Mark_Andrews at isc.org
Fri Sep 29 23:04:20 UTC 2006
> In article <efi6t1$1hh7$1 at sf1.isc.org>,
> Mark Andrews <Mark_Andrews at isc.org> wrote:
> > > Ping is generally a bad connection test. It uses ICMP which most firewall
> > > wi
> > > ll
> > > block.
> > Any sane firewall will accept ICMP. TCP and UDP don't
> > operate correctly if you block ICMP.
> > The only problem with ICMP/ECHO was with directed broadcasts
> > and any router purchased in the last 10 years has support
> > for directed broadcasts off by default.
> With respect there was also the ping of death,
http://insecure.org/sploits/ping-o-death.html which is a IP
problem not a ICMP problem. You could do the same with UDP,
TCP or anything else carried on IP.
> and many net admins fear
> DDoS with ping so think they should block it.
You can DDoS with any traffic you let through. ICMP is
not special here. Filtering ICMP doesn't stop you being
As I said, blocking ICMP is irrational. It doesn't really
protect anything and it breaks TCP and UDP, both of which
depend in it for correct operation. It also hinders diagnosis
of network problems.
Similarly blocking UDP/TCP traffic just on from ports is
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training at isc.org.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users