Solved

Disabling ICMP

Posted on 2014-03-18
4
485 Views
Last Modified: 2014-05-07
Would like to know if disabling ICMP across all devices in network is a worth while exercise
0
Comment
Question by:IT Department
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 18

Accepted Solution

by:
Akinsd earned 500 total points
ID: 39937345
It could be but impact depends on network needs.

You can't disable it perse but can block the traffic.
Be aware that pings, traceroutes etc would not work if ICMP (Internet Control Message Protocol) traffic is block across the network.

See the following from Wikipedia
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol


Control messages[edit]

Notable control messages[4][5]


Type

Code

Description

0 – Echo Reply[3]:14 0 Echo reply (used to ping)
1 and 2  Reserved
3 – Destination Unreachable[3]:4 0 Destination network unreachable
1 Destination host unreachable
2 Destination protocol unreachable
3 Destination port unreachable
4 Fragmentation required, and DF flag set
5 Source route failed
6 Destination network unknown
7 Destination host unknown
8 Source host isolated
9 Network administratively prohibited
10 Host administratively prohibited
11 Network unreachable for TOS
12 Host unreachable for TOS
13 Communication administratively prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect
4 – Source Quench 0 Source quench (congestion control)
5 – Redirect Message 0 Redirect Datagram for the Network
1 Redirect Datagram for the Host
2 Redirect Datagram for the TOS & network
3 Redirect Datagram for the TOS & host
6  Alternate Host Address
7  Reserved
8 – Echo Request 0 Echo request (used to ping)
9 – Router Advertisement 0 Router Advertisement
10 – Router Solicitation 0 Router discovery/selection/solicitation
11 – Time Exceeded[3]:6 0 TTL expired in transit
1 Fragment reassembly time exceeded
12 – Parameter Problem: Bad IP header 0 Pointer indicates the error
1 Missing a required option
2 Bad length
13 – Timestamp 0 Timestamp
14 – Timestamp Reply 0 Timestamp reply
15 – Information Request 0 Information Request
16 – Information Reply 0 Information Reply
17 – Address Mask Request 0 Address Mask Request
18 – Address Mask Reply 0 Address Mask Reply
19  Reserved for security
20 through 29  Reserved for robustness experiment
30 – Traceroute 0 Information Request
31  Datagram Conversion Error
32  Mobile Host Redirect
33  Where-Are-You (originally meant for IPv6)
34  Here-I-Am (originally meant for IPv6)
35  Mobile Registration Request
36  Mobile Registration Reply
37  Domain Name Request
38  Domain Name Reply
39  SKIP Algorithm Discovery Protocol, Simple Key-Management for Internet Protocol
40  Photuris, Security failures
41  ICMP for experimental mobility protocols such as Seamoby [RFC4065]
42 through 255  Reserved
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39937392
What would be the purpose of disabling it?
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 39937413
Great question.

It could be but impact depends on network needs.

Means you don't want any of the listed traffic to traverse your network. In as much as this is rarely implemented globally on a network, it is still an option if any engineer wants to pursue that.

Common practice is to block icmp traffic on public interfaces or sensitive devices to prevent replies to untrusted requesters.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39938503
Just blocking all ICMP is becoming a bad practice, as for IPv4 you're just making debugging (and hence hacking) problematic, but IPv6 operation depends on ICMP a great deal.
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question