Blog

ICMP blocking, bad idea or security improvement? (2006/07/16 11:58)

Are you invisible to hackers on the Internet? Does your personal firewall hide your computer on the network? Many personal firewalls implement a feature that is supposed to hide your computer on the network. You may wonder how this works, but have you ever thought about what this feature is actually good for?

From what can be seen on many boards across the Internet, it is clear that many users think that enabling such a feature improves the security of their computer. Let's have a look at the technical side of this feature and shed some light on its real security impact.

To understand how this works we need some basic knowledge about networking. There are many network protocols. The one best known to the public is probably TCP, which carries services such as email and web sites. Another well-known protocol is UDP, used for example by the Domain Name System and for streaming. Both run on top of IP. A further protocol, ICMP, is carried inside IP datagrams but is not a transport protocol like TCP or UDP; it is treated as part of the IP layer itself. ICMP carries diagnostic and control messages: Echo Request and Echo Reply (ping), Destination Unreachable, Time Exceeded and a few others.

Now, how is this connected with the invisibility feature of personal firewalls? In fact, the only thing these firewalls do to "hide" your computer is to stop it answering ICMP, usually by silently dropping inbound ICMP messages. One ICMP message is the Echo Request, better known as ping; a host that receives it is expected to answer with an Echo Reply that carries back the same identifier, sequence number and payload. Ping is used to determine whether some host on the network is alive. When your firewall is set to hide your computer, it simply drops Echo Requests, so from the outside your computer does not appear to be up.

Is this a security improvement? No. In fact, dropping ICMP can only cause problems; the most visible one is that a host which drops all inbound ICMP never receives Destination Unreachable / Fragmentation Needed messages (type 3, code 4), so Path MTU Discovery fails and large transfers stall. At the time of writing there is no publicly known, unpatched bug in the ICMP handling of current versions of the major operating systems, Microsoft Windows included. A standard Echo Reply contains nothing but the data the sender put into the request, so answering ping correctly leaks no sensitive information. Moreover, RFC 1122, the Internet host requirements standard, says that every host MUST implement an ICMP Echo server that answers Echo Requests. As mentioned above, ICMP is just a protocol for diagnostic and control purposes. Nor is it true that with ICMP disabled you cannot become the target of Internet malware: attacking software is usually written to probe services on their TCP and UDP ports directly, without first checking whether the host is alive with a ping.

Another argument heard on the web is that using ICMP an attacker can detect which OS you are running, and thus responding to ICMP is dangerous. This argument does not hold up. First it helps to know how remote OS detection works. A comprehensive document about remote OS detection techniques is available on the site of the makers of the well-known network tool Nmap. It explains that the technique sends a series of probes to the target's TCP/IP stack, mostly to open and closed TCP ports (with some UDP and ICMP probes), and compares the responses against a fingerprint database; Nmap itself warns that it needs at least one open and one closed TCP port to produce a reliable result. A machine with no TCP or UDP ports open that merely answers ping gives away little more than a coarse hint, such as the initial TTL of its replies, not a reliable OS match. And even if your operating system is identified, that is not a security problem in itself: unless there is a vulnerable service on your system, the information is useless to the attacker.
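The exchange described in the preceding paragraphs, and the OS-detection point just made, as an added example that is not part of the original article: a pure-Python model of what a host's ICMP Echo handler does with a ping (RFC 792 message layout, RFC 1071 checksum) and of the one coarse hint a reply does carry. No raw sockets or network access are used; the request bytes are constructed in the script, and the function and constant names are ours.

```python
"""Added example (not code from the original article): what an ICMP Echo
exchange actually carries. Builds an Echo Request the way a ping client
does, builds the Echo Reply a host sends per RFC 792 / RFC 1122, and shows
the one coarse hint a remote observer can take from such a reply.
Pure Python, no network access, no raw sockets; all inputs are constructed."""
import struct
from typing import Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"  # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's-complement
    sum of all 16-bit words (an odd trailing byte is padded with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum (code is always 0
    for Echo Request and Echo Reply)."""
    header = struct.pack(HEADER_FMT, msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into its fields. A message whose checksum is
    correct sums to 0 when the checksum field itself is included."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    msg_type, code, _csum, ident, seq = struct.unpack(HEADER_FMT, packet[:8])
    return {
        "type": msg_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "payload": packet[8:],
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def host_echo_reply(request: bytes) -> Optional[bytes]:
    """What a host's ICMP handler does with an Echo Request (RFC 792; RFC 1122
    section 3.2.2.6 requires every host to implement this): flip the type to
    Echo Reply, copy identifier, sequence and payload back unchanged, and
    recompute the checksum. Nothing about the host itself goes into the reply.
    A firewall in "stealth mode" simply never lets the request reach here."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST or req["code"] != 0 or not req["checksum_ok"]:
        return None  # not a ping, or corrupted in transit: silently ignored
    return build_icmp(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def initial_ttl_hint(observed_ttl: int) -> int:
    """The coarse OS hint an Echo Reply does leak, from the IP header rather
    than from ICMP itself: each router decrements TTL by one, so rounding the
    received value up to the next common initial TTL (32, 64, 128, 255)
    suggests which stack sent it. It is a guess about the platform, not a
    vulnerability, and far weaker than Nmap's port-based fingerprint."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must fit in one byte")
    return next(c for c in (32, 64, 128, 255) if observed_ttl <= c)


if __name__ == "__main__":
    # Constructed ping: identifier 0x1234, sequence 1, and the 32-byte payload
    # that the Windows ping client sends by default.
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"
    request = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, payload)
    reply = host_echo_reply(request)
    print("request:", parse_icmp(request))
    print("reply:  ", parse_icmp(reply))
    print("TTL 117 observed -> initial TTL probably", initial_ttl_hint(117))
```

Compare the parsed request and reply: apart from the type byte and the recomputed checksum, the reply is a byte-for-byte copy of what the pinging side sent, which is why a correct Echo Reply cannot disclose anything about the host. The TTL heuristic is the most an observer gets from ping alone, and it is a platform guess, not a foothold.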

If we weigh the pros and cons of ICMP we must conclude that disabling it is a bad idea. Simply look at the big servers on the Internet. Are they pingable or not? Some are and some are not. If answering ping were a security flaw, you would not be able to ping google.com or yahoo.com.
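The same choice expressed as firewall rules, as an added example that is not from the original article (which discusses Windows personal firewalls): a Linux nftables ruleset for a host, first in "stealth mode" form and then in the RFC 1122 form. The two tables are alternatives; load one or the other, never both. Table and chain names are ours; the ICMP type names are nftables' own.

```nftables
# Alternative (a): "stealth mode". Every ICMP message is dropped before the
# connection-tracking rule can see it, so besides not answering ping the host
# never receives Destination Unreachable / Fragmentation Needed (type 3 code 4):
# Path MTU Discovery black-holes large TCP segments and transfers stall.
table inet stealth_host {
    chain input {
        type filter hook input priority 0; policy drop;
        meta l4proto icmp drop
        meta l4proto ipv6-icmp drop
        ct state established,related accept
        iif lo accept
        # rules for the host's own services go here
    }
}

# Alternative (b): RFC 1122 host. Echo Requests are answered, rate-limited so
# a ping flood cannot keep the CPU busy, and the error messages that TCP/IP
# itself depends on are accepted. With connection tracking, ICMP errors that
# belong to our own connections already match "related"; the rules below add
# ping and the few types a host should accept unsolicited.
table inet rfc_host {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        icmp type echo-request limit rate 10/second accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        # IPv6 does not work at all without ICMPv6: neighbour discovery,
        # router advertisements and Packet Too Big (its PMTUD) all ride on it.
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-router-advert } accept
        # rules for the host's own services go here
    }
}
```

Load the chosen table with nft -f and inspect it with nft list ruleset. The practical check for alternative (a) is a large download from a path with a smaller MTU somewhere in the middle: the TCP handshake and small requests succeed, large segments never arrive, and nothing in the firewall log explains why. The rate limit in (b) is a policy choice, not a requirement; its job is to bound the cost of answering, not to hide the host.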

We also found some online firewall tests. The first was ShieldsUP!, another Sygate's Quickscan (which no longer exists; it has been integrated into Symantec Security Check). One part of the first scan produced this message:

Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.

The second test also reported a warning about allowed ICMP:

An ICMP ping request is usually used to test Internet access. However, an attacker can use it to determine if your computer is available and what OS you are running. This gives him valuable information when he is determining what type of attack to use against you.

As argued above, these warnings are misleading: answering ping neither reveals sensitive information nor makes an attack possible that was not possible already. On the other hand, there are scanners, such as the four tests on HackerWatch, that do not treat enabled ICMP as a security problem.