The Power of PING

Ping is a network tool built on the ICMP protocol that tests the reachability of network devices within an IP (Internet Protocol) environment.  In addition to determining whether a device is accessible or alive, it also measures the round-trip time for messages sent from an originating device to a destination device and echoed back to the original device.

There are debates over whether network administrators should block ICMP or not.  Those in favor of blocking point to one key hallmark of any security best practice, “depth in defense”: a military strategy term that works on the premise that as an incursion progresses, resources are consumed (in the cybersecurity world, that resource is TIME) and progress is slowed until it is halted and turned back.  In fact, depth in defense is a technique that is encouraged by the North American Electric Reliability Corporation (NERC), the body for protecting our electric critical infrastructure.

By blocking ICMP, you eliminate the ability to perform an ICMP sweep, which essentially involves sending a series of ICMP request packets to the target network range and inferring from the list of ICMP replies whether certain hosts are alive and connected to the target’s network for further probing. This is not so much an attack as it is reconnaissance to better understand the environment and attack surface.  By gathering information quickly about the network layout, an attacker is then able to plan an attack approach and choose the techniques and tools for a later attack.  By not providing attackers a clear network map, you are essentially blinding the attackers to your network, increasing the time it would take to plan an attack; sort of like playing Rogue in 1980.  It is an attack scenario that very much could have played out in 2019, when Russian hackers got into the North American electric grid and were able to penetrate from the utilities’ firewall all the way through to the control network deep inside the network.

Rogue: 1980 – Like being blind in a network

ICMP also plays a critical role in network performance, particularly in Path MTU Discovery (PMTUD).  PMTUD determines the max transmission size between two devices on an IP network, with the goal of avoiding IP fragmentation. By determining the max MTU size, IP fragmentation can reduce the size of the packets to pass through the bottleneck, which are then re-assembled by the receiving host without losing packets.  By blocking ICMP, you are also blocking the error messages that are necessary for proper PMTUD operation.  This can result in connections that complete the TCP three-way handshake correctly but then hang when data is transferred, thus degrading performance.

This puts network administrators in a conundrum.  Damned if you do, damned if you don’t.  So what are the options?  Disabling Echo Request and Echo Reply (IPv4: Echo Request (Type 8, Code 0) and Echo Reply (Type 0, Code 0); IPv6: Echo Request (Type 128, Code 0) and Echo Reply (Type 129, Code 0)) will stop the ping sweeps, and enabling Fragmentation Needed and Packet Too Big (IPv4: Type 3, Code 4; IPv6: Type 2, Code 0) will allow for PMTUD.
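
The type/code split above, as an added Python example that is not part of the original post: it classifies raw ICMP and ICMPv6 headers under that policy and pulls out the next-hop MTU that the allowed error messages carry for PMTUD. The function name, the `unspecified` result for message types the post does not cover, and the sample packets are assumptions constructed for illustration.

```python
import struct

# Policy from the post, keyed by (IP version, ICMP type, ICMP code).
DROP_ECHO = {(4, 8, 0), (4, 0, 0), (6, 128, 0), (6, 129, 0)}
ALLOW_PMTUD = {(4, 3, 4), (6, 2, 0)}


def classify(ip_version: int, icmp: bytes):
    """Return (action, reason, next_hop_mtu) for one raw ICMP/ICMPv6 message."""
    if len(icmp) < 8:
        return ("drop", "truncated header", None)
    # Common 8-byte layout: type, code, checksum, then one 32-bit word
    # whose meaning depends on the message type.
    icmp_type, code, _checksum, rest = struct.unpack("!BBHI", icmp[:8])
    key = (ip_version, icmp_type, code)
    if key in DROP_ECHO:
        return ("drop", "echo (ping sweep)", None)
    if key in ALLOW_PMTUD:
        # IPv4 Fragmentation Needed: MTU is the low 16 bits (RFC 1191).
        # IPv6 Packet Too Big: MTU is the full 32-bit word (RFC 4443).
        mtu = rest & 0xFFFF if ip_version == 4 else rest
        return ("allow", "PMTUD", mtu)
    # The post gives no rule for other types; leave that to site policy.
    return ("unspecified", "not covered by the post", None)


# Constructed sample headers (checksums zeroed; they are not validated here).
SAMPLES = [
    (4, struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)),    # IPv4 Echo Request
    (4, struct.pack("!BBHHH", 3, 4, 0, 0, 1400)),      # IPv4 Frag Needed
    (6, struct.pack("!BBHHH", 129, 0, 0, 0x1234, 1)),  # IPv6 Echo Reply
    (6, struct.pack("!BBHI", 2, 0, 0, 1280)),          # IPv6 Packet Too Big
    (4, struct.pack("!BBHI", 11, 0, 0, 0)),            # IPv4 Time Exceeded
]

if __name__ == "__main__":
    for version, packet in SAMPLES:
        print(f"IPv{version} type={packet[0]} code={packet[1]} ->",
              classify(version, packet))
```
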

Instead of just blocking all ICMP, break out the parts that help with security from the parts that help with performance – then you can experience the True Power of PING!
