Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Disabling ICMP

Posted on 2014-03-18
4
Medium Priority
?
507 Views
Last Modified: 2014-05-07
Would like to know if disabling ICMP across all devices in network is a worth while exercise
0
Comment
Question by:IT Department
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 18

Accepted Solution

by:
Akinsd earned 1500 total points
ID: 39937345
It could be but impact depends on network needs.

You can't disable it perse but can block the traffic.
Be aware that pings, traceroutes etc would not work if ICMP (Internet Control Message Protocol) traffic is block across the network.

See the following from Wikipedia
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol


Control messages[edit]

Notable control messages[4][5]


Type

Code

Description

0 – Echo Reply[3]:14 0 Echo reply (used to ping)
1 and 2  Reserved
3 – Destination Unreachable[3]:4 0 Destination network unreachable
1 Destination host unreachable
2 Destination protocol unreachable
3 Destination port unreachable
4 Fragmentation required, and DF flag set
5 Source route failed
6 Destination network unknown
7 Destination host unknown
8 Source host isolated
9 Network administratively prohibited
10 Host administratively prohibited
11 Network unreachable for TOS
12 Host unreachable for TOS
13 Communication administratively prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect
4 – Source Quench 0 Source quench (congestion control)
5 – Redirect Message 0 Redirect Datagram for the Network
1 Redirect Datagram for the Host
2 Redirect Datagram for the TOS & network
3 Redirect Datagram for the TOS & host
6  Alternate Host Address
7  Reserved
8 – Echo Request 0 Echo request (used to ping)
9 – Router Advertisement 0 Router Advertisement
10 – Router Solicitation 0 Router discovery/selection/solicitation
11 – Time Exceeded[3]:6 0 TTL expired in transit
1 Fragment reassembly time exceeded
12 – Parameter Problem: Bad IP header 0 Pointer indicates the error
1 Missing a required option
2 Bad length
13 – Timestamp 0 Timestamp
14 – Timestamp Reply 0 Timestamp reply
15 – Information Request 0 Information Request
16 – Information Reply 0 Information Reply
17 – Address Mask Request 0 Address Mask Request
18 – Address Mask Reply 0 Address Mask Reply
19  Reserved for security
20 through 29  Reserved for robustness experiment
30 – Traceroute 0 Information Request
31  Datagram Conversion Error
32  Mobile Host Redirect
33  Where-Are-You (originally meant for IPv6)
34  Here-I-Am (originally meant for IPv6)
35  Mobile Registration Request
36  Mobile Registration Reply
37  Domain Name Request
38  Domain Name Reply
39  SKIP Algorithm Discovery Protocol, Simple Key-Management for Internet Protocol
40  Photuris, Security failures
41  ICMP for experimental mobility protocols such as Seamoby [RFC4065]
42 through 255  Reserved
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39937392
What would be the purpose of disabling it?
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39937413
Great question.

It could be but impact depends on network needs.

Means you don't want any of the listed traffic to traverse your network. In as much as this is rarely implemented globally on a network, it is still an option if any engineer wants to pursue that.

Common practice is to block icmp traffic on public interfaces or sensitive devices to prevent replies to untrusted requesters.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39938503
Just blocking all ICMP is becoming a bad practice, as for IPv4 you're just making debugging (and hence hacking) problematic, but IPv6 operation depends on ICMP a great deal.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question