What are reasons to disallow ICMP on my server?

ICMP consists of a large collection of commands. Disallowing all of those will break your network in strange ways.

ICMP allows things like "traceroute" and "ping" (ICMP echo request) to work. Thus that part is quite useful for normal diagnostics. It also is used for feedback when you run a DNS server (port unreachable) which, in a modern DNS server, may actually help select a different machine to query faster.

ICMP is used for path MTU discovery. Chances are your OS sets "DF" (do not fragment) on TCP packets it sends. It is expecting to get an ICMP "fragmentation required" packet back if something along the path fails to handle that size of packet. If you block all ICMP, your machine will have to use other fallback mechanisms, which basically use a timeout to detect a PMTU "black hole" and will never optimize correctly.

There are probably a few more good reason to enable most of ICMP.

Now as your question why to disable:

Reasons to disable part of ICMP are:

  • Protection from old style worms which used ICMP echo request (aka ping) to see if a host was alive before trying to attack it. These days, a modern worm tries it anyways, making that no longer effective.
  • Hiding your infrastructure. If you want to do this, then please block it at the edge of your network. Not on every single computer. That will just cause your admin to pull all the hair from his or her head in frustration when something goes wrong and all the normal analysis tools fail. (In this case: Amazon could block it at the edge of the cloud).
  • Denial of service attacks based on ICMP. Handle these the same as other DOS attacks: Rate limit.
  • The only valid one: If you are on an unsafe network, you might want to block or disable the router has changed command. Obfix: use your servers on a safe network.

Note that there are 'server hardening' manuals out there that advise to block ICMP. They are wrong (or at least not detailed enough). They fall in the same category as wireless 'security' via MAC filtering or hiding the SSID.


ICMP blocks are done for a couple reasons, but mostly to hide information from probes attempting to identify and profile your network. There are also several types of attacks on routers and publicly accessible end-systems that use ICMP traffic as part of the exploit.

in your case, you can probably allow echo responses, though that cause you to be noticed by more probes. attacks like ping-based DDOS and smurf attacks are largely mitigated these days.

http://en.wikipedia.org/wiki/Denial-of-service_attack#ICMP_flood