It’s amazing how many system administrators prefer to block ICMP pings. Many don’t even remember the classic justification for it – preventing the Ping of Death, an oversized-packet attack that crashed unpatched TCP/IP stacks some 10 years ago and has long since been fixed. So perhaps they are following the least privilege principle? Well, that principle says to take away unneeded access, not useful access.
And this is where paranoia fails the admins. Ping is not a necessity but it’s bloody useful, for many reasons:
- It’s a very convenient way of checking connectivity – one that you can talk through over the phone, with an average user on the other end;
- ICMP ping with the Don’t Fragment flag set and increasing payload sizes is actually the best way to troubleshoot MTU issues, which still occur a lot (especially in organisations that use excessive arrays of redundant firewalls): the largest payload that still gets a reply tells you the path MTU;
- The protocol doesn’t create much load on the system;
- Ping monitors are a good complement to application-aware availability monitoring systems;
- And allowing ICMP ping to reach your system/network and monitoring its use is a very good basic honeypot. Every intrusion starts with exploration, and the first step of active exploration is usually a ping (as the initial host-discovery stage of nmap). On the other hand, only sysadmins, monitoring systems and other support personnel have a legitimate need to ping your servers, so echo requests from anywhere else should raise questions.
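The MTU troubleshooting point from the list, worked through in PowerShell. This is an added example, not code from the original post: it wraps ping.exe with -f (Don’t Fragment) and -l (payload size) and binary-searches for the largest payload that still gets a genuine echo reply. A reply line containing "TTL=" counts as success, while "Packet needs to be fragmented but DF set." does not. The function name, the 1472-byte starting ceiling and the 28-byte IPv4+ICMP header overhead are my assumptions for a standard 1500-byte Ethernet path; raise MaxPayload if jumbo frames are in play.

```powershell
# Added example, not the original post's code. Windows only (uses ping.exe switches).
function Find-PathMtu {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $MinPayload = 32,    # assumed to get through with DF set (ping's default size)
        [int] $MaxPayload = 1472,  # assumption: 1500-byte Ethernet MTU minus 28 bytes of headers
        [int] $Overhead   = 28     # IPv4 header (20) + ICMP header (8)
    )

    # One echo request, Don't Fragment set, 1 s timeout. Only a real reply prints "TTL=";
    # "Packet needs to be fragmented but DF set." or "Request timed out." do not.
    $probe = {
        param([int] $Size)
        [bool] ((& ping.exe -n 1 -w 1000 -f -l $Size $Target 2>&1) -match 'TTL=')
    }

    if (-not (& $probe $MinPayload)) {
        throw "$Target does not answer even a $MinPayload-byte probe; check reachability first"
    }

    # Binary search: $lo always holds a payload size that got a reply.
    $lo = $MinPayload
    $hi = $MaxPayload
    while ($lo -lt $hi) {
        $mid = [int][math]::Ceiling(($lo + $hi) / 2)
        if (& $probe $mid) { $lo = $mid } else { $hi = $mid - 1 }
    }

    [pscustomobject]@{
        Target         = $Target
        LargestPayload = $lo
        PathMtu        = $lo + $Overhead
    }
}

# Usage: Find-PathMtu -Target fileserver01
# A PathMtu of 1500 means no problem on the path; anything smaller (1472 is typical for
# PPPoE, 1400-ish for IPsec tunnels) points at the hop that needs an MTU or MSS-clamp fix.
```

Because the function only needs ping.exe and the target to answer echo requests, it is exactly the test you can run from a user's desktop over the phone once ping is allowed through the firewall.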
Allowing ping is easy. In Windows Firewall it takes one inbound rule permitting ICMPv4 type 8 (echo request).
In enterprise firewalls, that’s not much harder. So I suggest – change your defaults to allow ping!
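The Windows Firewall rule described above together with the honeypot-style monitoring from the list, as one added PowerShell example (not the original post’s screenshot and not the author’s code). It creates the inbound ICMPv4 echo-request rule, switches on logging of allowed connections in the Windows Firewall log, and then parses pfirewall.log lines to report echo requests arriving from outside the management networks you name. The function names, the management range 10.10.0.0/24 and the sample log lines are constructed for illustration; the column layout is the standard pfirewall.log header.

```powershell
# Added example, not the original post's code. Run in an elevated PowerShell on Windows 8 / Server 2012 or later.

# Step 1: the rule behind the screenshot - inbound ICMPv4 type 8 (echo request), all profiles.
function Enable-InboundPing {
    New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo Request' -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Any -Enabled True
}

# Step 2: log *allowed* connections too. The default logs nothing, so without this
# nobody ever learns who pinged the box and the honeypot value is lost.
function Enable-AllowedConnectionLogging {
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogAllowed True `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 16384
}

# Helpers: compare the first N bits of two IPv4 addresses, no extra modules needed.
function ConvertTo-BitString([string]$Ip) {
    -join ([System.Net.IPAddress]::Parse($Ip).GetAddressBytes() |
           ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
}
function Test-InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    (ConvertTo-BitString $Ip).Substring(0, [int]$bits) -eq (ConvertTo-BitString $net).Substring(0, [int]$bits)
}

# Step 3: the honeypot part - echo requests received from anywhere that is not a management network.
function Get-UnexpectedPingSources {
    param([string[]]$LogLines, [string[]]$ManagementCidrs)
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # pfirewall.log columns: date time action protocol src-ip dst-ip src-port dst-port size
        # tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
        $f = $line -split '\s+'
        if ($f[3] -ne 'ICMP' -or $f[12] -ne '8' -or $f[15] -ne 'RECEIVE') { continue }
        $src = $f[4]
        $legit = $false
        foreach ($cidr in $ManagementCidrs) { if (Test-InCidr $src $cidr) { $legit = $true; break } }
        if (-not $legit) {
            [pscustomobject]@{ When = "$($f[0]) $($f[1])"; Source = $src; Target = $f[5] }
        }
    }
}

# Constructed sample of pfirewall.log content (assumed: 10.10.0.0/24 is the management network).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 09:00:01 ALLOW ICMP 10.10.0.20 10.10.5.7 - - 60 - - - - 8 0 - RECEIVE
2024-03-01 09:00:01 ALLOW ICMP 10.10.5.7 10.10.0.20 - - 60 - - - - 0 0 - SEND
2024-03-01 09:13:44 ALLOW ICMP 10.10.77.203 10.10.5.7 - - 60 - - - - 8 0 - RECEIVE
2024-03-01 09:13:45 ALLOW TCP 10.10.77.203 10.10.5.7 51512 445 52 S 1234 0 8192 - - - RECEIVE
'@ -split "`r?`n"

Get-UnexpectedPingSources -LogLines $sampleLog -ManagementCidrs '10.10.0.0/24' |
    Group-Object Source | Select-Object Name, Count
# Against the live log: Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
```

In the constructed sample only 10.10.77.203 is reported: the echo request from 10.10.0.20 comes from the management range, the echo reply (type 0) the host sent back is a SEND and not a probe, and the SMB connection from the same stranger is not ICMP. That stranger’s ping followed a second later by a connection to port 445 is exactly the exploration pattern the list item describes, and it only becomes visible because ping was allowed and logged rather than silently dropped.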