<snip>
Also it is required to smack all network admins who shut down ICMP and
then wonder why server admins are cranky.
</snip>
Amen! Alleluia!
Someone, a long time ago, in the infancy of the internet, published
something that pings and whatnot can be used as part of a denial of
service attack. Maybe, in the hands of a completely incompetent network
admin. However I wish this was now banned from the list of "best
practices". As much as certain people despise the NRA you would have
thought they would have used that to do such an attack on nra.org. No
political comments please. I simply used them as an example of a prime
target.
Gee acknowledging ping is also considered a risk because doing so lets
people know they hit a valid target. <sarcasm> In that case you should
probably also block http, https, telnet (also used by email) and any other
form of internet communication. </sarcasm>
<snip>
There used to be security holes in some widespread TCP/IP implementations,
where a malformed Ping request could crash a machine (the "ping of
death"). But these were duly patched during the previous century, and are
no longer a concern.
...
It is common practice to disable or block Ping on publicly visible servers
-- but being common is not the same as being recommended. www.google.com
responds to Ping requests; www.microsoft.com does not. Personally, I would
recommend letting all ICMP pass for publicly visible servers.
Some ICMP packet types MUST NOT be blocked, in particular the "destination
unreachable" ICMP message, because blocking that one breaks path MTU
discovery,...
</snip>
https://security.stackexchange.com/questions/4440/security-risk-of-ping
<snip>
Ping has been considered a security risk because merely acknowledging a
host's presence turns it into a potential target. For these reasons, many
systems provide means to disable the reply,[7][11] despite the fact that
RFC 1122 mandates hosts to always send a reply.
</snip>
https://en.wikipedia.org/wiki/Ping_(networking_utility)
Rob Berendt
midrange.com
