alt.hn

5/21/2025 at 11:17:29 PM

Should I Block ICMP?

http://shouldiblockicmp.com/

by rascul

5/21/2025 at 11:41:30 PM

ISP: No, you should definitely have ICMP available for testing.

SAAS Engineer: Leave it on so I can tell when your shit goes down without having to consult your service status page.

Sysadmin: I really don't care what you do, just enable it when you raise a complaint with your ISP so they can tell you what you broke.

Residential: Your TP Link hyper dreadnought super hawk that is taking up every inch of the 5 GHz indoor spectrum in your home is probably already blocking ICMP for you. It's probably also already part of a botnet. YMMV.

by protocolture

5/21/2025 at 11:56:45 PM

> Sysadmin: I really don't care what you do

Dropping ICMP breaks path MTU discovery (PMTU). It's the biggest reason why sites break when accessed (or served) over VPNs. This is often mitigated on the server, or in NAT-ing routers, by clamping TCP MSS, but that doesn't really resolve the problem. It doesn't fix it for UDP, nor likely for double VPN scenarios, etc, plus you're just losing bandwidth that way.

Some people make fatalistic arguments that even if they allow ICMP, something downstream may not have, so it's futile. But the networks in the middle rarely if ever block ICMP; those engineers know better. The real issue is on the ends. If you're a sysadmin dropping ICMP, you're half the problem. Fix ICMP on your end, and half the problem goes away. The other half of the problem are those NAT-ing routers, firewalls, and VPNs that don't handle ICMP properly. You can't fix those, but plenty of residential and commercial equipment on the other end, as well as VPN setups, actually do the right thing. Don't make perfect the enemy of better.

by wahern

5/22/2025 at 1:02:15 AM

You are absolutely correct, but also, I am already having to clamp MTU for most business customers anyway, for a hundred reasons.

The issue is that sysadmins make this the ISP's issue anyway. They won't do any kind of investigation but simply yell at the telco. Telcos are ready, willing and able to clamp. It's as natural as breathing at this point.

The only thing that gets me is when some small business refuses to enable ICMP for troubleshooting when they raise a complaint. You have to come to the table at least that far.

by protocolture

5/22/2025 at 1:09:30 AM

> small business refuses to enable ICMP for troubleshooting

Depending on your definition of small business, asking someone "hey can you enable ICMP real quick" is like asking them "hey can you build a rocket ship while skydiving?"

by Avicebron

5/22/2025 at 1:13:24 AM

Comes from all sides. Mom and Pop running a small store, refuse on the grounds of not wanting to change a setting on their router.

Small as in <100 employees. The IT guy doesn't want to change anything; he's been there 20 years and never changed that setting. Or he needs to go through change management, which he is also averse to.

by protocolture

5/22/2025 at 8:15:56 AM

The problem is ICMP can be abused for attacks like ICMP flood and ICMP smurf, because src.ip can be easily spoofed.

It's very easy and cheap to saturate a link with flood traffic, but fixing this issue requires large investments in big expensive firewalls that can block these stupid attacks.

by slt2021

5/22/2025 at 1:34:45 PM

> ICMP smurf

IP stacks haven't responded to broadcast pings for ≥20 years now. If you find one that does, please report it so it can get fixed.

> because src.ip can be easily spoofed

Operators have been pushing to get BCP38 everywhere for ≥ 20 years now. If you find one that doesn't do it, please report it so I can depeer and shame them on public mailing lists.

> ICMP flood

So you'll just get flooded with UDP instead (cf. sibling comment).

by eqvinox

5/22/2025 at 9:57:45 AM

DNS and SNMP with a spoofed src IP have a higher amplification factor, and the root of the problem here is ISPs which allow their customers to spoof src IP.

by citrin_ru

5/22/2025 at 4:38:04 PM

Are you blocking UDP, too?

by yjftsjthsd-h

5/22/2025 at 1:01:55 AM

> Residential: Your TP Link […] is probably already blocking icmp for you.

If it does, it generally won't pass telco CPE certification, i.e. Comcast and the likes won't be selling it to you in any bundle. Blocking ICMP Fragmentation Needed / ICMPv6 Packet Too Big is a hard fail on all of those, other message types can vary.

(Source: I work in this area.)

[Ed.: to be clear, there is no single "telco CPE certification"; each telco decides this on their own. A bunch of them form groups/"alliances" though, and a lot of the certification requirements are the same everywhere.]

by eqvinox
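The PMTUD failure wahern describes above, and the Fragmentation Needed / Packet Too Big messages eqvinox says CPE certification checks for, can be seen in a small simulation. This is an added example, not code from the thread or from shouldiblockicmp.com: the link MTUs, payload sizes and the `Path`, `transfer` and `send_udp` names are constructed for illustration, and nothing is sent on a real network.

```python
"""Simulate Path MTU Discovery (PMTUD) over a path whose middle link has a
smaller MTU than the first hop (the usual VPN or PPPoE case), with and
without the ICMP error message that tells the sender to shrink.

Constructed example: link MTUs, payload sizes and names are made up; this
models RFC 1191 / RFC 8201 behaviour and does not touch the network."""
from dataclasses import dataclass
from typing import Optional

IPV4_HDR, IPV6_HDR, TCP_HDR, UDP_HDR = 20, 40, 20, 8


@dataclass
class Path:
    """Links between two hosts; the smallest link MTU is the path MTU."""
    link_mtus: list
    icmp_blocked: bool = False   # a firewall drops the ICMP error on the path or at an end host
    ipv6: bool = False

    def path_mtu(self) -> int:
        return min(self.link_mtus)

    def ip_hdr(self) -> int:
        return IPV6_HDR if self.ipv6 else IPV4_HDR

    def too_big_msg(self) -> str:
        # ICMPv4 type 3 code 4 "Fragmentation Needed" vs ICMPv6 type 2 "Packet Too Big"
        return "ICMPv6 Packet Too Big" if self.ipv6 else "ICMP Fragmentation Needed"


def mss_for(mtu: int, ip_hdr: int = IPV4_HDR) -> int:
    """Largest TCP payload that fits one packet of the given MTU (no TCP options)."""
    return mtu - ip_hdr - TCP_HDR


def transfer(path: Path, payload: int, first_hop_mtu: int = 1500,
             clamped_mss: Optional[int] = None, max_retries: int = 3) -> dict:
    """Send `payload` bytes of TCP data with DF set, as a PMTUD-capable stack does.

    Without ICMP the oversized segment is dropped silently and retransmitted
    unchanged until the sender gives up: a PMTUD black hole.  `clamped_mss`
    models a router rewriting the SYN's MSS option (MSS clamping)."""
    pmtu = path.path_mtu()
    mss = mss_for(first_hop_mtu, path.ip_hdr())
    if clamped_mss is not None:
        mss = min(mss, clamped_mss)
    sent, retries, log = 0, 0, []
    while sent < payload:
        segment = min(mss, payload - sent)
        packet = segment + path.ip_hdr() + TCP_HDR
        if packet > pmtu:
            if path.icmp_blocked:
                retries += 1
                log.append(f"{packet}-byte packet exceeds {pmtu}-byte link; error filtered, retry {retries}")
                if retries >= max_retries:
                    return {"delivered": False, "reason": "PMTUD black hole",
                            "bytes": sent, "mss": mss, "log": log}
                continue
            # The router's error message carries the next-hop MTU; the sender adopts it.
            new_mss = mss_for(pmtu, path.ip_hdr())
            log.append(f"{path.too_big_msg()}: {packet} > {pmtu}, MSS {mss} -> {new_mss}")
            mss = new_mss
            continue
        sent += segment
    return {"delivered": True, "reason": "ok", "bytes": sent, "mss": mss, "log": log}


def send_udp(path: Path, datagram: int) -> str:
    """UDP has no MSS to clamp: only the ICMP error can tell the application to shrink."""
    packet = datagram + path.ip_hdr() + UDP_HDR
    if packet <= path.path_mtu():
        return "delivered"
    if path.icmp_blocked:
        return "silently dropped"
    return f"{path.too_big_msg()} returned; application must resend smaller"


if __name__ == "__main__":
    vpn = Path([1500, 1400, 1500])                        # 1400-byte tunnel in the middle
    broken = Path([1500, 1400, 1500], icmp_blocked=True)  # same path, ICMP errors filtered
    for label, result in [
        ("ICMP allowed           ", transfer(vpn, 10_000)),
        ("ICMP blocked           ", transfer(broken, 10_000)),
        ("ICMP blocked, MSS clamp", transfer(broken, 10_000, clamped_mss=1360)),
    ]:
        print(f"{label}: delivered={result['delivered']} mss={result['mss']} ({result['reason']})")
    print("UDP 1400 bytes, ICMP blocked:", send_udp(broken, 1400))
```

The three TCP runs reproduce the thread's argument: with the error message allowed the sender drops its MSS from 1460 to 1360 and finishes; with it filtered the same 1500-byte segment is retransmitted until the connection stalls; MSS clamping on the router rescues TCP but, as the UDP case shows, does nothing for protocols that have no MSS option to rewrite.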

5/22/2025 at 1:11:37 AM

Inbound echo request and echo reply are almost always blocked in my experience.

by protocolture

5/22/2025 at 1:27:24 AM

Which is ≈mostly≈ fine; I'm just saying people in appropriate places (deciding which CPEs get sold to you) have gotten rather touchy about the PMTU bits. And rightfully so!

by eqvinox

5/22/2025 at 4:08:32 AM

Absolutely.

I supported a mid-size WISP for 2 years and something like 60% of the issues they sent my way were ultimately resolved with MSS Adjust or MTU clamping.

by protocolture

5/22/2025 at 1:45:09 AM

> Your TP Link hyper dreadnought super hawk that is taking up every inch of the 5ghz indoor spectrum in your home is probably already blocking icmp for you. Its probably also already part of a botnet

The more spiky black angular antennas you put sticking up on a router that makes it resemble a science fiction movie arachnid-form robot, the faster it goes. This seems to be the universal design language now.

For routers that consumers purchase themselves, the design language seems to have been optimized to look amazing and cool and grab the attention of someone browsing the aisles at the local Best Buy.

by walrus01

5/22/2025 at 2:41:18 AM

I bought a TP Link router to run in AP mode for WiFi 7. It has none of those antennae sticking out. It does have a little grid of LEDs on the front that I have set to the UwU face option though...

by ziml77

5/22/2025 at 1:51:20 AM

My newest router doesn't have any of that shit and works just as well, with at least as much range, as the one it replaced, which had six(!) of those insectoid antenna things.

I wouldn't be surprised if the damn antennas are just empty. They don't seem to serve any purpose.

by alabastervlog

5/22/2025 at 4:18:45 AM

They aren't for range, but for MIMO (exploiting that the signal bounces differently between the antennas at either end of the connection: while some antenna pairs behave poorly, others may well be perfect, so it essentially matches them (through a mixing matrix, to be more abstract/generic) to form good pairs that are also independent from one another, so they can simultaneously run different data streams over different antennas to severely increase speed).

It also compensates for interference dead spots when you hold your phone into such a spot.

The long sticks typically radiate in the plane normal to the stick, i.e., if you make them all perfectly vertical, they are focused to the same floor. Individual ones can be rotated readily to cover special spots, especially if you have more than 4 antennas.

by namibj

5/22/2025 at 1:44:53 PM

> The long sticks typically radiate in the plane normal to the stick, i.e., if you make them all perfectly vertical, they are focused to the same floor.

I generally recommend just maximizing angles between them, i.e. 90° between 2 or 3 antennas. Wall attenuation & reflections will equalize it out, and you have a lower chance of dead zones. The ≥4th one —on the same radio— is YOLO. Annoyingly enough, for some devices they don't tell you which antenna is on which radio.

by eqvinox

5/22/2025 at 1:42:04 PM

Considering a single radio, the antennas are for MIMO, which in theory is supposed to multiply bandwidth by number of antennas (i.e. 3 antennas = 3× bandwidth). In practice this is highly reliant on signal propagation characteristics in your rooms, particularly including position (and angle!) of all antennas (both senders and receivers). The second antenna is useful, third maybe, fourth is gonna be quite questionable.

However, they also have more than 1 radio these days, and sharing the antennas on them is not exactly beneficial; if you have one 2.4GHz, 5GHz and 6GHz radio each, you might as well optimize the antennas for each radio. And even if it's the same band, separate antennas allow you to have distinct radios cover distinct space with different RF propagation characteristics.

(They're not empty, or at least I haven't found any fake ones yet.)

by eqvinox

5/22/2025 at 1:55:32 AM

I wish I knew more about RF engineering to comment, but the impression I get is that they cause more problems with interference than they solve.

by protocolture

5/22/2025 at 1:16:50 AM

No, don’t block ICMP.

Also, implement SSL because it's trivial and prevents garbage ISPs from injecting ads.

Third, how about no ads to begin with?

by isatty

5/22/2025 at 1:25:49 AM

Blocking ICMP tends to come with blocking ICMP Unreachables, that happens to handle Path MTU Discovery (PMTUD), which you definitely want on if you work around VPNs at all, or certain ISPs that might not allow a full 1500 byte frame. Microsoft loves to particularly set application traffic to Do-Not-Fragment, and this will play chaos on many Microsoft things if PMTUD is disabled around reduced MTU environments.

It's best left on at least inside a private/protected network.

by bastard_op

5/22/2025 at 3:54:21 AM

Everybody sets traffic to Do-Not-Fragment. Nobody wants their routers to fragment packets anyway; you might as well ask to get a notification when too big packets are dropped.

Nobody wants to have their servers reassemble fragments, it's too much work; many servers just drop any fragments they do get. I ran servers pushing 20 Gbps of downloads, and would receive on the order of two fragments per second. It looked legitimate, so I preferred not to disable fragment assembly, but I'd set the reassembly buffer as small as possible; there's no need to keep more than say 16 fragments... if you're getting more than a handful of fragments, it's DDoS and that one guy with a weird network will just have to deal. They probably can't use any other sites anyway.

by toast0

5/22/2025 at 12:26:38 AM

Clicked expecting a fat "NO", wasn't even surprised when I saw it.

by rfl890

5/23/2025 at 6:30:32 AM

You aren't wrong..'nd I wrote one of the first Ethernet drivers (for any platform) almost half a century ago and spent a long time at the company that invented twisted pair Ethernet; but sharing MY insight gets me downvoted unless it aligns with pop views and is phrased so as not to amuse or confuse...

If they're going to "Ask HN", they should ask something like "what are most others doing in regards to X" because that's the only information that can be accurately gleaned in this kind of environment; otherwise, consider asking Reddit/Gemini. https://youtu.be/V-SJQdREDKM

by vaxman

5/22/2025 at 12:45:22 AM

Path MTU discovery lives off ICMP. Block ICMP and expect connections to fail.

by truekonrads

5/21/2025 at 11:39:49 PM

Should I block port 80?

by taikahessu

5/22/2025 at 3:18:46 AM

Port 53 isn’t necessary either if you have a good memory for numbers.

by master_crab

5/21/2025 at 11:53:28 PM

Yes. And port 443, too.

by aleph_minus_one

5/22/2025 at 6:08:48 PM

You people jest, but I once worked under a CISO that started an initiative to close all ports on production systems.

Yes, including 80 and 443.

He was purely a GRC monkey that had absolutely zero technical knowledge, he just knew how to check boxes. It took way too long for me to explain to him that closing those ports would take our SaaS down entirely, and I was absolutely appalled that I had to have that discussion and started questioning how the hell this guy became a CISO.

I've heard some people argue that CISOs don't need to be technical, but I wholeheartedly disagree and can't fathom how anybody could think that someone who manages something should be able to get away with not having any knowledge in the field they manage. Like, I get that the IC track and the management track are completely different skillsets, but once you get to that level, you should have both sets of skills. I wouldn't want a CTO that doesn't know how to code, and I'd be terrified of a CFO that doesn't know accounting.

by Sohcahtoa82

5/23/2025 at 12:35:43 PM

I mean I know people value your uptime, but isn't that simply a case of getting the order in writing, a quick CC'd email to the CEO and then putting the site offline as advertised? Some people just don't learn any other way.

by wink

5/23/2025 at 4:46:23 PM

Ah yes, malicious compliance. My favorite!

The thing is, I wouldn't actually have the authority to make the change. I'd have to convince someone from DevOps/SRE to do it, and they were certainly not gonna do it.

by Sohcahtoa82

5/21/2025 at 11:51:55 PM

Should I disable the fan on my cpu?

by tuatoru

5/21/2025 at 11:55:49 PM

In all seriousness, there is fan control software where you can request a speed of 0 when temperature is in a particular range.

by Dwedit

5/22/2025 at 1:26:26 AM

Apple Silicon machines do this

by LoganDark

5/22/2025 at 12:56:59 AM

Only if you leave the spacebar heating config set to off

by labster

5/22/2025 at 1:29:20 AM

Yes if the machine is operating in a vacuum.

by gosub100

5/22/2025 at 1:30:15 AM

I am not a network engineer, but when I hear ICMP, I associate it with consuming CPU on my shitty router and DDoS potential. I only block ICMP for unknown external traffic (response to packets not otherwise blocked by firewall, then aggressively rate limit that) and allow it internally. I used to go overboard in the past and learned how annoying it is to not be able to do a simple ping...

by paffdragon

5/22/2025 at 1:40:04 AM

If people can send packets to you, they can DDoS your shitty plastic router CPU regardless of you blocking ICMP or not. And whether your router generates a reply is really ancillary to the question — so long as that reply isn't notably larger than the triggering packet. (Otherwise you're running a reflection amplifier and some people would like to have words with you.)

These days with cheap bandwidth about, the only way to really prevent DDoS is to catch them at the source(s). Hell, I have 25Gbit at home (Init7), I can blow entire small telcos off the internet. Once. Then Init7 terminates my service. And that's really the only thing that can prevent this…

by eqvinox

5/22/2025 at 2:11:06 AM

Fair enough. For me personally it's not that big of a concern. I just remember from a previous network monitoring gig that using ICMP had a few problems with rate limiting. But that wasn't my cheap router at stake. It's probably just something that stuck with me and not that relevant in my context anymore.

by paffdragon

5/22/2025 at 2:05:09 AM

Blocking ICMP doesn't even fix the CPU issue though; the router still uses CPU to decide which packet should be blocked.

If you really care about the CPU usage, you should drop raw traffic instead (when DoS from a certain IP is detected).

by mmis1000

5/22/2025 at 2:16:41 AM

Indeed. What I meant was that it's cheaper to drop than to generate a reply. But you are right, and I also mentioned in the other reply, that my router wouldn't stand a chance dropping or replying to a DDoS anyway, so probably this concern is not relevant in the home router context.

by paffdragon

5/22/2025 at 5:01:35 PM

It's probably just a result of my incredibly slow home internet, but the CPU part was never an aspect for me. It's primarily related to the wasted bandwidth on the outbound side by sending a reply

by sidewndr46

5/21/2025 at 11:38:05 PM

It's like me blocking YouTube in the hosts file or even on Pi-hole or related manually. I realize blocking YouTube BREAKS a lot of things in the network.

by babuloseo

5/21/2025 at 11:42:51 PM

What does blocking youtube break, aside from youtube?

by Retr0id

5/21/2025 at 11:47:12 PM

There's a YouTube domain that's somehow a load-bearing part of Google's OAuth login flow.

by gavinsyancey

5/21/2025 at 11:50:51 PM

I’ve never understood this (and really would like to). Why on earth does Google redirect to YouTube and then back to Google when logging in…

The only reason I can think of is to sync user session cookies across domains?

by cj

5/22/2025 at 12:17:46 AM

It's indeed to log you in to multiple Google properties at once. It's not needed for e.g. Gmail (since it's a subdomain under google.com) but YouTube is in its own domain so it has no access to google.com's cookies.

by kaoD

5/22/2025 at 1:20:45 AM

I turned off YouTube for my account using admin.google.com. Doing so causes Google to stop redirecting me to YouTube and back. Of course this also means I'm never logged in while visiting YouTube.

by kccqzy

5/22/2025 at 12:01:26 AM

I guess it's the same reason I go through 4 login screens whenever I want to log in to my Microsoft account... Legacy

by jcelerier

5/22/2025 at 12:21:35 AM

I can confirm: it’s because of the syncing session cookies across domains.

I do believe it works if you block just the youtube.com domain and not *.youtube.com

by odo1242

5/22/2025 at 12:24:45 AM

You already know the reason.

In addition to youtube.com, in many cases they redirect to many country-specific domains as well (e.g. google.co.jp).

YouTube is common enough that they want to log in on the same flow.

by j16sdiz

5/22/2025 at 2:29:40 AM

Browsers other than Chrome don't support third-party cookies by default.

by timewizard

5/22/2025 at 12:06:27 AM

Perhaps they want to force companies to not block YouTube.

by UltraSane

5/22/2025 at 4:59:03 AM

Yes, I noticed this. Perhaps due to different handling of logins on both the sites. This could be handled in the backend by not redirecting as well, but there should have been design choices there.

by prirai

5/21/2025 at 11:48:23 PM

shouldiimplementssl.com

by guyzero

5/22/2025 at 12:51:58 AM

The explanation I've seen before is that it doesn't really matter for websites that don't _want_ anything from you. No credentials, no login forms, no text entry fields.

Maybe there are edge cases associated with this?

by branon

5/22/2025 at 1:05:40 AM

> The explanation I've seen before is that it doesn't really matter for websites that don't _want_ anything from you. No credentials, no login forms, no text entry fields.

Still worth creating a bit of a shield between you and the site to make it just that much harder for anybody in the middle to inject anything / change anything.

Back before Let's Encrypt made it inexcusable to not have HTTPS, it was a common-ish prank to MITM all the HTTP traffic you could see and do something harmless like rotate images 180 degrees.

by baby_souffle

5/22/2025 at 5:09:02 PM

If the argument is that Let's Encrypt makes it "inexcusable" to not have HTTPS, then Let's Encrypt effectively controls most of the domains on the internet.

by sidewndr46

5/22/2025 at 2:31:04 AM

That also requires either a shared wifi network or ARP spoofing. It's not something that HTTP itself inherently allows.

by timewizard

5/22/2025 at 4:20:06 AM

I am not sure what leads you to answer this way, but I assure you that HTTP, like any other unencrypted network traffic, does inherently allow undetected tampering by any middleman.

While it's highly unlikely that threat actors would be lurking in trusted networks and devices on such a network path, they definitely don't need to use shared WiFi or ARP spoofing if they have control of a core router or transmission line. That's the very essence of MITM attacks.

by AStonesThrow

5/22/2025 at 7:07:24 AM

> I am not sure what leads you to answer this way

Knowledge of facts and history.

What leads people such as yourself to start a response this way? "I'll respond to you but first I'm going to feign ignorance of how you could even say that in a way that adds absolutely nothing to the discussion." I perceive this as exceptionally rude. Am I alone in that?

> does inherently allow undetected tampering by any middleman.

Yes. And did I describe methods by which you can hijack connections to /become/ the middleman? Perhaps you missed the subtle detail.

> That's the very essence of MITM attacks.

The popularized attacks you're describing became popular because they were done with the techniques I described in places like Starbucks and other businesses with open Wifi networks. Here it is, literally:

https://en.wikipedia.org/wiki/Firesheep

by timewizard

5/22/2025 at 5:10:39 PM

Yeah, I don't think it was people snooping on Facebook posts that caused the adoption of TLS at a widespread level. It was the fact that companies realized the NSA & their competitors would use it to attack them at every level.

You don't need ARP spoofing or anything like that to intercept a plaintext communication when you control the ISP.

by sidewndr46

5/22/2025 at 7:43:35 AM

Well, I interpreted your reply as implying that the only vectors possible were shared WiFi or ARP spoofing. If you merely intended to offer two examples, then it makes more sense. But I am still not sure why your answers are so irrelevant!

So, I am still unsure that you are clued in here, because the article you have linked to has nothing at all to do with tampering in-flight TCP streams, only sniffing them. Perhaps you do not understand how these principles differ. This shared WiFi scenario certainly permits eavesdropping on unencrypted channels, and that’s a danger that’s distinct from actual MITM.

You claim we’re describing the same thing but we are not.

> did I describe methods

No, actually you didn’t — you named one vector and one mostly unrelated LAN attack. ARP spoofing may be a stepping stone, but not really central.

The attack you describe happens at the application layer, in fact. It doesn’t even need to use TCP. You’re simply stealing someone’s credentials and reusing them in a new browser session. There’s really no way to legitimately describe this as “MITM” — or “tampering” at all. [Your Wikipedia article does not use these terms.]

And in a typical Starbucks installation, nobody would realistically attempt to tamper with in-flight TCP streams. Because that attack would involve some elaborate setup, presenting a higher challenge than the Firesheep attack. I am sure you could explain and describe the former, if you understand the underlying principles.

No, the classic MITM attacks on HTTP involve neither WiFi nor ARP, but simply interposing malicious code somewhere else on-path. [Actually it is not necessarily malicious, because NAT gateways work by modifying TCP streams too!] That’s why a newer name for it is “on-path attack”. And you seem to have omitted that scenario from your comments.

by AStonesThrow

5/22/2025 at 1:44:27 AM

> Maybe there are edge cases associated with this?

Plenty. There are a lot of information-only websites where you might want to keep your visit to yourself.

To give an obvious example: some parts of the United States are trying very hard to make abortion impossible. The state government could mandate that ISPs MitM your traffic, and alert the police when you visit a website giving you information about the legal abortion clinics in a neighboring state. Guess you'll be getting a home visit...

The same is going to apply with looking up info on LGBT subjects, civil rights, Tiananmen Square, a religion not explicitly allowed by the state, whether Eurasia has always been at war with Oceania, and so on. Heck, even a seemingly innocent website visit could theoretically come back to haunt you years later. Just some bored scrolling on Wikipedia? Nope, you were planning a crime - why else were you reading pages about chemical warfare during WW I? That neighbor who died due to mixing bleach and ammonia was obviously murdered by you.

If it's unencrypted, you should assume it's being logged by someone nefarious. Are you still okay with it?

by crote

5/22/2025 at 4:30:21 AM

To be fair, TLS doesn't stop the authorities from performing dragnet searches. Just subpoena Google for search keywords, mobile service providers for geofence data, DNS logs, IP logs from ISPs, etc. If that gives them enough for a warrant, they can get emails, SMS, browser history, account data, and detailed location logs. Not to mention license plate readers, surveillance cam footage and financial transactions.

It's honestly surprising that anyone gets away with any significant crimes, given just how much potential evidence is recorded.

by briHass

5/22/2025 at 1:01:56 AM

Without TLS, sometimes still referred to as SSL, a website's content can be modified by anyone controlling the network path. This includes ISPs and WiFi operators.

Sure, your website may have unimportant stuff on it that nobody relies on, but do you want visitors to see ads in your content that you didn't put there?

by justin_oaks

5/22/2025 at 3:07:48 AM

In addition to what everyone else has said, having everything be encrypted means encryption isn't "special", there's no metadata that indicates that the communication contains secret data due to encryption. If people don't encrypt non-sensitive traffic, then sensitive traffic stands out. So there's a sort of civic duty element to enabling TLS (or using encrypted messaging, etc.).

by SAI_Peregrinus

5/22/2025 at 1:22:51 AM

The website might not be designed to have credentials or login forms, but now you have allowed attackers to place fake login forms on your website. And given the prevalence of password reuse for the general population, attackers can easily harvest real passwords this way.

Not to mention injected ads which used to be very common in the late 2000s.

by kccqzy

5/22/2025 at 1:50:20 AM

Without TLS, people (service providers and intermediaries) can tell what pages I'm reading on your site. They can make the kind of inferences from these that get people convicted at trial.

TLS is more important on sites that are just serving information. It's easy to reconstruct your train of thought as you click around.

Librarians have fought (and lost) to defend our privacy to read.

https://www.ala.org/advocacy/intfreedom/privacyconfidentiali...

by pessimizer

5/22/2025 at 9:53:13 AM

I used to think that, but at this point the Internet is sufficiently hostile that it's everyone's responsibility to encrypt everything all the time to reduce the utility to bad actors to zero.

It's a little bit like using Tor for some of your ordinary browsing (which I do) so that spy agencies can't infer everyone using Tor is doing something wrong.

by immibis

5/22/2025 at 1:01:12 AM

Remember the C-I-A triad of security.

I consider the integrity of messages to-and-from the web to be very important.

Many of us lived through days when ISPs or some other greedy middleman injected ads into unsecured web pages. They played DNS tricks too.

Imagine if you had an app download that could be maliciously modified in-flight.

Furthermore, a certificate can guarantee you’re not connected to an imposter. What if the TFA link was redirected to “abevigoda.com”? Catastrophe!

by AStonesThrow

5/22/2025 at 12:40:21 AM

thankfully its pingable ¯\_(ツ)_/¯

  $ ping shouldiblockicmp.com
  PING shouldiblockicmp.com (52.92.225.139) 56(84) bytes of data.
  64 bytes from s3-website-us-west-2.amazonaws.com (52.92.225.139): icmp_seq=1 ttl=241 time=75.3 ms

by rabbitofdeath

5/22/2025 at 1:09:28 AM

No IPv6 though.

  $ ping -6 shouldiblockicmp.com 
  ping: shouldiblockicmp.com: Address family for hostname not supported

by eqvinox

5/22/2025 at 1:14:19 AM

Maybe you should buy shouldiblockicmpv6.com...

by BenjiWiebe

5/22/2025 at 1:29:46 AM

The good thing about that is that I don't have to do that because if you blanket block ICMPv6, IPv6 just won't work at all. No neighbor discovery, no default route ;D

by eqvinox
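What "don't blanket block ICMP" looks like in an actual ruleset, covering both the ICMP Unreachables bastard_op says carry PMTUD and the ICMPv6 Neighbor Discovery traffic eqvinox notes IPv6 cannot live without. This is an added example written for this thread, not a configuration from shouldiblockicmp.com or any commenter; it assumes a Linux box running nftables, and the interface names `lan0` and `wan0` are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): default-drop policy that keeps the
# ICMP/ICMPv6 messages PMTUD and IPv6 itself depend on. Interface names
# lan0/wan0 are placeholders for a home or small-office router.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept   # "related" also covers ICMP errors for tracked flows
        ct state invalid drop

        # IPv4 errors: Fragmentation Needed is type 3 code 4, a destination-unreachable subtype.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # IPv6 errors: Packet Too Big (type 2) drives PMTUD; there is no router fragmentation to fall back on.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # IPv6 Neighbor Discovery: without these the host learns no neighbors and no default route.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Echo: keep reachable for troubleshooting, rate-limited so it cannot be used to soak CPU.
        icmp type echo-request limit rate 20/second burst 40 packets accept
        icmpv6 type echo-request limit rate 20/second burst 40 packets accept

        # Any other ICMP type (redirects, timestamps, ...) falls through to the drop policy.
        tcp dport { 80, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The same error messages must be forwarded, not just accepted locally,
        # or hosts behind the router lose PMTUD.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # MSS clamping, the workaround the thread describes: rewrite the SYN's MSS option
        # to fit the route MTU. It helps TCP only; UDP still needs the errors above.
        tcp flags syn tcp option maxseg size set rt mtu

        iifname "lan0" oifname "wan0" accept
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. The point of the layout is that echo is the only ICMP type treated as optional: the error types are accepted unconditionally and forwarded, while the clamp rule is a belt-and-braces addition rather than a substitute for them, which is exactly the distinction wahern draws between fixing your own end and papering over it.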

5/22/2025 at 1:00:44 AM

I unapologetically block ICMP from sources I consider to be trash.

Nothing worth keeping has broken as a result.

by BLKNSLVR

5/22/2025 at 1:04:54 AM

If you consider specific sources to be trash, why would you accept anything from them? Just block them completely…

by eqvinox

5/22/2025 at 1:10:03 AM

Yes, I block them completely, including ICMP.

I also block outgoing to those sources (as destinations).

by BLKNSLVR

5/22/2025 at 6:31:32 PM

There's gotta be a term for what just happened in this thread, because it's something I've seen several times on HN.

Person A makes a statement against X, Person B challenges the statement saying "if you're against X, why aren't you against Y?" when X is a subset of Y, then person A says "I'm against Y too"

It just seems odd to me because the original statement against X is very specific, so it implies that they only dislike A.

To give a simple example, imagine someone saying "I hate red Mazda Miatas" when the truth is that they hate red cars in general. It's just so odd and misleading to be so specific when the truth is far more general.

I think the point I'm trying to make is...if you're blocking ALL traffic, including ICMP, from sources you consider trash, then why would you start the conversation with "I block ICMP"? Why go out of your way to create such a miscommunication? More importantly, how is your general viewpoint even relevant to a topic that's specifically about ICMP?

by Sohcahtoa82

5/22/2025 at 11:15:27 PM

The topic was specifically ICMP, so I addressed that.

I didn't want to stray too far off topic, so I left it at that. I had / have a little project running that detects "uninvited activity" on my systems, and blocks traffic (including ICMP) to and from those sources based on a few rules.

https://github.com/UninvitedActivity/UninvitedActivity

It needs some maintenance, so I sometimes avoid mentioning it.

ICMP can be a special case because of the reasons mentioned in the article and other replies, such is why I addressed it separately from other types of blocking (e.g. ports). The main point I wanted to make in my original comment was that my blocking of ICMP from 'trash' sources causes my internet experience no problems; that whilst blanket blocking ICMP may not be a good idea, selective blocking doesn't seem to be a problem.

by BLKNSLVR

5/22/2025 at 8:20:29 PM

I didn't follow up because one of those terms is "having autism". Or rather, I know a person who, understanding why this confuses/riles people, is putting active effort into not doing it, and is saying it's an aspect of autistic behavior for them. Of course autism is hugely variable, but context-related communication problems like this seem relatively common with high-functioning autism (where communication skills are close to the normie spectrum).

Some people just do it to troll, though. It's rather silly, considering they're kneecapping their own communications, but… as with all trolls, non-engagement tends to be the best option.

(So I'm non-engaging for 2 distinct reasons.)

by eqvinox

5/22/2025 at 12:52:14 AM

I don't know why people focus on blocking protocols when IP addresses are more useful. I've blocked most of DO's IP address space and it really cleaned up the logs.

by paulnpace

5/22/2025 at 10:17:25 AM

I wish I could block any IP that runs cPanel and WordPress.

Every time a server is hammering our corporate firewall, I know that if I put it into Shodan, it's going to be running out of date versions of those two. It's rare they come from the same IP block, so at best I can block a /32 if they're a persistent offender.

by chedabob

5/21/2025 at 11:37:18 PM

[dead]

by TacticalCoder

5/21/2025 at 11:39:16 PM

Yes

by MaxGripe

5/21/2025 at 11:50:24 PM

That's why I only use urinals with dividers, to block ICUP

by IAmNotACellist