  2. 5

    First paragraph is about no firewall running. Not sure I even want to continue reading…

    1. 4

      Further along in the article, a firewall is mentioned and it seems the recommendation is to disable ICMP responses which can be annoying.

      1. 5

        Annoying is the least of it - disabling all of ICMP breaks networking in subtle ways.

        http://shouldiblockicmp.com/

        1. 7

          It’s even worse for IPv6 where ICMP is used for what ARP is used for in v4 and, more importantly, where packets are never fragmented and clients rely on path MTU discovery to determine the largest size packet they can send.

          That also relies on ICMP and those messages absolutely should pass firewalls or we’ll forever be stuck with the smallest guaranteed packets (1280 bytes which is better than it was in v4. But still)

        2. 1

          Yeah, not sure when I last heard about a real ICMP flood attack, must be 10+ years ago. And no one except AWS disables it (at least I never noticed, except in company networks)…

          1. 2

            It’s quite commonplace for ICMP traffic to be deprioritised below other traffic types by routers—especially with off-the-shelf equipment from many large vendors—but it is, rightly, quite rare to see it filtered altogether these days. Dropping or disabling ICMP can be harmful as it throws away important information that would allow hosts to recover from some network conditions. A prominent example is path MTU discovery.
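The point the thread keeps coming back to (don't drop ICMP wholesale; let the message types hosts need for path MTU discovery and IPv6 neighbour discovery through) can be expressed as a host firewall policy. The nftables ruleset below is an added example, not something posted in the thread or taken from the article it discusses; it assumes a Linux host using nftables and follows the ICMPv6 filtering advice in RFC 4890. Adjust the rate limits to taste.

```nft
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    ct state established,related accept
    iif lo accept

    # The "annoying" variant from the thread would be a blanket drop, e.g.:
    #   meta l4proto { icmp, icmpv6 } drop
    # That silently breaks PMTUD (black-holed large packets) and, on IPv6,
    # neighbour discovery itself. Allow the needed types explicitly instead.

    # IPv4: error messages that let hosts recover from network conditions.
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    # Echo requests are kept but rate-limited rather than dropped.
    icmp type echo-request limit rate 10/second accept

    # IPv6: packet-too-big carries the path MTU; without it v6 is stuck at
    # the 1280-byte minimum. The nd-* types replace ARP.
    icmpv6 type {
      destination-unreachable, packet-too-big, time-exceeded,
      parameter-problem
    } accept
    icmpv6 type {
      nd-router-solicit, nd-router-advert,
      nd-neighbor-solicit, nd-neighbor-advert
    } accept
    # MLD queries are needed for multicast group membership (used by ND).
    icmpv6 type mld-listener-query accept
    icmpv6 type echo-request limit rate 10/second accept

    # Anything else falls through to the drop policy.
  }
}
```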