Knowledgebase: Novohit English
Enable PING ICMP Echo Protocol on Private Cloud Servers

The ICMP Echo protocol (usually known as "Ping") is mostly harmless. Its main security-related issues are:

  1. Requests carrying a forged source address ("spoofing") can make a target machine send packets to a third host that never asked for them.
    Solution: Note that a Ping reply is no larger than the corresponding request, so there is no amplification: reflecting Ping through a server gives the attacker no extra bandwidth in a denial-of-service attack. It may still help the attacker hide the true origin of the traffic, which is why rate-limiting echo requests (rather than dropping them) is a reasonable precaution.

  2. Honored Ping requests can yield information about the internal structure of a network (which addresses are live).
    Solution: This is not relevant to publicly visible servers, since those are already publicly visible.

  3. There used to be security holes in some widespread TCP/IP implementations where a malformed Ping request could crash a machine (the "ping of death").
    Solution: These were duly patched during the previous century and are no longer a concern on a system that receives normal operating-system updates.

It is common practice to disable or block Ping on publicly visible servers -- but being common is not the same as being recommended. www.google.com responds to Ping requests; www.microsoft.com does not.

Novohit & hotelRSV strongly recommend, and in some cases require, letting all ICMP pass on publicly visible servers, since we use Ping to detect the status of deployed Novohit instances in order to guarantee services such as updates, operational/technical support and data sync.

Some ICMP packet types MUST NOT be blocked, in particular the "destination unreachable" message (type 3; the code that matters here is 4, "fragmentation needed"), because blocking it breaks path MTU discovery: the server never learns that its full-size packets do not fit along the path and keeps resending them. The symptom is that DSL users behind a PPPoE layer (which restricts the MTU to 1492 bytes) cannot access Web sites that block those packets, unless they use the Web proxy provided by their ISP. The same applies to "time exceeded" (needed by traceroute) and, on IPv6, to ICMPv6 "packet too big", which plays the role of fragmentation-needed; Neighbor Discovery also runs over ICMPv6, so blanket-blocking ICMPv6 breaks basic connectivity.
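As an added example (not Novohit's, hotelRSV's, or this page's own configuration), the following shell script builds Linux iptables/ip6tables rulesets that implement the policy of the two paragraphs above: echo requests are answered but rate-limited, and the ICMP error types that path MTU discovery and traceroute rely on are accepted explicitly. The open TCP ports, the echo-request rate (20/s, burst 50) and the function names are assumptions chosen for the example; the audit function checks a ruleset in iptables-restore format rather than the live kernel, so it can be run on a rule file before loading it.

```shell
#!/bin/sh
# Added example, not Novohit's or hotelRSV's own configuration.
# Emits iptables-restore / ip6tables-restore rulesets for a public server
# that answers Ping (rate-limited) and never blocks the ICMP error types
# that path MTU discovery depends on. Ports and rates are placeholders.

icmp_v4_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Answer echo requests, but cap the rate so a flood cannot tie up the host.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 50 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# Error types that MUST pass. conntrack's RELATED state already matches errors
# tied to a tracked flow; these explicit rules make the policy independent of
# that and document the intent (fragmentation-needed is destination-unreachable).
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

icmp_v6_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 20/second --limit-burst 50 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j DROP
# packet-too-big is the IPv6 equivalent of fragmentation-needed; the
# Neighbor Discovery types are required for IPv6 to work at all.
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Audit an IPv4 ruleset read from stdin (iptables-restore format). Fails
# unless echo-request and destination-unreachable are accepted in INPUT and
# no blanket "-p icmp -j DROP/REJECT" appears before the unreachable rule.
check_icmp_ruleset() {
    awk '
        /^-A INPUT -p icmp --icmp-type echo-request .*-j ACCEPT/         { ok_echo = 1 }
        /^-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT/ { ok_unreach = 1 }
        /^-A INPUT -p icmp -j (DROP|REJECT)/ && !ok_unreach {
            print "blanket ICMP drop precedes destination-unreachable accept"; bad = 1
        }
        END {
            if (!ok_echo)    { print "echo-request is not accepted"; bad = 1 }
            if (!ok_unreach) { print "destination-unreachable is not accepted"; bad = 1 }
            exit bad
        }'
}

# Load both rulesets atomically; refuses to run without root or the tools.
apply_icmp_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    command -v iptables-restore >/dev/null && command -v ip6tables-restore >/dev/null \
        || { echo "iptables-restore/ip6tables-restore not found" >&2; return 1; }
    icmp_v4_rules | check_icmp_ruleset || return 1
    icmp_v4_rules | iptables-restore
    icmp_v6_rules | ip6tables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_icmp_rules
fi
```

Run it as `sh icmp-rules.sh apply` on the server (as root) to load the rules, or pipe an existing `iptables-save` dump into `check_icmp_ruleset` to find out whether a current firewall would break Ping or path MTU discovery before touching it. The default policy is DROP, so anything not listed (including other ICMP types) is still discarded; the point is that the types the page names are accepted before any catch-all.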