• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Is blocking incoming IPv6 ping a good idea?

Started by evantkh, February 04, 2015, 05:45:42 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

evantkh

February 04, 2015, 05:45:42 AM
For security. Will it cause protocols malfunction? Other ICMP error signals are not filtered.

cholzhauer

#1
February 04, 2015, 05:46:21 AM
Yes, it's a bad idea.

No, you shouldn't block it.

evantkh

#2
February 04, 2015, 05:48:17 AM
Quote from: cholzhauer on February 04, 2015, 05:46:21 AM
Yes, it's a bad idea.

No, you shouldn't block it.

What will goes wrong?

broquea

#5
February 04, 2015, 05:56:57 AM Last Edit: February 04, 2015, 06:03:09 AM by broquea
Blocking ICMP does nothing for security. Nothing. Someone could still flood-ping your host and cause issues even with it filtered at your side, because your upstream isn't filtering/rate-limiting it.

Rate limit ICMP if anything. Still doesn't fix an attack vector if the upstream isn't doing the same for you.

Someone gets more data about you from you connecting to their services, than them knowing that your host responds to a ping.

Unless you are doing this on something that can process millions or close to a billion pps, your side loses every time.

cholzhauer

#6
February 04, 2015, 05:57:14 AM
Quote
I am only blocking incoming echo request...

You never mentioned that.

Quote
At the same time, I see a lot of IPv6 sites not pingable.

Doesn't mean it's right.

evantkh

#7
February 04, 2015, 05:59:42 AM Last Edit: February 04, 2015, 06:02:52 AM by evantkh
Quote from: broquea on February 04, 2015, 05:56:57 AM
Blocking ICMP does nothing for security. Nothing.
Rate limit ICMP if anything.
Someone gets more data about you from you connecting to their services, than them knowing that your host responds to a ping.

The incoming ICMP rate is also limited by default on my router.
Do you mean just blocking incoming echo request does not have problem unless someone to test whether an endpoint is reachable by using ping?

I want to at least hide the IP using by the machines and can only be discovered after doing a port scan.
At the same time, most of the incoming traffic is blocked unless I expicitly allow them like allow forward incoming port 80 to an IP.

evantkh

#8
February 04, 2015, 06:00:30 AM
Quote from: cholzhauer on February 04, 2015, 05:57:14 AM
Quote
I am only blocking incoming echo request...

You never mentioned that.

Quote
At the same time, I see a lot of IPv6 sites not pingable.

Doesn't mean it's right.

I have said that other ICMP error signals are not filtered, including Time Exceeded etc.

broquea

#9
February 04, 2015, 06:23:06 AM
QuoteI want to at least hide the IP using by the machines and can only be discovered after doing a port scan.

And when that port scan of that one /64 finishes in the year 2525, I'm certain that host will have long since stopped responding. Again, this doesn't hide anything. The moment you connect to or through any service, your host is known. Promoting the idea that blocking ICMP is security, is false.

evantkh

#10
February 04, 2015, 07:30:58 AM
Quote from: broquea on February 04, 2015, 06:23:06 AM
QuoteI want to at least hide the IP using by the machines and can only be discovered after doing a port scan.

And when that port scan of that one /64 finishes in the year 2525, I'm certain that host will have long since stopped responding. Again, this doesn't hide anything. The moment you connect to or through any service, your host is known. Promoting the idea that blocking ICMP is security, is false.

Then why ISPs block echo request in Ipv4 networks?

In fact, I am blocking echo request on the router rather than on the server/computer to prevent from ICMP inbound traceroute.

broquea

#11
February 04, 2015, 09:35:00 AM
QuoteThen why ISPs block echo request in Ipv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

evantkh

#12
February 04, 2015, 04:43:01 PM
Quote from: broquea on February 04, 2015, 09:35:00 AM
QuoteThen why ISPs block echo request in Ipv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

How to block outgoing hop limit exceeded with ip6tables? Prevent from traceroute.

passport123

#13
February 05, 2015, 08:58:59 AM
Quote from: broquea on February 04, 2015, 09:35:00 AM
QuoteThen why ISPs block echo request in Ipv4 networks?

Because people propagate the myth that blocking ICMP is a security benefit.

At one point, many years ago (late 1990's?), Windows suffered from the "ping of death" exploit.  At that time, IPv4 pings were widely blocked, and I suspect many have just not unblocked them.
Print
Go Up Pages1
User actions