---
title: Inbound ICMP access to the host should be restricted
description: Datadog, the leading service for cloud-scale monitoring.
---

# Inbound ICMP access to the host should be restricted
 
## Description{% #description %}

Reduce the probability of a breach by checking [EC2 security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) for inbound rules that allow unfettered access to the host over the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and by restricting that access.

## Rationale{% #rationale %}

Malicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when unfettered ICMP access is permitted.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

Follow the [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) docs to learn how to restrict access to the host over ICMP.

### From the command line{% #from-the-command-line %}

1. Run `describe-security-groups` with a filter to [expose security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) that allow access to the host using ICMP.

   In the `describe-security-group.sh` file:

   ```bash
   # List the names of security groups that have an ICMP rule for the given CIDR.
   aws ec2 describe-security-groups \
       --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24' \
       --query 'SecurityGroups[*].{Name:GroupName}'
   ```
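An added example, not part of the Datadog documentation: a Python check that reads the JSON returned by `aws ec2 describe-security-groups` and reports inbound rules that permit ICMP from any address. The sample document, the group IDs and names, and the function names are constructed for illustration; the check goes beyond the filter above by also flagging `icmpv6` and protocol `-1` (all protocols), which include ICMP.

```python
import ipaddress
import json

# Constructed sample, shaped like `aws ec2 describe-security-groups` JSON output.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "web-open-ping", "IpPermissions": [
   {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "GroupName": "monitoring-ping", "IpPermissions": [
   {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
    "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0ccc", "GroupName": "legacy-all", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ddd", "GroupName": "https-only", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

# "-1" means all protocols, so such a rule also admits ICMP.
ICMP_PROTOCOLS = {"icmp", "icmpv6", "-1"}


def is_any_address(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_open_icmp(doc):
    """Return (group id, group name, protocol, cidr) for each unrestricted ICMP rule."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):  # inbound rules only
            if perm.get("IpProtocol") not in ICMP_PROTOCOLS:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_any_address(cidr):
                    findings.append((group["GroupId"], group["GroupName"],
                                     perm["IpProtocol"], cidr))
    return findings


if __name__ == "__main__":
    for finding in find_open_icmp(SAMPLE):
        print(*finding)
```

For ICMP rules, `FromPort` and `ToPort` in this output carry the ICMP type and code, with `-1` meaning all.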
