Hi everybody,

Right now, we are blocking pings and traceroutes to our website.
But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?

Thanks,
JD

On 1/23/09, John Doe <jdmls at yahoo.com> wrote:
> Hi everybody,
>
> Right now, we are blocking pings and traceroutes to our website.
> But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
> Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?
>
> Thanks,
> JD

Can't help you on that specific question. However, do you have the luxury of having your members coming from a block of IPs so you could open pings to that block only? Even if it included more than just your members (i.e. all pings from a particular ISP or geographical area), at least it would reduce your visibility, thus reduce your vulnerability should it be an issue.

Jacques B.

John Doe wrote:
> Hi everybody,
>
> Right now, we are blocking pings and traceroutes to our website.
> But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
> Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?
>

A denial of service by ping flooding is going to swamp your connection whether or not your server ignores them. If you're paranoid, you can use iptables to rate limit ICMP responses.

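One way to write the iptables rate limiting mentioned in the reply above, combined with the earlier suggestion to open pings to a member block only. This is an added example, not from any poster in the thread; the rates, the hashlimit names, the traceroute port range and the sample block 192.0.2.0/24 are assumptions.

```shell
#!/bin/sh
# Dry run: prints iptables commands; review them, then pipe to `sh` as root.
# Assumed values (not from the thread): the rates, the hashlimit names, the
# conventional UDP traceroute port range, and the sample member block
# 192.0.2.0/24 (documentation range).
# Usage: emit_icmp_rules [source-cidr] [rate] [burst]
# Older iptables releases spell --hashlimit-upto as --hashlimit.

emit_icmp_rules() {
    src="${1:-0.0.0.0/0}"   # who may probe; default is anyone
    rate="${2:-2/second}"   # sustained rate allowed per source IP
    burst="${3:-5}"         # packets allowed above the rate, per source IP

    # Whitelist every argument: the output is meant to be fed to a root shell.
    case "$src" in ''|*[!0-9./]*) printf 'bad source\n' >&2; return 1 ;; esac
    case "$burst" in ''|*[!0-9]*) printf 'bad burst\n' >&2; return 1 ;; esac
    case "${rate%%/*}" in ''|*[!0-9]*) printf 'bad rate\n' >&2; return 1 ;; esac
    case "${rate#*/}" in
        second|minute|hour|day) ;;
        *) printf 'bad rate\n' >&2; return 1 ;;
    esac

    # Per-source buckets, so one noisy host cannot use up everyone's allowance.
    lim="--hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst"
    cat <<EOF
# ping (and Windows tracert, which also sends echo requests)
iptables -A INPUT -s $src -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name diag_echo $lim -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# UDP traceroute: the last hop must answer with port-unreachable
iptables -A INPUT -s $src -p udp --dport 33434:33534 -m hashlimit --hashlimit-name diag_trace $lim -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp --dport 33434:33534 -j DROP
EOF
}

emit_icmp_rules "$@"
```

Because `-A` appends, these lines only take effect if they land ahead of any existing rule that already drops ICMP or that UDP range.
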
On Fri, Jan 23, 2009 at 12:16 PM, John Doe <jdmls at yahoo.com> wrote:
> Right now, we are blocking pings and traceroutes to our website.
> But, in order for our members to test the connection when they are experiencing slow browsing, we are thinking about unblocking them...
> Are there still any security issues (flooding, etc...) in enabling them or is that an old problem fixed a long time ago?

Our two web sites do permit ping. I like to ping them from time to time, for various reasons. Both have dedicated IP addresses. The one time one of our sites was attacked, years ago, was someone connecting to the POP3 server every second. Nothing to do with ping or traceroutes.

However, I do not permit our ADSL router at home to be pinged. For security reasons, I think allowing it to be pinged just increases the possibility someone might try to get in.

As a previous reply stated, it may be against the rules to turn it off for your web site.