Title: RE: FW: ICMP packets and Firebox II

OK, it might be time for a small clue-fest.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
[...]
> Thanks to all for the replies so far. Here is a note from our Firewall
> admin on one of the suggestions. Any comments?
>
> Thanks
> Barry
>
[Barry's firewall admin]
> >Sorry Barry, but I disagree with that statement.  We need to block
> >multiple icmp requests.  Hackers can use it as a tool to scan other
> >services on the network.  By blocking them after 4 attempts, we stop
> >them before they can discover more about the network.

Your firewall admin's heart is in the right place, but is mistaken. You really really should allow some ICMP into the network. The unreachables, for a start, and I would strongly recommend that you allow packet-too-big. Those types are useless for scanning. They _can_ be used as a covert channel (for tunneling exploits) but things like SSL or HTTP are easier and faster.

[FW admin again]
> >MTU discovery on the internet is useless and bandwidth consuming.
> >MTU discovery should only be used on an ethernet network to determine
> >packet size on the network.

I've never before heard a statement which is _completely_ wrong. PMTU-D is _only_ ever useful when the path MTU changes somewhere in the path. In an ethernet network there is no path - it's one hop - so MTU-D is useless. In other words PMTU-D is pretty much _only_ useful on the Internet and is bandwidth _saving_ (larger MTU means less percentage of bandwidth lost in packet headers).

> >>Stop ICMP protocol is a bad idea on an IP network like internet.
> >> Just block echo request, but not the whole ICMP.....

I don't know who said that, but it's half right. You should block some ICMP and allow some. As I said, I usually recommend allowing all unreachables and packet-too-big - that's a fairly secure stance which is probably good enough unless you have special needs.

[Barry again]
> Seems [the ISP is] sending ICMP packets for PMTU discovery, so the Firebox sees these ICMP
> packets as a possible DoS attack and locks out the domain. Seems the frequency has
> increased to several packets per second at worst.
> The ISP says they are just following standard RFC1191 protocols, but something has to have
> changed as we haven't had this problem before.

Something's getting confused here. Explicit ICMP probes are not part of the PMTU-D process. Path MTU discovery is a way for IP 'sessions' to discover the best MTU and TCP MSS by themselves. ICMP is only used to tell the IP or TCP layer that it's scaled up far enough.

Maybe PMTU-D is turned on on your mail server and you're blocking the return ICMP errors? That's bad (and would be your fault). What sort of ICMP packets are being sent here?

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
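As an added example, not part of this thread and not code from Ben, Barry or WatchGuard, the following Python script implements the filtering stance argued for above: parse an IPv4 datagram carrying ICMP, allow every type 3 destination-unreachable message (which includes code 4, "fragmentation needed and DF set", the RFC 1191 packet-too-big message that PMTU discovery depends on), and drop echo requests and everything else. It also pulls the next-hop MTU out of a packet-too-big message, which is the piece of information a firewall discards when it treats these errors as a flood. All packets, addresses (the 192.0.2.0/24 documentation range) and the 1280-byte MTU are constructed test data; the function names are the example's own.

```python
import struct

# ICMP types (RFC 792); type 3 code 4 is "fragmentation needed and DF set",
# the message RFC 1191 path MTU discovery relies on ("packet too big").
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
CODE_FRAG_NEEDED = 4

# Filtering stance from the thread: allow every unreachable (that covers
# packet-too-big), drop echo requests, drop everything else by default.
ALLOWED_TYPES = {ICMP_DEST_UNREACHABLE}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over a message whose checksum
    field is already correct the result is 0, which is how we validate."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
                    payload: bytes = b"") -> bytes:
    """Construct an IPv4 datagram carrying one ICMP message (constructed
    test data; source/destination are 192.0.2.1 and 192.0.2.2)."""
    icmp = struct.pack("!BBH4s", icmp_type, code, 0, rest) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4_icmp(packet: bytes) -> dict:
    """Parse the IPv4 and ICMP headers; raise ValueError on anything malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != 1:
        raise ValueError("not ICMP (protocol %d)" % packet[9])
    icmp = packet[ihl:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    icmp_type, code, _cksum, rest = struct.unpack("!BBH4s", icmp[:8])
    info = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACHABLE and code == CODE_FRAG_NEEDED:
        # RFC 1191: the next-hop MTU is carried in the low-order 16 bits
        # of the second 32-bit word of the ICMP header.
        info["next_hop_mtu"] = struct.unpack("!H", rest[2:])[0]
    return info


def verdict(packet: bytes) -> str:
    """Apply the filter: ALLOW unreachables, DROP echo requests and the rest.
    Malformed packets are dropped rather than guessed at."""
    try:
        info = parse_ipv4_icmp(packet)
    except ValueError:
        return "DROP"
    return "ALLOW" if info["type"] in ALLOWED_TYPES else "DROP"


if __name__ == "__main__":
    # Constructed samples: a packet-too-big from a router advertising a
    # 1280-byte next hop (payload stands in for the quoted IP header), and
    # an echo request of the kind used for host sweeps.
    ptb = build_ipv4_icmp(ICMP_DEST_UNREACHABLE, CODE_FRAG_NEEDED,
                          struct.pack("!HH", 0, 1280), b"\x45" + b"\x00" * 27)
    echo = build_ipv4_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 1, 1))
    for name, pkt in (("packet-too-big", ptb), ("echo-request", echo)):
        print(name, parse_ipv4_icmp(pkt), verdict(pkt))
```

Run it directly to see the two verdicts. The point of extracting next_hop_mtu is that a sending host only learns the path MTU from this one field; a box that counts these errors toward a DoS threshold and blocks the source will leave large DF-set packets black-holed, which matches the symptom Barry describes.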