Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Is blocking incoming IPv6 ping a good idea?

Started by evantkh, February 04, 2015, 05:45:42 AM


evantkh

For security. Will it cause protocols to malfunction? Other ICMP error signals are not filtered.

cholzhauer

Yes, it's a bad idea.

No, you shouldn't block it.

evantkh




broquea

#5
Blocking ICMP does nothing for security. Nothing. Someone could still flood-ping your host and cause issues even with it filtered at your side, because your upstream isn't filtering/rate-limiting it.

Rate limit ICMP if anything. Still doesn't fix an attack vector if the upstream isn't doing the same for you.

Someone gets more data about you from you connecting to their services, than them knowing that your host responds to a ping.

Unless you are doing this on something that can process millions or close to a billion pps, your side loses every time.

cholzhauer

Quote
I am only blocking incoming echo request...

You never mentioned that.

Quote
At the same time, I see a lot of IPv6 sites not pingable.

Doesn't mean it's right.

evantkh

#7
Quote from: broquea on February 04, 2015, 05:56:57 AM
Blocking ICMP does nothing for security. Nothing.
Rate limit ICMP if anything.
Someone gets more data about you from you connecting to their services, than them knowing that your host responds to a ping.

The incoming ICMP rate is also limited by default on my router.
Do you mean that just blocking incoming echo requests does not cause a problem, unless someone tests whether an endpoint is reachable by using ping?

I want to at least hide the IPs used by the machines so they can only be discovered after doing a port scan.
At the same time, most of the incoming traffic is blocked unless I explicitly allow it, like forwarding incoming port 80 to an IP.

evantkh

Quote from: cholzhauer on February 04, 2015, 05:57:14 AM
Quote
I am only blocking incoming echo request...

You never mentioned that.

Quote
At the same time, I see a lot of IPv6 sites not pingable.

Doesn't mean it's right.

I have said that other ICMP error signals are not filtered, including Time Exceeded etc.

broquea

Quote
I want to at least hide the IPs used by the machines so they can only be discovered after doing a port scan.

And when that port scan of that one /64 finishes in the year 2525, I'm certain that host will have long since stopped responding. Again, this doesn't hide anything. The moment you connect to or through any service, your host is known. Promoting the idea that blocking ICMP is security is false.

evantkh

Quote from: broquea on February 04, 2015, 06:23:06 AM
Quote
I want to at least hide the IPs used by the machines so they can only be discovered after doing a port scan.

And when that port scan of that one /64 finishes in the year 2525, I'm certain that host will have long since stopped responding. Again, this doesn't hide anything. The moment you connect to or through any service, your host is known. Promoting the idea that blocking ICMP is security is false.

Then why do ISPs block echo requests in IPv4 networks?

In fact, I am blocking echo requests on the router rather than on the server/computer, to prevent inbound ICMP traceroute.

broquea

Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

evantkh

Quote from: broquea on February 04, 2015, 09:35:00 AM
Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

How do I block outgoing Hop Limit Exceeded messages with ip6tables, to prevent traceroute?
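The alternative broquea argues for, rate-limiting echo requests rather than dropping ICMPv6, written as an ip6tables rule set. This is an added example and not any poster's configuration; the `IP6T`, `RATE` and `BURST` variables are assumed tunables, and the script prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): rate-limit inbound ICMPv6 echo requests
# instead of dropping them, while keeping the ICMPv6 types IPv6 needs to work.
# Assumes ip6tables with the "limit" and "hl" match modules; IP6T, RATE and
# BURST are assumed tunables, not values taken from the forum posts.
IP6T="${IP6T:-ip6tables}"
RATE="${RATE:-10/second}"
BURST="${BURST:-20}"

# Emit the rules rather than running them, so the set can be reviewed first
# (apply as root with: ./this_script | sh).
icmpv6_rules() {
    # Error and PMTUD signalling that must never be dropped (RFC 4890):
    # 1 destination unreachable, 2 packet too big, 3 time exceeded
    # (which covers hop limit exceeded), 4 parameter problem
    for t in 1 2 3 4; do
        echo "$IP6T -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    # Neighbor Discovery (133 RS, 134 RA, 135 NS, 136 NA) is link-local and
    # always sent with hop limit 255; anything else claiming to be NDP is bogus
    for t in 133 134 135 136; do
        echo "$IP6T -A INPUT -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # Echo request (128): accept up to RATE with a burst of BURST, drop the rest.
    # The host stays pingable, but a flood from one side cannot exhaust it.
    echo "$IP6T -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit $RATE --limit-burst $BURST -j ACCEPT"
    echo "$IP6T -A INPUT -p icmpv6 --icmpv6-type 128 -j DROP"
    # Echo reply (129) so our own outbound pings get their answers
    echo "$IP6T -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT"
}

# Self-check helper: how many emitted rules match a given ICMPv6 type.
# The trailing space keeps "type 1" from also matching 128, 129 or 13x.
count_rules_for_type() {
    icmpv6_rules | grep -c -- "--icmpv6-type $1 "
}

icmpv6_rules
```

Time Exceeded is deliberately accepted: suppressing it is what breaks legitimate diagnostics and PMTUD feedback, whereas the rate limit on type 128 addresses the flood concern without hiding anything that is not already exposed the moment the host talks to a service.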

passport123

Quote from: broquea on February 04, 2015, 09:35:00 AM
Quote
Then why do ISPs block echo requests in IPv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

At one point, many years ago (late 1990s?), Windows suffered from the "ping of death" exploit. At that time, IPv4 pings were widely blocked, and I suspect many have just not unblocked them.