<div dir="ltr">Follow-up question:<div><br></div><div>ICMP can be used for DoS. Cool.<div><br></div><div>How does Google battle that? All Google services are pingable (which is very cool, obviously).</div><div><br>
</div><div>How do they protect against the attack? Surely there are enough script kiddies that constantly try to DoS Google.</div><div><br></div><div><br><br><div class="gmail_quote">2010/10/19 shimi <span dir="ltr"><<a href="mailto:linux-il@shimi.net">linux-il@shimi.net</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div dir="ltr">See inline,<br><br><div class="gmail_quote"><div class="im">On Tue, Oct 19, 2010 at 7:23 PM, Ron Varburg <span dir="ltr"><<a href="mailto:linux-il@hotmail.com" target="_blank">linux-il@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<br>
<br>
A Hosting service is blocking pings from the Internet to the hosted servers.<br>
It is possible to ping from the hosted servers to anywhere on the Internet,<br>
assuming that the packets are not dropped somewhere else, of course.<br>
1. Why would the hosting service bother with such a blockage?<br></blockquote></div><div><br>Mitigating some of a Denial of Service attack. If a machine replies to an ICMP Echo DoS attack, it doubles the amount of traffic it has to handle. Since blocking ICMP Echo has no actual effect on anything besides checking if a machine is alive, they believe the benefit of not "participating" in a DoS attack outweighs the lack of ability to ping-test the machine. (Not to mention that it may be filtering just *some* of the ICMP Echo packets, and may be responding to ICMP Echo if sent from a limited set of IPs (for example a monitoring machine and/or the sysadmin's IP pool...).)<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
2. Is it reasonable to assume that more ICMP packets are blocked?<br></blockquote></div><div><br>Yes, many people block ICMP altogether, not realizing that ICMP Echo and ICMP Echo Reply are not the only types of ICMP messages, and just block any IP packet that has ICMP in it.<br>
<br></div><div class="im"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
3. What are the implications of such a blockage? In particular,<br>
assuming that each hop in a random path takes care to assure<br>
connectivity to any nearest hop, one might think that ICMP packets<br>
are not important and hardly used.<br><br></blockquote></div><div><br>The annoying ones: <br>PMTU[1] breaks. If any router / medium in the middle cannot support the client/server MTU (typically - 1500), and a packet with the DF[2] flag is sent, it will be dropped "silently" and the sender wouldn't know, and re-transmit the packet until the connection times out and dies.<br>
<br>The less annoying but non-too-interfering:<br>If a router on the way filters the packet due to some policy, or that some router on the way has a dead link for the next hop, no ICMP notifying that the host/net is unreachable will reach the client; Instead of immediately knowing that it can't connect (and with a pretty good explanation on "why"), the client would simply try to re-send a SYN packet over and over again, until it gets into "timeout" state.<br>
<br>Hope I didn't miss anything :)<br><br>HTH,<br><br>-- Shimi<br><br>[1] <a href="http://en.wikipedia.org/wiki/Path_MTU_Discovery" target="_blank">http://en.wikipedia.org/wiki/Path_MTU_Discovery</a><br></div></div>[2] Don't Fragment. See <a href="http://en.wikipedia.org/wiki/IP_fragmentation" target="_blank">http://en.wikipedia.org/wiki/IP_fragmentation</a><br>
</div>
<br>_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
<br></blockquote></div><br></div></div></div>
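As an added example (not part of the thread above), the difference between "block anything with ICMP in it" and a selective filter can be shown on constructed ICMP messages: the blanket policy also drops the Destination Unreachable / Fragmentation Needed message (type 3, code 4) that carries the next-hop MTU, which is exactly the PMTU black hole Shimi describes. The packet builder, parser and the two policy functions are illustrative code written here, not a real firewall's API.

```python
import struct

# ICMP type/code numbers from RFC 792 and RFC 1191
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_FRAG_NEEDED = 4  # "fragmentation needed and DF set"; carries next-hop MTU


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Construct an ICMP message: type, code, checksum, 32-bit 'rest of header'."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(msg: bytes) -> dict:
    """Verify the checksum and extract type/code (plus next-hop MTU for type 3/code 4)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    if icmp_checksum(msg) != 0:  # a valid message, checksum included, sums to zero
        raise ValueError("bad ICMP checksum")
    info = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        info["next_hop_mtu"] = rest & 0xFFFF  # low 16 bits of the 'unused' word (RFC 1191)
    return info


def blanket_policy(msg: bytes) -> str:
    """The 'block any IP packet that has ICMP in it' policy: drops PMTU feedback too."""
    return "DROP"


def selective_policy(msg: bytes) -> str:
    """Drop Echo Requests (the DoS reflection concern) but keep the error messages
    that TCP connection setup and Path MTU Discovery depend on."""
    info = parse_icmp(msg)
    if info["type"] in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "ACCEPT"
    return "DROP"  # Echo Request and everything else
```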