This is probably a stupid question and I’m only in my first semester of an accelerated program so I apologize if what I’m asking seems obvious. This chapter, we are learning about ACLs and in the reading it says:

“Several ICMP messages are required for proper network operation and should be allowed to exit the network:

Echo - Allows users to ping external hosts….”


So I guess what I really should be asking is, is it possible to just generate an echo reply and use this to work around using ACLs to mitigate ICMP abuse? Or is there something I’m not understanding about echo replies, such as some form of identifier in the frame header?

My first time posting so if I’m missing something or violating a posting rule please let me know!


2 Comments

  • Kv603

    November 12, 2021

    Nearly every modern edge firewall uses [true “stateful” ACLs](https://en.wikipedia.org/wiki/Stateful_firewall), meaning that a packet which is permitted as a reply would only be allowed when a corresponding initiating request “session” (or state entry in the case of a connectionless protocol) exists.

    > So I guess what I really should be asking is is it possible to just generate an echo reply and use this to work around using ACLs to mitigate ICMP abuse? Or is there something I’m not understanding about echo replies such as some form of identifier in the frame header?

    The first allowed outbound echo-request packet [establishes a very simplistic state](https://networkdirection.net/articles/firewalls/icmpinspection/), allowing inbound only a packet which reasonably resembles an echo-reply packet for that session.

    Reply
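The stateful ICMP inspection Kv603 describes, modelled as an added example (not code from this thread or from any firewall product): an outbound echo request creates a state entry keyed on the two addresses plus the ICMP identifier and sequence number, and an inbound echo reply is admitted only when it matches a pending entry and carries a valid checksum. Addresses and identifiers are constructed sample values.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request/reply (type, code 0, checksum, id, seq)."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


class StatefulIcmpFilter:
    """Minimal model of stateful ICMP inspection at an edge firewall."""

    def __init__(self):
        # pending entries: (inside_host, outside_host, ident, seq)
        self.pending = set()

    def outbound(self, src: str, dst: str, pkt: bytes) -> bool:
        """Permit an outbound echo request and record its state entry."""
        t, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        if t == ICMP_ECHO_REQUEST:
            self.pending.add((src, dst, ident, seq))
            return True
        return False  # simplified policy: only echo requests leave

    def inbound(self, src: str, dst: str, pkt: bytes) -> bool:
        """Admit an inbound echo reply only if it matches a pending request."""
        t, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        if t != ICMP_ECHO_REPLY:
            return False
        if icmp_checksum(pkt) != 0:  # valid message sums to zero
            return False
        key = (dst, src, ident, seq)  # reply comes back with addresses swapped
        if key in self.pending:
            self.pending.discard(key)  # one reply consumes the entry
            return True
        return False  # unsolicited reply: no matching request was seen
```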
  • reds-3

    November 12, 2021

    If you’re asking if you can craft a packet that has a manipulated type and code, generating an unsolicited ICMP reply, the answer is yes.

    Reply
