Nearly all networked systems and routers have many services automatically activated for the convenience of the administrator. These features, enabled by default, often provide attackers points of entry to gather information or gain access into the router. Since each service provides a possible access point, it is important to turn off all services that are not needed or that are security risks.
The Internet Control Message Protocol (ICMP) enhances network functionality and is invaluable for testing network connectivity and determining network paths. No one troubleshooting a network problem would want to be without the ability to ping and traceroute. ICMP also provides incredible functionality that an attacker can manipulate to collect vast amounts of information about your routers, your network topology, and the systems on your network.
It is extremely difficult to keep a determined attacker from discovering information about any system attached to the Internet. However, the recommendations that follow will make that job harder and keep casual attackers from finding your network attractive.
Many sites choose to deny all ICMP packets into and out of their networks. This solution almost works. The only ICMP message type that causes problems when disabled is maximum transfer unit (MTU) discovery. MTU discovery optimizes the size of packets between two systems. Disabling MTU can cause severe performance problems. It ...