
I was trying to run tracert to see how bad my connection is to a particular site... but I end up with no packets all along the hops... so I messed around with my modem router and made it accept all ICMP packets, and now I can tracert properly... then I tried to go to DSLReports' 'Tweak Tester', which needs to ping my computer, and I had to allow ICMP packets through Windows Firewall for that to work too.

So I was wondering, why do firewalls block ICMP packets in the first place? Is it OK for me to leave ICMP packets open 24/7?

https://www.neowin.net/forum/topic/678868-is-icmp-dangerous/

Ping allows you to see if the host is up, so it's an easy way to see if there's a computer at an IP address. Knowing there's a computer there means you can focus on breaking into it.

And ping of death and such.

Personally I leave ICMP alone. The firewall config is the default, but it's still pretty good by default (only allow connections if they already have a relationship to my computer, so my PC has to start the communication).

Home routers/firewalls block ICMP by default because they do not pay attention to the RFCs, and some people actually think it protects them from stuff or makes their machine harder to find :rolleyes:

Can bad stuff be done with certain aspects of ICMP? Sure, but it is also required for things to function correctly. If you want to correctly secure your network, then block the bad aspects of ICMP, the parts you do not need, but allow the required portions and the stuff you want to use. ICMP is a lot more than ping ;)

Blocking type 3 ICMP can cause all kinds of connectivity issues. These are your destination unreachable, frag needed but DF set, etc. As you found out, type 11 is needed for traceroute to work -- i.e. TTL 0 during transit is kind of required to find the different hops, now isn't it ;)

I would suggest you get a router that allows you the fine control so you can do it the right way. Rate control of ICMP, for example, would protect you against an ICMP-based DoS. You would normally block fragmented ICMP, etc., etc.

A simple Google will find you all kinds of guides on what aspects of ICMP to allow and/or deny. Here is a fairly decent guide that goes over the different types and codes of ICMP, which ones to block, which to allow, etc.

http://www.daemon.be/maarten/icmpfilter.html

Here is another http://www.cymru.com/Documents/icmp-messages.html

And another http://www.bsi.bund.de/english/gshb/manual/s/s05120.htm

These are just a few examples going over the different types and codes of ICMP, what you might want to filter and what you should not, etc. There are many, many guides. But anything that tells you that you should block all ICMP is just plain asinine and will cause you way more issues than any type of protection it might provide.

I have to wonder when was the last time your home ISP connection was hit with an ICMP-based DoS ;) So what if worm X looking to exploit you can get an echo back from your public IP -- who really gives a rat's ass??? Your router/firewall is not going to allow the traffic it might try sending your way anyway.

If your router/firewall does not allow you the fine control to correctly manage what ICMP you allow or don't allow -- then allow it for sure.
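For anyone with a Linux box in front of their LAN, here is what the "fine control" version of that advice looks like as an nftables ruleset. This is an added example, not something from the thread or from any of the linked guides: it keeps the types the reply calls required (3 and 11), rate-limits echo requests instead of dropping them, drops fragmented ICMP, and leaves ICMPv6 neighbor discovery alone. The rate and burst values are assumptions; tune them for your link.

```nft
# Added example: nftables input policy for the ICMP handling discussed above.
# Assumes Linux with nftables; the rate/burst numbers are arbitrary choices.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept

        # Stateful default, as in the earlier reply: only traffic that belongs
        # to a connection this host started (or that is related to one) gets in.
        ct state established,related accept
        ct state invalid drop

        # Fragmented ICMP (first fragment with MF set, or any later fragment)
        # has no legitimate use here and is a classic abuse vector; drop it.
        ip protocol icmp ip frag-off & 0x3fff != 0 drop

        # Type 3, destination unreachable: includes code 4 (frag needed but DF
        # set), which path-MTU discovery depends on. Blocking it breaks PMTUD.
        icmp type destination-unreachable accept

        # Type 11, time exceeded: traceroute works by collecting these from
        # each hop as the TTL runs out, so it must be allowed back in.
        icmp type time-exceeded accept

        # Type 12, parameter problem: diagnostic only, harmless to accept.
        icmp type parameter-problem accept

        # Type 8, echo request: allow it, but rate-limit so an echo flood
        # cannot exhaust the box. Anything over the limit is dropped.
        icmp type echo-request limit rate 5/second burst 10 packets accept
        icmp type echo-request drop

        # Everything else (redirects, router advertisements, timestamp,
        # address mask, etc.) falls through to the chain's drop policy.

        # IPv6: ICMPv6 carries neighbor discovery and packet-too-big, so
        # blocking it wholesale breaks IPv6 outright. Allow the needed types.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-router-advert } accept
        icmpv6 type echo-request limit rate 5/second burst 10 packets accept
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`; a traceroute from the LAN and a ping from outside should both still work while an echo flood is capped at the configured rate.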
