Blocking ICMP echo (ping) to make grc.com happy

Topic

New Reply

When I moved, I had to go from my old Linksys router to a ISP-supplied Sagemcom 5260 Fast; now when I visit Shields Up! at grc.com, it passes every port test but fails ICMP (ping). I made rules to block it for v4 and v6 in Windows Firewall, but still no joy. Questions:

1. Is it the router itself that is responding, and it’s configured that way in the firmware?
2. Read through a few articles on the subject, and the consensus seems to be that “In short, blocking ICMP is detrimental to the successful operation of networks. It will break more than just ping; in fact, many protocols will be neutered if ICMP isn’t working.” True? Is this blocking of ping just an old bogeyman?
3. Is this a “NAT” router, and it’s going to respond to ping no matter what? No mention of “NAT” anywhere in the manual.
4. Shall I leave the new block rules in place and enabled so it can’t get past the Windows software firewall?
5. 5. Or….or…

As you can tell, networking is not my subject; my old PC guru tried pulling me through the other side of the firewall a number of times, but it never ‘took’. I have to take a course and set myself again to learn!

Thanks to all in advance!

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

Replies

? says:

you can look in your (advanced) router settings and see if it has a switch to “stealth,” the ipv4. that is what gets me past the GRC ICMP test

Reply | Quote

Stealthing all your router’s ports does NOT disable Ping Reply (ICMP Echo). These are two separate issues. My own Sagemcom FAST 3868 Cable Gateway has the same issue. GRC’s Shields UP! test shows all its ports stealthed yet it fails the test because of the Ping Reply issue. If anyone has the same Gateway (router) and can help me find a setting to disable Ping Reply it will be very much appreciated. Thanks.

Reply | Quote

There is no need to disable ping. It might make you feel better, but it makes no difference to the script kiddies, who scan everything regardless.
The important bit is to have a router that doesn’t respond to anything other than ping, most importantly, requests to logon to the management page.

cheers, Paul

Reply | Quote

(Having dealt with ISP’s and trying to get their equipment locked down for PCI compliance…)

Most likely the ISP has it enabled so they can remotely perform troubleshooting on the equipment – if that’s the case, you most likely won’t be able to shut the door.

You could call them for confirmation but that would be my guess. They usually have ports open so they can remotely connect to the equipment. They most likely will ping the equipment to verify connectivity, which is why it’s open.

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

Thanks, Zero! I figgered that was the case. (And #1952573, there is no such switch in the router interface.)

I didn’t _want_ to accept the company modem, but my old beloved Linux-based Linksys wasn’t on their list of approved modems, and I can’t buy a new one currently (senior on fixed/inflation-declining income).

I have read that the old bugaboo about Ping! is no longer as critical factor, as attacks seldom use it, and Gibson’s using it as criteria no longer is as relevant as it used to be. Questions:

1. IS the old bugaboo about Ping being an issue is no longer a factor?
2. Will enabling the blocking of ICMP v4 and v6 at the computer firewall do me any good? My instincts tell me that it would, but it also might keep the ISP from diagnosing any issue that may arise. (I have RDP and all remote control disabled on this machine, so I don’t know what good having them poke around in my machine would do them…and I don’t want them in there anyway…)
3. Does anyone know if this Sagemcom a NAT router?

Inquiring minds want to know… :p

P.S. I would rather eat worms than call my ISP unless I couldn’t deal with it myself…I don’t speak the dialect they use at their call center in Chennai…plus having to go through 12 layers of Tech Support…it feels like I’m playing a 2-hour CG game...”I am the Gatekeeper, are you a Keymaster?” …(Apologies to Ghostbusters.)

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

[Nibbled To Death By Ducks]

Erg, Addendum! Hold the presses! “He that seeks, shall find.”

They have this stuff buried pretty good in the menu; I DID find the switch, flicked it, and now Gibson is happy.

Still, being a tyro at networking, I do have to ask if this is going to cause problems with my ISP…the default level for ping was “low”…significance? I was unaware anything else but “off” and “on” was available. And I DON’T want to have to deal with my ISP if I don’t have to, see above.

Also, I’m uploading a few screenshots of the sub-sub-sub menus in this router with this post; (NOTE: The screenshot shows the ping set to “on”; I set it to “off”-it’s the only adjustment I made.) If anyone sees something that would improve security, let me know. I’m very green at this.

The idea is to keep my ISP happy (firmware and security upgrades) and balance that with security.

Many Thanks!

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

• This reply was modified 5 years, 8 months ago by Nibbled To Death By Ducks.
• This reply was modified 5 years, 8 months ago by Nibbled To Death By Ducks. Reason: Sheer Ignorance

Reply | Quote

I’d say UPNP is a no no.

Just because you don't know where you are going doesn't mean any road will get you there.

3 users thanked author for this post.

Alex5723, Nibbled To Death By Ducks, Microfix

Reply | Quote

Steve Gibson has a nice UPNP Utility exactly for this

Windows - commercial by definition and now function...

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

OK, even WITH this switch enabled in my router, I pass his UPnP test with flying colors.

Care to explain? :/

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

Probably because recent patches fixed the holes – the GRC article is from 2001.

cheers, Paul

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

Windows has UPnP, routers also have UPnP
The GRC link to Plug’n’Pray pertains to the Windows UPnP which is enabled by default (all versions)
What you are seeing in ShieldsUP NTDBD, is your router has UPnP disabled deemed safe, however, your windows UPnP is still enabled shown by the Plug’n’Pray utility.
The explanation is also within the link I posted for Plug’n’Pray.

Windows - commercial by definition and now function...

2 users thanked author for this post.

Michael432, Nibbled To Death By Ducks

Reply | Quote

All GRC tests are of the router connected to your ISP. Sometimes your PC will open ports on the router for games etc, but you are effectively not testing your PC.

cheers, Paul

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

OK, I disabled Ping completely, and all He** broke loose; speeds slowed, packets looked like they were being dropped, and different devices that receive streaming video started acting up.

Turned it back on, and the issues disappeared.

Is it possible that Ping!, being necessary to certain network bookeeping, is held in check by the router’s “Low” “Medium” “High” and (shudder) “Custom” settings? (I haven’t even opened THAT dialog yet!)

I have heard on other sites that turning off Ping! will break things, and that it’s not the bogeyman it once was, modern tech being more dependent on it and different levels of it being controllable. (?)

Grasshopper only want to inquire of great sages, not insult High Kings of Networking…

 

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

Well this is very much not simple and everything depends…

ICMP has plenty of other functions than just ping (ICMP Echo Request / Echo Reply). Things like data packet delivery failure handling and congestion control (data packet too large for this route, send in smaller pieces… etc) are actually most of what ICMP does, and tend to be rather important IF they’re ever needed.

They’re needed every time there’s a heterogenous network boundary with different capabilities (frame size, etc) on different sides.

Blocking just ICMP Echo doesn’t usually hurt much but blocking all ICMP certainly does, especially for bandwidth-optimizing things like video streaming. Some people still insist on blocking all ICMP though…

3 users thanked author for this post.

Michael432, Ascaris, Nibbled To Death By Ducks

Reply | Quote

mn– wrote:

Well this is very much not simple and everything depends…

Ow! OW OW! That’s exactly what I didn’t want to hear…but it’s probably the truth; I’ve known several Windows Networking Gurus to turn into Wetworking Gurus as the whole matter drove them to drink…which may be why I’ve steered clear of the subject as long as I have. My Networking Guru is No Longer With Us, so I guess it’s my turn in the barrel!

Paul T-That’s Windows patches, right?

Microfix, I haven’t downloaded UNPnP or run it on THIS machine, so the router must be sufficiently sophisticated enough to be immune to such a vulnerability, even WITH the UNPnP switch set to “on”. I also don’t run Shields Up!, just the Windows Firewall with Advanced (snort!) Security. Been thinking about Comodo, but like I said, I am woefully unprepared to make an intelligent choice just yet. Have made a few “rules” with WF to keep most of the worst out, but that’s about it.

mn-I get it. Methinks, overall, the Ping! information I have been running on is 20 years outdated (and Mr. Gibson’s website about it may need some updating along with UNPnP, (though he writes some tight code!), and with IPV6 running here I might just as well let ‘er sit on the default “low” (I assume these refer to levels of blocking/access)  it came set with and “foggedabouit”.

Again at the top of this thread, the router is a Sagemcom 5260 Fast 2/5 GHz.

Thanks to all, I hope I have it right…and mn-: next time you’re in SoCal (and survive long enough here, like from the airport to the hotel…(we give medals here for that) you can explain that statement in person…and the drinks are on me!
—
P.S. I guess everyone missed the “Kung Fu” Grasshopper reference…oh well, showing my age, long white beard and staff…

EDITED for language

Win7 Pro SP1 64-bit, Dell Latitude E6330 ("The Tank"), Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Newbie
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

Reply | Quote

Nibbled To Death By Ducks wrote:

Paul T-That’s Windows patches, right?

Yep.

I wouldn’t worry about ping being visible on the internet as long as everything else is clear. Hackers can blast away at you but nothing will hit.

cheers, Paul

2 users thanked author for this post.

Nibbled To Death By Ducks, wavy

Reply | Quote

Well as long as you’re reasonably current on patches… last generally known ping vulnerability was in 2013, IPv6 only. https://www.computerworld.com/article/2483656/microsoft-patch-tuesday–the-ping-of-death-returns–ipv6-style.html

Back in the 90s things were a lot worse, see https://web.archive.org/web/19981206105844/http://www.sophist.demon.co.uk/ping/

And, I’ve seen what can happen when ICMP gets blocked for “security reasons”. At a previous job, with a “standard” ethernet office LAN and a nonstandard “high efficiency” server LAN… and then the router setup was “hidden for security” … well, a whole lot of things stopped working. Servers sent extra large data packets, standard office LAN couldn’t take packets that big so router responded with ICMP type 3 code 4 (as in, data packet too large) … which was then hidden instead of being delivered. So the server received neither acknowledgement nor error, and just tried again with the original large packet…

There’s examples of some other things ICMP does over at https://www.geeksforgeeks.org/internet-control-message-protocol-icmp/

1 user thanked author for this post.

Nibbled To Death By Ducks

Reply | Quote

Here is the solution: access your Sagemcom router (username: admin password:admin), click on the NETWORK tab, click on Basic Settings, click on Services, check the box next to WAN Blocking and click Apply. Run Steve Gibson’s Shields UP! again and you will pass the test with flying colors.

Reply | Quote

Ping is controlled at the modem modem/router.  Disabling ping at the modem does not in any way hamper the ISP’s troubleshooting techniques, as your modem is connected to their modem directly; they don’t need ping.  There is no reason to leave ping enabled.

A ping request is always sent to a specific IP address.  Of course, this can be scripted for multiple addresses, and responding IP addresses directed to a log.  Many folks don’t change the default login credentials for their modem/router.

I advise changing the User ID and password on your modem/router and disabling ping.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

2 users thanked author for this post.

Alex5723, Ascaris

Reply | Quote