is archived at https://web.archive.org/web/20190907224403/https://blogs.cisco.com/security/icmp-and-security-in-ipv6
ICMP exists for a reason, and not all of that reason is ping. It's the "meta" protocol that is used to communicate control messages about the network itself. Have a look at ICMP on Wikipedia to get a better idea of what it is and what it's for.
Other ICMP messages also include destination host unreachable, fragmentation required, congestion control, TTL exceeded, IP protocol errors, and a number of others.
The network will operate without ICMP--resilience in the face of packet drops is one of IP's core strengths--but it will operate more slowly, less efficiently, and without the benefit of these signals to help you diagnose and solve problems.
Security issues with ICMP tend to be the more nebulous "information disclosure" issues. E.g. If your router sends an ICMP message back to someone, then that someone knows you have a router. Maybe the attacker knowing you have a router is something you're worried about, or more likely it's not. But security research tends to err on the side of silence just to be on the safe side, just in case.
Occasionally there's an ICMP related "ping of death" style vulnerability in an OS. Currently none exist in any mainstream OSes. But once again, security advocates err on the side of caution, just in case.
You're wrong, but I agree with you saying regular users/administrators should not block ICMP. There are multiple critical security concerns with ICMP. The main problem is having control-level feedback (ttl-exceeded) that is not only sent by the destination, but by intermediate hops too. It can be used for device fingerprinting based on characteristics (initial TTL, IP flags and more importantly IP ID) of the ICMP message. Moreover, ICMP messages can also be feedback for firewall traversal, and combined with TCP window-checking firewalls you can perform sequence number inference attacks.
To be honest it is smart to filter some outbound ICMP at both the router level and the software firewall level as an extra layer of security.
It may not be pertinent to stopping a DoS or DDoS, but malicious people still use ICMP to try and retrieve as much information about a network as possible before they attempt to breach it.
I am not saying they ONLY use ICMP, but that is one of the few packet types they use, and depending on whether you have your floodgates open they can gain a great deal of information in very little time.
Take some time to google and look up information about how NMAP and a few other programs utilize ICMP as one of the resources to gathering information then base your filters off of what you feel is necessary to protect yourself and your network.
If at all possible set up an internal test network (I personally bought a secondary wifi router, a cheap one, and have a secondary pc as a firewall to test all of my router/ipchains/software firewall settings before I employ them across my main network for my household and any customer that hires me to secure their networks).
I highly encourage people to try and do some research on port scanning and how to breach firewalls on their own network so that they can better protect themselves and any family they are helping.
Here are a couple of resources I have used and referred friends to before: Sans Information Security, How ICMP is used for Reconnaissance.
Some of the attacks are no longer viable but there are newer forms of Smurf that work still because of how the programmer was able to re code the original attack and change how it works and uses resources.
Dig around; google is your friend, along with Stack Exchange, and the duckduckgo search engine is wonderful for resources that google might filter out. Just be cautious and use your wits!
I have been a pc tech for 22 years and a network security specialist for 10. I am currently in school for my ECH and my CPTS and I am looking at Offensive Security courses when I finish these.
Hope this helps and others find this information useful. As I restore backups I made to this system and find my other links and resources on this matter, I will update this answer.
Blocking ICMP is not only useless but in most cases it is also harmful. There are several reasons why you should not block ICMP if you are not absolutely sure what you are doing and especially why you are doing it. Yes, ICMP ping can help others to "profile" your network. But let's be honest, if you have any TCP service open at all you will be seen. If you just drop packets you will be seen. If you respond the wrong way you will be seen. So if you believe the theory that you must hide your important servers on the network because it makes them more secure, then when you block your ICMP it is more likely that your host is an even brighter target. There are just tons of ways to do it wrong so that you break MTU path discovery, congestion control etc. and even make your server stand out from the mass. So in a nutshell, do not block your ICMP if you do not have a really good reason for doing it, and then do it with care and read the ICMP protocol specs so that you understand what you are doing and why. Yes, it can be a good idea to block ICMP redirects at the edge of your net if you are not sure whether you have old kernels. But on the other hand it is just better to update your servers and other hosts (fix the real problems) than to hide them under the carpet where someone will find your bugs anyway.
As you can see from the protocol structure, it all depends on the area in which it is used, and since firewalls are able to act on the type and code parameters, you can decide what to pass through the firewall and what not. Clearly, if the firewall receives an ICMP Echo Request and you have no problem letting the sender know whether the destination host is active or not, the firewall must also be able to let an Echo Reply pass. But be careful: ICMP packets must be subjected to DPI, that is, they must be consistent with the specifications of the packet. If an ICMP packet passed through the incoming/outgoing firewall and there was malware on one or more hosts inside your network, those hosts could acquire commands from a C&C server and exfiltrate information to that server. In general, I don't think it's wise to use it on border routers, but for internal network diagnostics, yes.