Solved

Disabling ICMP

Posted on 2014-03-18
4
472 Views
Last Modified: 2014-05-07
Would like to know if disabling ICMP across all devices in network is a worth while exercise
0
Comment
Question by:IT Department
  • 2
4 Comments
 
LVL 18

Accepted Solution

by:
Akinsd earned 500 total points
Comment Utility
It could be but impact depends on network needs.

You can't disable it perse but can block the traffic.
Be aware that pings, traceroutes etc would not work if ICMP (Internet Control Message Protocol) traffic is block across the network.

See the following from Wikipedia
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol


Control messages[edit]

Notable control messages[4][5]


Type

Code

Description

0 – Echo Reply[3]:14 0 Echo reply (used to ping)
1 and 2  Reserved
3 – Destination Unreachable[3]:4 0 Destination network unreachable
1 Destination host unreachable
2 Destination protocol unreachable
3 Destination port unreachable
4 Fragmentation required, and DF flag set
5 Source route failed
6 Destination network unknown
7 Destination host unknown
8 Source host isolated
9 Network administratively prohibited
10 Host administratively prohibited
11 Network unreachable for TOS
12 Host unreachable for TOS
13 Communication administratively prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect
4 – Source Quench 0 Source quench (congestion control)
5 – Redirect Message 0 Redirect Datagram for the Network
1 Redirect Datagram for the Host
2 Redirect Datagram for the TOS & network
3 Redirect Datagram for the TOS & host
6  Alternate Host Address
7  Reserved
8 – Echo Request 0 Echo request (used to ping)
9 – Router Advertisement 0 Router Advertisement
10 – Router Solicitation 0 Router discovery/selection/solicitation
11 – Time Exceeded[3]:6 0 TTL expired in transit
1 Fragment reassembly time exceeded
12 – Parameter Problem: Bad IP header 0 Pointer indicates the error
1 Missing a required option
2 Bad length
13 – Timestamp 0 Timestamp
14 – Timestamp Reply 0 Timestamp reply
15 – Information Request 0 Information Request
16 – Information Reply 0 Information Reply
17 – Address Mask Request 0 Address Mask Request
18 – Address Mask Reply 0 Address Mask Reply
19  Reserved for security
20 through 29  Reserved for robustness experiment
30 – Traceroute 0 Information Request
31  Datagram Conversion Error
32  Mobile Host Redirect
33  Where-Are-You (originally meant for IPv6)
34  Here-I-Am (originally meant for IPv6)
35  Mobile Registration Request
36  Mobile Registration Reply
37  Domain Name Request
38  Domain Name Reply
39  SKIP Algorithm Discovery Protocol, Simple Key-Management for Internet Protocol
40  Photuris, Security failures
41  ICMP for experimental mobility protocols such as Seamoby [RFC4065]
42 through 255  Reserved
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
What would be the purpose of disabling it?
0
 
LVL 18

Expert Comment

by:Akinsd
Comment Utility
Great question.

It could be but impact depends on network needs.

Means you don't want any of the listed traffic to traverse your network. In as much as this is rarely implemented globally on a network, it is still an option if any engineer wants to pursue that.

Common practice is to block icmp traffic on public interfaces or sensitive devices to prevent replies to untrusted requesters.
0
 
LVL 17

Expert Comment

by:TimotiSt
Comment Utility
Just blocking all ICMP is becoming a bad practice, as for IPv4 you're just making debugging (and hence hacking) problematic, but IPv6 operation depends on ICMP a great deal.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Create remote access home server 4 82
wifi not working 3 44
Allow X-Forwarded-For Headers to Site or No? 3 45
ost file to pst 10 49
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now