
Should I Block ICMP?


63 comments

May 21, 2025

protocolture

ISP: No, you should definitely have ICMP available for testing.

SAAS Engineer: Leave it on so I can tell when your shit goes down without having to consult your service status page.

Sysadmin: I really don't care what you do, just enable it when you raise a complaint with your ISP so they can tell you what you broke.

Residential: Your TP Link hyper dreadnought super hawk that is taking up every inch of the 5 GHz indoor spectrum in your home is probably already blocking ICMP for you. It's probably also already part of a botnet. YMMV.

wahern

> Sysadmin: I really dont care what you do

Dropping ICMP breaks path MTU discovery (PMTU). It's the biggest reason why sites break when accessed (or served) over VPNs. This is often mitigated on the server, or in NAT-ing routers, by clamping TCP MSS, but that doesn't really resolve the problem. It doesn't fix it for UDP, nor likely for double VPN scenarios, etc, plus you're just losing bandwidth that way.

Some people make fatalistic arguments that even if they allow ICMP, something downstream may not have, so it's futile. But the networks in the middle rarely if ever block ICMP; those engineers know better. The real issue is on the ends. If you're a sysadmin dropping ICMP, you're half the problem. Fix ICMP on your end, and half the problem goes away. The other half of the problem are those NAT-ing routers, firewalls, and VPNs that don't handle ICMP properly. You can't fix those, but plenty of residential and commercial equipment on the other end, as well as VPN setups, actually do the right thing. Don't make perfect the enemy of better.
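To make the "fix ICMP on your end" advice concrete, here is an added example (not from the thread or any vendor's firewall code) of the minimal ICMPv4 policy a host or edge firewall needs: verify the checksum, always pass Destination Unreachable (including code 4, Fragmentation Needed, which carries the Next-Hop MTU that PMTUD depends on) and Time Exceeded, rate-limit Echo Request per source, and drop the rest. The token-bucket numbers, the addresses and the packets are constructed for the demo.

```python
"""Minimal ICMPv4 allow-list: keep what PMTUD and traceroute need,
rate-limit echo, drop everything else. Added example, not the thread's code."""
import struct
from collections import defaultdict

# ICMPv4 type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # code under DEST_UNREACH; carries Next-Hop MTU (RFC 1191)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmpv4(pkt: bytes) -> dict:
    """Parse type/code and verify the checksum (ICMPv4 has no pseudo-header)."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    if ones_complement_sum(pkt) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    typ, code = pkt[0], pkt[1]
    msg = {"type": typ, "code": code, "payload": pkt[8:]}
    if typ == DEST_UNREACH and code == FRAG_NEEDED:
        msg["next_hop_mtu"] = struct.unpack("!H", pkt[6:8])[0]  # bytes 6-7
    return msg


class EchoLimiter:
    """Per-source token bucket for Echo Requests (assumed: burst 5, refill 1/s)."""

    def __init__(self, rate: float = 1.0, burst: int = 5):
        self.rate, self.burst = rate, burst
        self.state = defaultdict(lambda: [float(burst), None])  # src -> [tokens, last]

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.state[src]
        if last is not None:
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.state[src] = [tokens - 1 if ok else tokens, now]
        return ok


def icmpv4_policy(pkt: bytes, src: str, limiter: EchoLimiter, now: float) -> str:
    """Firewall verdict for one inbound ICMPv4 message from src."""
    msg = parse_icmpv4(pkt)
    t, c = msg["type"], msg["code"]
    if t == DEST_UNREACH and c == FRAG_NEEDED:
        return "accept:pmtud(mtu=%d)" % msg["next_hop_mtu"]  # the PMTUD signal
    if t in (DEST_UNREACH, TIME_EXCEEDED):  # unreachables and traceroute replies
        return "accept"
    if t == ECHO_REQUEST:
        return "accept" if limiter.allow(src, now) else "drop:ratelimit"
    if t == ECHO_REPLY:  # a stateful firewall would match this to our own requests
        return "accept"
    return "drop"  # redirects (5), timestamps, etc.


def build_icmpv4(typ: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Construct an ICMPv4 message with a correct checksum (demo input only)."""
    pkt = struct.pack("!BBH", typ, code, 0) + rest[:4].ljust(4, b"\x00") + payload
    return pkt[:2] + struct.pack("!H", ones_complement_sum(pkt)) + pkt[4:]


def demo() -> list:
    limiter = EchoLimiter()
    # Constructed: a VPN hop reporting MTU 1400 for one of our DF-marked packets
    frag_needed = build_icmpv4(DEST_UNREACH, FRAG_NEEDED, struct.pack("!HH", 0, 1400), b"\x45" * 28)
    results = [icmpv4_policy(frag_needed, "198.51.100.1", limiter, 0.0)]
    echo = build_icmpv4(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping")
    for i in range(7):  # seven pings inside one second from a single source
        results.append(icmpv4_policy(echo, "203.0.113.9", limiter, 0.1 * i))
    redirect = build_icmpv4(5, 1, b"\x0a\x00\x00\x01", b"\x45" * 28)  # ICMP Redirect
    results.append(icmpv4_policy(redirect, "203.0.113.9", limiter, 1.0))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the "drop all ICMP" rule and the "accept ICMP" rule are not the only choices: the Fragmentation Needed message is accepted unconditionally (and its MTU value extracted), while the noisy type, Echo Request, is what gets rate-limited.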

protocolture

You are absolutely correct, but also, I am already having to clamp MTU for most business customers anyway, for a hundred reasons.

The issue is that sysadmins make this the ISP's issue anyway. They won't do any kind of investigation but simply yell at the telco. Telcos are ready, willing and able to clamp. It's as natural as breathing at this point.

The only thing that gets me is when some small business refuses to enable ICMP for troubleshooting when they raise a complaint. You have to come to the table at least that far.
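What "clamping" actually does on the wire, as an added example (not the thread's or any telco's code): a middlebox rewrites the MSS option in a SYN or SYN-ACK down to path MTU minus IP and TCP headers, and patches the TCP checksum incrementally (RFC 1624) rather than resumming the segment. The 1400-byte path MTU and the SYN segments are constructed assumptions. Note the limitation wahern raises: this only touches TCP, because only TCP carries an MSS option.

```python
"""TCP MSS clamping with an incremental checksum update, as a middlebox does it.
Added example, not from the thread; path MTU and segments are constructed."""
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20  # minimum header sizes
TCP_CKSUM_OFF = 16


def fold16(total: int) -> int:
    """End-around-carry fold to 16 bits (one's complement arithmetic)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def incremental_checksum(old_cksum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m')."""
    return ~fold16((~old_cksum & 0xFFFF) + (~old_word & 0xFFFF) + new_word) & 0xFFFF


def patch_bytes(seg: bytearray, off: int, new: bytes) -> None:
    """Overwrite seg[off:off+len(new)] and fix the TCP checksum for every
    16-bit word (aligned to the segment start) the write touches, so the MSS
    option may legally sit at an odd offset (e.g. after a NOP)."""
    cksum = struct.unpack("!H", seg[TCP_CKSUM_OFF:TCP_CKSUM_OFF + 2])[0]
    words = range(off & ~1, (off + len(new) + 1) & ~1, 2)
    old = [struct.unpack("!H", seg[j:j + 2])[0] for j in words]
    seg[off:off + len(new)] = new
    for j, o in zip(words, old):
        cksum = incremental_checksum(cksum, o, struct.unpack("!H", seg[j:j + 2])[0])
    seg[TCP_CKSUM_OFF:TCP_CKSUM_OFF + 2] = struct.pack("!H", cksum)


def clamp_mss(segment: bytes, path_mtu: int, ipv6: bool = False):
    """segment = TCP header + options + payload (IP header already stripped).
    Returns (segment, new_mss); new_mss is None when nothing was rewritten."""
    if len(segment) < TCP_HDR:
        raise ValueError("truncated TCP header")
    data_off = (segment[12] >> 4) * 4
    if not segment[13] & 0x02:  # MSS is only valid on SYN / SYN-ACK
        return segment, None
    limit = path_mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR
    i = TCP_HDR
    while i < data_off:
        kind = segment[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            raise ValueError("malformed TCP option")
        if kind == TCP_OPT_MSS and length == 4:
            mss = struct.unpack("!H", segment[i + 2:i + 4])[0]
            if mss <= limit:
                return segment, None
            seg = bytearray(segment)
            patch_bytes(seg, i + 2, struct.pack("!H", limit))
            return bytes(seg), limit
        i += length
    return segment, None  # no MSS option: the peer falls back to the 536 default


def checksum_neutral(before: bytes, after: bytes) -> bool:
    """A correct rewrite leaves the one's-complement sum over the whole
    segment (checksum field included) unchanged; the pseudo-header is untouched."""
    def total(b: bytes) -> int:
        b = b + b"\x00" * (len(b) % 2)
        return fold16(sum(struct.unpack("!%dH" % (len(b) // 2), b)))
    return total(before) == total(after)


def build_syn(mss: int, nop_first: bool = False) -> bytes:
    """Constructed SYN 40000 -> 443 with an MSS option. The checksum field holds
    an arbitrary value; the demo only checks that the rewrite is sum-neutral."""
    opts = (b"\x01" if nop_first else b"") + struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    opts = opts.ljust(4 * ((len(opts) + 3) // 4), b"\x00")  # pad to 32-bit words
    data_off = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, data_off << 4, 0x02, 65535, 0xBEEF, 0)
    return hdr + opts


def demo() -> dict:
    syn = build_syn(1460)                    # ordinary Ethernet MSS
    clamped, new = clamp_mss(syn, 1400)      # assumed VPN path MTU of 1400
    syn6 = build_syn(1440, nop_first=True)   # MSS option at odd offset 21
    clamped6, new6 = clamp_mss(syn6, 1400, ipv6=True)
    return {
        "v4": (new, checksum_neutral(syn, clamped)),
        "v6": (new6, checksum_neutral(syn6, clamped6)),
        "already_small": clamp_mss(build_syn(1200), 1400)[1],
    }


if __name__ == "__main__":
    print(demo())
```

For IPv4 the 1460 advertised by the client becomes 1360 (1400 minus 40 bytes of headers); for IPv6 the same path yields 1340 because the base header is 40 bytes. UDP, and anything tunnelled a second time, gets no such help, which is why clamping is a workaround and not a substitute for passing Fragmentation Needed.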

Avicebron

> small business refuses to enable ICMP for troubleshooting

Depending on your definition of small business, asking someone "hey can you enable ICMP real quick" is like asking them "hey can you build a rocket ship while skydiving?"

eqvinox

> Residential: Your TP Link […] is probably already blocking icmp for you.

If it does, it generally won't pass telco CPE certification, i.e. Comcast and the likes won't be selling it to you in any bundle. Blocking ICMP Fragmentation Needed / ICMPv6 Packet Too Big is a hard fail on all of those, other message types can vary.

(Source: I work in this area.)

[Ed.: to be clear, there is no single "telco CPE certification"; each telco decides this on their own. A bunch of them form groups/"alliances" though, and a lot of the certification requirements are the same everywhere.]

protocolture

Inbound echo request and echo reply are almost always blocked in my experience.

eqvinox

Which is ≈mostly≈ fine; I'm just saying people in appropriate places (deciding which CPEs get sold to you) have gotten rather touchy about the PMTU bits. And rightfully so!

walrus01

> Your TP Link hyper dreadnought super hawk that is taking up every inch of the 5ghz indoor spectrum in your home is probably already blocking icmp for you. Its probably also already part of a botnet

The more spiky black angular antennas you put sticking up on a router that makes it resemble a science fiction movie arachnid-form robot, the faster it goes. This seems to be the universal design language now.

For routers that consumers purchase themselves, the design language seems to have been optimized to look amazing and cool and grab the attention of someone browsing the aisles at the local Best Buy.

ziml77

I bought a TP Link router to run in AP mode for WiFi 7. It has none of those antennae sticking out. It does have a little grid of LEDs on the front that I have set to the UwU face option though...

alabastervlog

My newest router doesn't have any of that shit and works just as well, with at least as much range, as the one it replaced, which had six(!) of those insectoid antenna things.

I wouldn't be surprised if the damn antennas are just empty. They don't seem to serve any purpose.

protocolture

I wish I knew more about RF engineering to comment, but the impression I get is that they cause more problems with interference than they solve.

isatty

No, don’t block ICMP.

Also, implement ssl because it’s trivial and prevents garbage isps from injecting ads.

Third, how about no ads to begin with?

truekonrads

Path MTU discovery lives off ICMP. Block ICMP and expect connections to fail.

rfl890

Clicked expecting a fat "NO", wasn't even surprised when I saw it.

bastard_op

Blocking ICMP tends to come with blocking ICMP Unreachables, which happen to handle Path MTU Discovery (PMTUD), which you definitely want on if you work around VPNs at all, or certain ISPs that might not allow a full 1500-byte frame. Microsoft particularly loves to set application traffic to Do-Not-Fragment, and this will play chaos on many Microsoft things if PMTUD is disabled around reduced MTU environments.

It's best left on at least inside a private/protected network.

paffdragon

I am not a network engineer, but when I hear ICMP, I associate it with consuming CPU on my shitty router and DDoS potential. I only block ICMP for unknown external traffic (response to packets not otherwise blocked by firewall, then aggressively rate limit that) and allow it internally. I used to go overboard in the past and learned how annoying it is to not be able to do a simple ping...

eqvinox

If people can send packets to you, they can DDoS your shitty plastic router CPU regardless of you blocking ICMP or not. And whether your router generates a reply is really ancillary to the question — so long as that reply isn't notably larger than the triggering packet. (Otherwise you're running a reflection amplifier and some people would like to have words with you.)

These days with cheap bandwidth about, the only way to really prevent DDoS is to catch them at the source(s). Hell, I have 25Gbit at home (Init7), I can blow entire small telcos off the internet. Once. Then Init7 terminates my service. And that's really the only thing that can prevent this…

paffdragon

Fair enough. For me personally it's not that big of a concern. I just remember from a previous network monitoring gig that using ICMP had a few problems with rate limiting. But that wasn't my cheap router at stake. It's probably just something that stuck with me and not that relevant in my context anymore.

mmis1000

Blocking ICMP doesn't even fix the CPU issue though; the router still uses CPU to decide which packets should be blocked.

If you really care about the CPU usage, you should drop raw traffic instead (when a DoS from a certain IP is detected).

paffdragon

Indeed. What I meant was that it's cheaper to drop than to generate a reply. But you are right, and I also mentioned in the other reply, that my router wouldn't stand a chance dropping or replying to a DDoS anyway, so probably this concern is not relevant in the home router context.

taikahessu

Should I block port 80?

master_crab

Port 53 isn’t necessary either if you have a good memory for numbers.

aleph_minus_one

Yes. And port 443, too.

tuatoru

Should I disable the fan on my cpu?

Dwedit

In all seriousness, there is fan control software where you can request a speed of 0 when temperature is in a particular range.

LoganDark

Apple Silicon machines do this

gosub100

Yes if the machine is operating in a vacuum.

labster

Only if you leave the spacebar heating config set to off


babuloseo

It's like me blocking YouTube in the hosts file, or even on Pi-hole or similar, manually. I realize blocking YouTube BREAKS a lot of things in the network.

Retr0id

What does blocking youtube break, aside from youtube?

gavinsyancey

There's a YouTube domain that's somehow a load-bearing part of Google's OAuth login flow.

cj

I’ve never understood this (and really would like to). Why on earth does Google redirect to YouTube and then back to Google when logging in…

The only reason I can think of is to sync user session cookies across domains?

guyzero

shouldiimplementssl.com

branon

The explanation I've seen before is that it doesn't really matter for websites that don't _want_ anything from you. No credentials, no login forms, no text entry fields.

Maybe there are edge cases associated with this?

baby_souffle

> The explanation I've seen before is that it doesn't really matter for websites that don't _want_ anything from you. No credentials, no login forms, no text entry fields.

Still worth creating a bit of a shield between you and the site to make it just that much harder for anybody in the middle to inject anything / change anything.

Back before Let's Encrypt made it inexcusable to not have HTTPS, it was a common-ish prank to MITM all the HTTP traffic you could see and do something harmless like rotate images 180 degrees.

timewizard

That also requires either a shared wifi network or ARP spoofing. It's not something that HTTP itself inherently allows.

SAI_Peregrinus

In addition to what everyone else has said, having everything be encrypted means encryption isn't "special", there's no metadata that indicates that the communication contains secret data due to encryption. If people don't encrypt non-sensitive traffic, then sensitive traffic stands out. So there's a sort of civic duty element to enabling TLS (or using encrypted messaging, etc.).

justin_oaks

Without TLS, sometimes still referred to as SSL, a website's content can be modified by anyone controlling the network path. This includes ISPs and WiFi operators.

Sure, your website may have unimportant stuff on it that nobody relies on, but do you want visitors to see ads in your content that you didn't put there?

crote

> Maybe there are edge cases associated with this?

Plenty. There are a lot of information-only websites where you might want to keep your visit to yourself.

To give an obvious example: some parts of the United States are trying very hard to make abortion impossible. The state government could mandate that ISPs MitM your traffic, and alert the police when you visit a website giving you information about the legal abortion clinics in a neighboring state. Guess you'll be getting a home visit...

The same is going to apply with looking up info on LGBT subjects, civil rights, Tiananmen Square, a religion not explicitly allowed by the state, whether Eurasia has always been at war with Oceania, and so on. Heck, even a seemingly innocent website visit could theoretically come back to haunt you years later. Just some bored scrolling on Wikipedia? Nope, you were planning a crime - why else were you reading pages about chemical warfare during WW I? That neighbor who died due to mixing bleach and ammonia was obviously murdered by you.

If it's unencrypted, you should assume it's being logged by someone nefarious. Are you still okay with it?

kccqzy

The website might not be designed to have credentials or login forms, but now you have allowed attackers to place fake login forms on your website. And given the prevalence of password reuse for the general population, attackers can easily harvest real passwords this way.

Not to mention injected ads which used to be very common in the late 2000s.

pessimizer

Without TLS, people (service providers and intermediaries) can tell what pages I'm reading on your site. They can make the kind of inferences from these that get people convicted at trial.

TLS is more important on sites that are just serving information. It's easy to reconstruct your train of thought as you click around.

Librarians have fought (and lost) to defend our privacy to read.

https://www.ala.org/advocacy/intfreedom/privacyconfidentiali...

AStonesThrow

Remember the C-I-A triad of security.

I consider the integrity of messages to-and-from the web to be very important.

Many of us lived through days when ISPs or some other greedy middleman injected ads into unsecured web pages. They played DNS tricks too.

Imagine if you had an app download that could be maliciously modified in-flight.

Furthermore, a certificate can guarantee you’re not connected to an imposter. What if the TFA link was redirected to “abevigoda.com”? Catastrophe!

rabbitofdeath

thankfully it's pingable ¯\_(ツ)_/¯

  $ ping shouldiblockicmp.com
  PING shouldiblockicmp.com (52.92.225.139) 56(84) bytes of data.
  64 bytes from s3-website-us-west-2.amazonaws.com (52.92.225.139): icmp_seq=1 ttl=241 time=75.3 ms

eqvinox

No IPv6 though.

  $ ping -6 shouldiblockicmp.com 
  ping: shouldiblockicmp.com: Address family for hostname not supported

BenjiWiebe

Maybe you should buy shouldiblockicmpv6.com...

eqvinox

The good thing about that is that I don't have to do that because if you blanket block ICMPv6, IPv6 just won't work at all. No neighbor discovery, no default route ;D
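As an added example (not the thread's code) of why a blanket ICMPv6 block is self-defeating: the message types below are classified into the ones IPv6 cannot work without (Neighbor Discovery, Packet Too Big), the error types worth accepting, and echo, which is the only part that is a genuine policy choice. Two checks a practitioner wants are included: the ICMPv6 checksum covers an IPv6 pseudo-header (unlike ICMPv4), and NDP messages must arrive with hop limit 255, so anything else crossed a router and is a forgery. Addresses, hop limits and messages are constructed.

```python
"""ICMPv6 classification: what must pass for IPv6 to work at all, with the
pseudo-header checksum and the RFC 4861 hop-limit-255 check. Added example."""
import ipaddress
import struct

NEXT_HEADER_ICMPV6 = 58
# RFC 4443 / RFC 4861 type numbers
DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
NDP = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect
ERRORS = {DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM}


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 8200 sec 8.1: pseudo-header (src, dst, length, next header) + message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(msg), NEXT_HEADER_ICMPV6))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmpv6(src: str, dst: str, typ: int, code: int, body: bytes) -> bytes:
    """Construct an ICMPv6 message with a valid checksum (demo input only)."""
    msg = struct.pack("!BBH", typ, code, 0) + body
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def classify(src: str, dst: str, hop_limit: int, msg: bytes) -> dict:
    """Verdict for one inbound ICMPv6 message; src/dst/hop_limit come from the IPv6 header."""
    if len(msg) < 8 or icmpv6_checksum(src, dst, msg) != 0:  # valid message sums to zero
        raise ValueError("truncated ICMPv6 or bad checksum")
    typ, code = msg[0], msg[1]
    out = {"type": typ, "code": code}
    if typ in NDP:
        # RFC 4861: NDP is link-local and sent with hop limit 255. Anything else was
        # forwarded by a router, i.e. spoofed, and is dropped although NDP is required.
        out["verdict"] = "accept:ndp" if hop_limit == 255 else "drop:ndp-offlink"
    elif typ == PACKET_TOO_BIG:
        mtu = struct.unpack("!I", msg[4:8])[0]
        out["mtu"] = mtu
        # RFC 8201: never shrink below the 1280-byte IPv6 minimum, even if a
        # buggy or malicious PTB advertises less.
        out["effective_mtu"] = max(mtu, 1280)
        out["verdict"] = "accept:pmtud"
    elif typ in ERRORS:
        out["verdict"] = "accept:error"
    elif typ in (ECHO_REQUEST, ECHO_REPLY):
        out["verdict"] = "accept:echo"  # the one part that is a policy choice
    else:
        out["verdict"] = "drop"
    return out


def demo() -> list:
    src, dst = "2001:db8::1", "2001:db8::2"  # constructed (documentation prefix)
    ptb = build_icmpv6(src, dst, PACKET_TOO_BIG, 0, struct.pack("!I", 1400) + b"\x60" * 40)
    ll_src, sol_node = "fe80::1", "ff02::1:ff00:2"
    ns = build_icmpv6(ll_src, sol_node, 135, 0, bytes(4) + ipaddress.IPv6Address(dst).packed)
    echo = build_icmpv6(src, dst, ECHO_REQUEST, 0, struct.pack("!HH", 1, 1) + b"ping")
    return [
        classify(src, dst, 64, ptb)["verdict"],
        classify(src, dst, 64, ptb)["mtu"],
        classify(ll_src, sol_node, 255, ns)["verdict"],   # genuine on-link NS
        classify(ll_src, sol_node, 64, ns)["verdict"],    # same bytes after a router hop
        classify(src, dst, 64, echo)["verdict"],
    ]


if __name__ == "__main__":
    print(demo())
```

The split mirrors eqvinox's point: if your IPv6 rule set starts with "drop icmpv6", you have no neighbour cache and no default route before you ever get to decide about ping.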

BLKNSLVR

I unapologetically block ICMP from sources I consider to be trash.

Nothing worth keeping has broken as a result.

eqvinox

If you consider specific sources to be trash, why would you accept anything from them? Just block them completely…

BLKNSLVR

Yes, I block them completely, including ICMP.

I also block outgoing to those sources (as destinations).