Problems with ICMP
Ping
- Don't allow incoming Echo Requests to broadcast addresses
- Consider blocking or limiting the source addresses you will accept incoming Echo Requests from.
Outgoing Destination Unreachable provides useful information to port scanners.
- Fragmentation Needed is the one ICMP 3 subtype needed for normal operation.
Do not allow Redirect except from or to your adjacent routers.
Traceroute
- Generates Time Exceeded messages from intermediate routers, and ICMP 3 Port Unreachable from the destination host.
- Consider blocking or limiting the source addresses you will accept incoming traceroute requests from.
Most ICMP messages are meant to communicate between adjacent routers. Consider blocking or limiting the source addresses you will accept most ICMP messages from.
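
The rules on this slide written as one stateless decision function. This is an added example, not part of the original slide. The addresses (documentation ranges), all names, and the choice to let Port Unreachable out to trusted sources so that their traceroutes complete are assumptions.

```python
import ipaddress

# Constructed site values from documentation address ranges (assumptions).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]   # may ping / traceroute us
ADJACENT_ROUTERS = {ipaddress.ip_address("203.0.113.1")}
BROADCASTS = {LOCAL_NET.broadcast_address,
              ipaddress.ip_address("255.255.255.255")}

ECHO_REQUEST, DEST_UNREACH, REDIRECT = 8, 3, 5        # ICMPv4 types
FRAG_NEEDED = 4                                       # code under type 3


def icmp_verdict(direction, src, dst, icmp_type, icmp_code=0):
    """Return (allowed, reason) for one ICMPv4 message at the site border.

    direction is "in" or "out". The check is stateless: replies to traffic
    the site started are assumed to be matched by connection tracking first.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    peer = src if direction == "in" else dst          # the outside party
    trusted = any(peer in net for net in TRUSTED)

    if icmp_type == REDIRECT:
        ok = src in ADJACENT_ROUTERS or dst in ADJACENT_ROUTERS
        return ok, ("redirect from/to adjacent router" if ok
                    else "redirect not involving an adjacent router")

    if icmp_type == DEST_UNREACH:
        if icmp_code == FRAG_NEEDED:
            return True, "fragmentation needed"
        if direction == "out" and not trusted:
            return False, "outgoing unreachable would inform port scanners"
        return True, "destination unreachable permitted"

    if direction == "in":
        if icmp_type == ECHO_REQUEST and dst in BROADCASTS:
            return False, "echo request to broadcast address"
        if not (trusted or src in ADJACENT_ROUTERS):
            return False, "incoming ICMP from unlisted source"
    return True, "permitted"
```
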