
Blocking Icmp Requests


rishi


Hi,

I'm sort of in the process of educating myself into the technical details of networking and the related protocols. My books tell that ICMP means "Internet Control Message Protocol" and that tools such as 'ping' and 'traceroute' belong here under.... meaning that ICMP deals with the very basic parts of communication and connectivity.

Now, I have a router with built in firewall that logs any remote access attempt. The logs show a lot of these lines (3-4 per minute):

Remote access denied: ICMP(type:0, code:0) x.y.z.62 x.y.z.87 ACCESS BLOCKED

x.y.z.62 is labeled 'source' and x.y.z.87 (my fixed IP) is labeled 'destination'. xyz is the same in both IPs. For these particular entries the only sources are x.y.z.62 and another x.y.z.53.

I sort of suspect these "attacks" aren't but some equipment at my ISP making noise, but there could be more to it? Could I miss out on some available services, by not responding? What exactly is this ICMP(type:0, code:0)?

Just curious.


My ISP pings me every few minutes to see if I am still there.

If there is no response my connection and map to an external IP address gets dropped.

That may be what is happening to you.

If you block these requests you may have trouble connecting.

No problem in trying, as long as you realise the implications and can set it back again, if required.

Remember, one change at a time, unless you are an expert. :o


Type 0 are icmp echo requests. Basically the packets sent out from a command line ping. There are other types of icmp packets mostly used by routers to signal each other.

Full List here

Blocking them is fine, it's the default in Windows XP firewall with SP2 now. Really annoying when you're trying to troubleshoot a network.

Sounds like your ISP has some script that regularly checks customer connectivity with a ping, maybe for accounting or reporting purposes?


If it comes from x.y.z.62, I would assume it is another subscriber trying to ping your machine; if it was x.y.z.1 or x.y.a.b, it could be from the ISP. That other user could be manually doing it, have a virus/bot, etc.

Keep blocking it from your firewall, and only un-block it if you are trying to do diagnostics. (Just remember that you need to do that step when you have problems!)

The reason it is blocked is because some equipment is susceptible to a "ping-flood" attack, which could allow someone to take control of your router.

All firewall software blocks incoming ICMP requests by default, and with NAT the router can block incoming ICMP from WAN to LAN.

So, it's right and must not give any problem.

With tot goldcyber, ji-net or tt et maxnet never a problem, but I remember last year with True I had a sort of problem.

True tries every few minutes to send you ICMP packets.

Edited by giulio

I've got all my ICMP packets blocked at my router. No problems when using True.

/edit - Forgot to mention I've got BitTorrent running 24/7, so I'm always looking active regardless.

Edited by Insight

Thanks,

Excellent info on this thread. I haven't noticed any kind of problem by having it blocked, either. The router actually was provided and configured by my ISP - so I guess if they had some plans (and knew what they were doing) they'd have opened a passway.

The list of icmp-codes is handy.. I'd get very suspicious if someone requested the domain name and address mask of my local lan, which isn't supposed to provide public services.


ICMP destination unreachable (type=3) is absolutely necessary to the proper operation of TCP connections.

Blocking it (incoming) breaks an essential mechanism called path MTU discovery. In most cases, the effect is the apparent 'hanging' of TCP connections (half-loaded web page or blank browser with logo spinning forever) with some sites or even some parts of a site.

It may just cause TCP connections to slow down (because the computer will fallback to a smaller MTU).

Blocking all ICMPs is a very common newbie network administrator mistake and unfortunately some of the folks working at TOT/CAT etc. haven't figured it yet.

Note: this has nothing to do with blocking PINGs. They use a different ICMP type.

A sample page with the gory details:

http://www.netheaven.com/pmtu.html

Googling for "icmp filtering path mtu discovery" will give a gadzillion hits.

--Lannig
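
An added example, not written by any poster in this thread: a small Python parser for the router log format quoted in the first post. It names each blocked ICMP type/code per RFC 792 and flags blocked type 3 code 4 messages, the ones path MTU discovery depends on. Only the first sample line comes from the thread; the other lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# (type, code) names per RFC 792 and RFC 1191; only the values used below.
ICMP_NAMES = {
    (0, 0): "echo reply",
    (8, 0): "echo request",
    (3, 4): "destination unreachable, fragmentation needed",
}

# Router log format as quoted in the first post of the thread.
LOG_RE = re.compile(
    r"ICMP\(type:(\d+),\s*code:(\d+)\)\s+(\S+)\s+(\S+)\s+ACCESS BLOCKED"
)

# First line is from the thread; the remaining lines are constructed input.
SAMPLE_LOG = """\
Remote access denied: ICMP(type:0, code:0) x.y.z.62 x.y.z.87 ACCESS BLOCKED
Remote access denied: ICMP(type:0, code:0) x.y.z.53 x.y.z.87 ACCESS BLOCKED
Remote access denied: ICMP(type:0, code:0) x.y.z.62 x.y.z.87 ACCESS BLOCKED
Remote access denied: ICMP(type:8, code:0) 192.0.2.10 x.y.z.87 ACCESS BLOCKED
Remote access denied: ICMP(type:3, code:4) 198.51.100.7 x.y.z.87 ACCESS BLOCKED
"""

def parse_line(line):
    """Return (type, code, source, destination), or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)

def summarize(lines):
    """Count blocked messages per (type, code, source)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec[:3]] += 1
    return counts

def name_of(icmp_type, code):
    return ICMP_NAMES.get((icmp_type, code), f"type {icmp_type} code {code}")

def breaks_pmtud(counts):
    """True if the firewall dropped any 'fragmentation needed' message."""
    return any((t, c) == (3, 4) for t, c, _src in counts)

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG.splitlines())
    for (t, c, src), n in counts.most_common():
        print(f"{n:3d}  {src:15s} {name_of(t, c)}")
    if breaks_pmtud(counts):
        print("warning: type 3 code 4 is being blocked; path MTU discovery will fail")
```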

"apparent 'hanging' of TCP connections (half-loaded web page or blank browser with logo spinning forever)

with some sites or even some parts of a site."

I thought that's the normal IPStar service.
