[5] At one time, you could test your site by going to http://www.netscan.org, but this site seems to have disappeared.
Finally, as a good network citizen, you should install filters on your access router to prevent packets that have a source address not on your network from leaving your network. This not only limits Smurf Attacks but also keeps other attacks based on spoofed addresses from originating on your network. These filters should also be applied to internal routers as well as access routers, assuming you are providing forwarding for other networks.
If you follow these steps, you should not have to disable ICMP traffic. For more information on Smurf Attacks, including information on making these changes, visit http://www.cert.org/advisories/CA-1998-01.html. You might also look at RFC 2827.
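The source-address filter described above can be stated as a small decision rule: a packet arriving on a router interface may be forwarded only if its source address belongs to a prefix that legitimately lives behind that interface. The following Python is an added example, not code from the book or from any router vendor; the interface-to-prefix table and the sample packets are constructed for illustration. It also shows the internal-router case the text mentions, where the set of acceptable sources is narrower than the whole site.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample topology (assumption, not from the text): the prefixes
# that legitimately sit behind each router interface.  On the access router
# the inside interface carries the whole site; on an internal router that
# forwards for other networks each interface carries only its own subnets.
INTERFACE_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "access:inside": [ipaddress.ip_network("172.16.0.0/16")],
    "internal:eth1": [ipaddress.ip_network("172.16.2.0/24"),
                      ipaddress.ip_network("172.16.3.0/24")],
}


def allowed_source(src: str, iface: str,
                   table: Dict[str, List[ipaddress.IPv4Network]] = INTERFACE_PREFIXES) -> bool:
    """True if a packet that arrived on `iface` carries a source address
    belonging to one of the prefixes behind that interface (the RFC 2827 rule)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table[iface])


def apply_filter(packets: Iterable[Tuple[str, str, str]],
                 table: Dict[str, List[ipaddress.IPv4Network]] = INTERFACE_PREFIXES
                 ) -> Tuple[List[str], List[str]]:
    """Split (iface, src, dst) packets into forwarded and dropped lists.
    Dropped entries carry a reason string of the kind a router would log."""
    forwarded: List[str] = []
    dropped: List[str] = []
    for iface, src, dst in packets:
        if allowed_source(src, iface, table):
            forwarded.append(f"{iface} {src} -> {dst}")
        else:
            dropped.append(f"{iface} spoofed-source {src} -> {dst}")
    return forwarded, dropped


# Constructed sample traffic (assumption): a legitimate echo request, a packet
# with a forged source address of the kind a Smurf attack relies on, and a
# packet whose source is valid for the site as a whole but not for the
# internal interface it arrived on.
SAMPLE_PACKETS = [
    ("access:inside", "172.16.2.1", "192.0.2.10"),
    ("access:inside", "198.51.100.7", "192.0.2.255"),
    ("internal:eth1", "172.16.9.5", "172.16.2.1"),
]

if __name__ == "__main__":
    fwd, drp = apply_filter(SAMPLE_PACKETS)
    for line in fwd:
        print("forward", line)
    for line in drp:
        print("drop   ", line)
```

Only the first sample packet is forwarded; the second is dropped at the access router, and the third is dropped at the internal router even though its source is a site address, which is why the text recommends filtering on internal routers as well.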
3.3.3.3 Ping of Death
The specifications for TCP/IP have a maximum packet size of 65536 octets or bytes. Unfortunately, some operating systems behave in unpredictable ways if they receive a larger packet. Systems may hang, crash, or reboot. With a Ping of Death or Ping o' Death Attack, the packet size option for ping is used to send a slightly oversized packet to the victim's computer. For example, on some older machines, the command ping -s 65510 172.16.2.1 (use -l rather than -s on old Windows systems) will send a packet, once headers are added, that causes this problem to the host 172.16.2.1. Admittedly, I have some misgivings about giving an explicit command, but this has been widely published and some of you may want to test your systems.
This is basically an operating system problem. Large packets must be fragmented when sent. The destination will put the pieces in a buffer until all the pieces have arrived and the packet can be reassembled. Some systems simply don't do adequate bounds checking, allowing memory to be trashed.
Again, this is not really a problem with ping. Any oversized packet, whether it is an ICMP packet, TCP packet, or UDP packet, will cause the same problem in susceptible operating systems. Even IPX
has been mentioned. All ping does is supply a trivial way to exploit the problem. The correct way to deal with this problem is to apply the appropriate patch to your operating system. Blocking ICMP
packets at your router will not protect you from other oversized packets. Fortunately, most systems have corrected this problem, so you are likely to see it only if you are running older systems.
[6] For more information on this attack, see http://www.cert.org/advisories/CA-1996-26.html.
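The arithmetic behind the example command, and the bounds check the text says vulnerable stacks were missing, can both be shown in a few lines. The following Python is an added example and not code from the book: it computes the total length that ping -s produces once the ICMP and IP headers are added, then models a fragment reassembler that refuses any fragment whose end would fall outside the reassembly buffer. The reassembler works on the IP payload without caring whether it is ICMP, TCP, or UDP, which is the point the text makes about blocking ICMP being no protection. The echo request bytes and the fragment sizes are constructed for illustration (no checksum is computed).

```python
from typing import List, Tuple

IP_HEADER_LEN = 20        # minimum IPv4 header, no options
ICMP_HEADER_LEN = 8       # ICMP echo request/reply header
MAX_IP_PACKET = 65535     # largest value the 16-bit IP total length field can hold
MAX_IP_PAYLOAD = MAX_IP_PACKET - IP_HEADER_LEN   # 65515 bytes of payload at most

Fragment = Tuple[int, bool, bytes]   # (offset in 8-byte units, more-fragments flag, data)


def ping_total_length(data_bytes: int) -> int:
    """Size of the reassembled IP packet for `ping -s data_bytes` (or -l on old Windows)."""
    return IP_HEADER_LEN + ICMP_HEADER_LEN + data_bytes


def is_oversized(data_bytes: int) -> bool:
    """True when the headers push the packet past what IP can express."""
    return ping_total_length(data_bytes) > MAX_IP_PACKET


def icmp_echo(data_bytes: int) -> bytes:
    """Constructed echo request: type 8, code 0, zero checksum, id 1, seq 1, then data."""
    return bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"A" * data_bytes


def fragment(payload: bytes, mtu: int = 1500) -> List[Fragment]:
    """Split an IP payload the way a sending host would for the given MTU.
    Every fragment but the last carries a multiple of 8 bytes, as IP requires."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8        # 1480 for a 1500-byte MTU
    frags: List[Fragment] = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append((start // 8, more, piece))
    return frags


def fragment_fits(offset8: int, length: int, limit: int = MAX_IP_PAYLOAD) -> bool:
    """The bounds check: would this fragment end inside the reassembly buffer?"""
    return offset8 * 8 + length <= limit


def reassemble(frags: List[Fragment], limit: int = MAX_IP_PAYLOAD) -> bytes:
    """Reassemble fragments into one payload, rejecting any that would overrun
    the buffer instead of writing past its end as a vulnerable stack would."""
    buf = bytearray(limit)
    end, saw_last = 0, False
    for off8, more, piece in frags:
        if not fragment_fits(off8, len(piece), limit):
            raise ValueError(
                f"fragment at offset {off8 * 8} of {len(piece)} bytes exceeds {limit}-byte buffer")
        start = off8 * 8
        buf[start:start + len(piece)] = piece
        end = max(end, start + len(piece))
        saw_last = saw_last or not more
    if not saw_last:
        raise ValueError("last fragment never arrived")
    return bytes(buf[:end])


if __name__ == "__main__":
    for data in (56, 65507, 65510):
        print(f"ping -s {data}: total length {ping_total_length(data)}, "
              f"oversized={is_oversized(data)}")
    try:
        reassemble(fragment(icmp_echo(65510)))
    except ValueError as err:
        print("rejected:", err)
```

With 65510 bytes of data the total comes to 65538 bytes, three more than the field allows, while 65507 bytes is the largest data size that still fits. The reassembler accepts the normal 56-byte ping unchanged and rejects the last fragment of the oversized one, whose 398 bytes would start at offset 65120 and end past the 65515-byte buffer.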
3.3.3.4 Other problems
Of course, there may be other perceived problems with ping. Since it can be used to garner information about a network, it can be seen as a threat to networks that rely on security through obscurity. It may also be seen as generating unwanted or unneeded traffic. For these and previously cited reasons, ICMP traffic is frequently blocked at routers.
Blocking is not the only difficulty that routers may create. Routers may assign extremely low priorities to ICMP traffic rather than simply block such traffic. This is particularly true for routers implementing quality of service protocols. The result can be much higher variability in traffic patterns. Network Address Translation (NAT) can present other difficulties. Cisco's implementation has the router responding to ICMP packets for the first address in the translation pool regardless of whether it is being used. This might not be what you would have expected.
In general, blocking ICMP packets, even just ECHO_REQUEST packets, is not desirable. You lose a valuable source of information about your network and inconvenience users who may have a
legitimate need for these messages. This is often done as a stopgap measure in the absence of a more comprehensive approach to security.
Interestingly, even if ICMP packets are being blocked, you can still use ping to see if a host on the local subnet is up. Simply clear the ARP table (typically arp -ad), ping the device, and then examine the ARP table. If the device has been added to the ARP table, it is up and responding.
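The ARP trick just described is easy to get wrong when reading the table by eye, because an unanswered request can leave an unresolved entry behind. The following Python is an added example, not code from the book: it parses the output of arp -a in the Linux and BSD formats, treats only an entry with a hardware address as proof that the host answered, and wraps the clear-ping-inspect sequence in a function that takes the command runner as a parameter so the steps can be exercised without touching the network. The sample arp -a output is constructed for illustration, and the arp -ad syntax is taken from the text and varies by operating system.

```python
import re
from typing import Callable, Dict, List, Optional

# One pattern covers both the Linux form
#   ? (172.16.2.1) at 00:11:22:33:44:55 [ether] on eth0
# and the BSD form
#   gw.example.com (172.16.2.254) at 0:a0:c9:1:2:3 on fxp0 [ethernet]
# The token after "at" is either a hardware address or an incomplete marker.
ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<hw>\S+)")
INCOMPLETE_MARKERS = ("<incomplete", "(incomplete")


def parse_arp_table(output: str) -> Dict[str, Optional[str]]:
    """Map each IP address in `arp -a` output to its hardware address,
    or to None when the entry exists but was never resolved."""
    table: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        match = ARP_LINE.search(line)
        if not match:
            continue
        hw = match.group("hw")
        table[match.group("ip")] = None if hw.lower().startswith(INCOMPLETE_MARKERS) else hw
    return table


def host_answered(arp_output: str, ip: str) -> bool:
    """The check from the text: after clearing the table and pinging, the
    host is up only if it now has a resolved (hardware address) entry."""
    return parse_arp_table(arp_output).get(ip) is not None


def probe_host(ip: str, run_cmd: Callable[[List[str]], str]) -> bool:
    """Clear the ARP table, send one echo request, then read the table back.
    `run_cmd(argv)` returns the command's standard output as text."""
    run_cmd(["arp", "-ad"])            # clear the table (syntax as in the text; varies by OS)
    run_cmd(["ping", "-c", "1", ip])   # the reply may well be filtered; we ignore it
    return host_answered(run_cmd(["arp", "-a"]), ip)


# Constructed sample output (assumption): what arp -a might print after the
# ping, with one resolved host and one that was never resolved.
LINUX_AFTER = """\
? (172.16.2.1) at 00:11:22:33:44:55 [ether] on eth0
? (172.16.2.9) at <incomplete> on eth0
"""
BSD_AFTER = """\
gw.example.com (172.16.2.254) at 0:a0:c9:1:2:3 on fxp0 [ethernet]
? (172.16.2.9) at (incomplete) on fxp0
"""

if __name__ == "__main__":
    import subprocess
    import sys

    def run_cmd(argv: List[str]) -> str:
        return subprocess.run(argv, capture_output=True, text=True).stdout

    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.2.1"
    print(target, "is up" if probe_host(target, run_cmd) else "did not answer")
```

Run as a script it performs the real sequence against the address given on the command line (clearing the ARP table generally needs root); note that the host in the second line of each sample is present in the table yet reported as down, which is the case a quick glance at arp -a tends to miss.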
One final note about ping. It should be obvious, but ping checks only connectivity, not the functionality of the end device. During some network changes, I once used ping to check to see if a networked printer had been reconnected yet. When I was finally able to ping the device, I sent a job to the printer. However, my system kept reporting that the job hadn't printed. I eventually got up and walked down the hall to the printer to see what was wrong. It had been reconnected to the network, but someone had left it offline. Be warned, it is very easy to read too much into a successful ping.
3.3.4 Alternatives to ping