North American Network Operators Group


Re: ICMP Blocking Woes

  • From: Crist Clark
  • Date: Mon Sep 29 13:08:07 2003

CA Windon wrote:
> 
> Dear NANOG-ers,
> 
> I work for an information security company that is
> dependent upon ICMP for network mapping purposes
> (read: traceroute).  On or about August 18, we were
> told, our upstream provider began blocking ICMP
> packets at its border in the Chicago NAP in an effort
> to cut down on the propagation of 'MSBlast'.  This has
> affected our ability to accurately map our customers'
> networks.
> 
> We've been in contact with an engineer in this
> provider's NOC who is either unable or unwilling to
> remove this ACL for our block of IPs.
> 
> Currently, we've been given two options.  (1) Deal
> with the effect of the ACL until 'MSBlast' traffic
> subsides, or (2) they are willing to reroute our
> traffic out of the Chicago NAP to a border router
> that, they claim, does not have the same ACL.  The
> problem with option 2 is that they would force us to
> renumber.  This is a problem for us, as it would
> impact our customers as well.
> 
> What options can I take to my management that would
> cause the least impact to the services we provide
> while not causing undue work for our clients?  Also,
> what other options could I suggest to my upstream
> provider?

Blocking ICMP in no way slows or prevents the propagation of MSBlaster.
ICMP echo requests and responses are, however, a byproduct of the 
Welchia/Nachi worm and blocking this traffic will prevent the worm's
spread.

Tell your ISP it need _at most_ block ICMP echoes. If they are blocking
ICMP unreachables, which would break your traceroutes, they have broken
the Internet Protocol. (Period.) One can even be more specific about 
blocking ICMP echo requests of a certain, atypical size to stop the Welchia
pings while letting other ICMP pass. See the list archives for detailed
instructions for how to do this for a variety of router platforms.
-- 
Crist J. Clark                               [email protected]
Globalstar Communications                                (408) 933-4387

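An added example, not from the thread, of the narrower policy Crist describes, written as a Python classifier over raw IPv4/ICMP bytes: ICMP unreachables and time-exceeded messages (which traceroute depends on) are always permitted, and only echo requests carrying the worm's atypical payload size are denied. The 64-byte payload (a 92-byte IP datagram), the addresses and the function names are assumptions chosen for the example, not values stated in the thread.

```python
import struct

ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Assumption (not stated in the thread): the worm's echo requests carry a
# 64-byte payload after the 8-byte ICMP header, 92 bytes of IP datagram in
# total. Treat this as a placeholder to tune against observed traffic.
WORM_ECHO_PAYLOAD_LEN = 64


def parse_ipv4_icmp(pkt: bytes):
    """Return (ip_proto, icmp_type, icmp_payload_len) for a raw IPv4 datagram.

    For non-ICMP packets icmp_type and icmp_payload_len are None.
    """
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if proto != 1:                        # 1 = ICMP
        return proto, None, None
    icmp = pkt[ihl:total_len]
    return proto, icmp[0], len(icmp) - 8  # type byte, payload after 8-byte header


def acl_decision(pkt: bytes) -> str:
    """Apply the narrow filter: deny only worm-sized echo requests."""
    proto, icmp_type, payload_len = parse_ipv4_icmp(pkt)
    if proto != 1:
        return "permit"                   # policy only concerns ICMP
    if icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "permit"                   # traceroute and PMTU discovery need these
    if icmp_type == ICMP_ECHO_REQUEST and payload_len == WORM_ECHO_PAYLOAD_LEN:
        return "deny"
    return "permit"                       # ordinary pings and everything else pass


def build_ipv4_icmp(icmp_type: int, payload: bytes) -> bytes:
    """Construct a sample IPv4+ICMP datagram (checksums left zero; not verified)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp
```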