  • Blocking ICMP echo (ping) to make grc.com happy

    Posted on Nibbled To Death By Ducks Comment on the AskWoody Lounge


    Topic Resolution: Resolved

    This topic contains 15 replies, has 7 voices, and was last updated by  mn– 2 weeks, 5 days ago.

    • #1952313 Reply

      When I moved, I had to go from my old Linksys router to an ISP-supplied Sagemcom 5260 Fast; now when I visit Shields Up! at grc.com, it passes every port test but fails ICMP (ping). I made rules to block it for v4 and v6 in Windows Firewall, but still no joy. Questions:

      1. Is it the router itself that is responding, and it’s configured that way in the firmware?
      2. Read through a few articles on the subject, and the consensus seems to be that “In short, blocking ICMP is detrimental to the successful operation of networks. It will break more than just ping; in fact, many protocols will be neutered if ICMP isn’t working.” True? Is this blocking of ping just an old bogeyman?
      3. Is this a “NAT” router, and it’s going to respond to ping no matter what? No mention of “NAT” anywhere in the manual.
      4. Shall I leave the new block rules in place and enabled so it can’t get past the Windows software firewall?
      5. Or….or…

      As you can tell, networking is not my subject; my old PC guru tried pulling me through the other side of the firewall a number of times, but it never ‘took’. I have to take a course and set myself again to learn!

      Thanks to all in advance!

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

    • #1952573 Reply

      anonymous

      ? says:

      you can look in your (advanced) router settings and see if it has a switch to “stealth,” the ipv4. that is what gets me past the GRC ICMP test

    • #1952839 Reply

      zero2dash
      AskWoody Lounger

      (Having dealt with ISPs and trying to get their equipment locked down for PCI compliance…)

      Most likely the ISP has it enabled so they can remotely perform troubleshooting on the equipment – if that’s the case, you most likely won’t be able to shut the door.

      You could call them for confirmation but that would be my guess. They usually have ports open so they can remotely connect to the equipment. They most likely will ping the equipment to verify connectivity, which is why it’s open.

      1 user thanked author for this post.
    • #1953076 Reply

      Thanks, Zero! I figgered that was the case. (And #1952573, there is no such switch in the router interface.)

      I didn’t _want_ to accept the company modem, but my old beloved Linux-based Linksys wasn’t on their list of approved modems, and I can’t buy a new one currently (senior on fixed/inflation-declining income).

      I have read that the old bugaboo about Ping! is no longer as critical a factor, as attacks seldom use it, and Gibson’s using it as a criterion is no longer as relevant as it used to be. Questions:

      1. Is the old bugaboo about Ping being an issue no longer a factor?
      2. Will enabling the blocking of ICMP v4 and v6 at the computer firewall do me any good? My instincts tell me that it would, but it also might keep the ISP from diagnosing any issue that may arise. (I have RDP and all remote control disabled on this machine, so I don’t know what good having them poke around in my machine would do them…and I don’t want them in there anyway…)
      3. Does anyone know if this Sagemcom is a NAT router?

      Inquiring minds want to know… :p

      P.S. I would rather eat worms than call my ISP unless I couldn’t deal with it myself…I don’t speak the dialect they use at their call center in Chennai…plus having to go through 12 layers of Tech Support…it feels like I’m playing a 2-hour CG game...”I am the Gatekeeper, are you a Keymaster?” Maybe I should just tell them “I’m a God” next time…(Apologies to Ghostbusters.)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

    • #1953118 Reply

      Erg, Addendum! Hold the presses! “He that seeks, shall find.”

      They have this stuff buried pretty good in the menu; I DID find the switch, flicked it, and now Gibson is happy.

      Still, being a tyro at networking, I do have to ask if this is going to cause problems with my ISP…the default level for ping was “low”…significance? I was unaware anything else but “off” and “on” was available. And I DON’T want to have to deal with my ISP if I don’t have to, see above.

      Also, I’m uploading a few screenshots of the sub-sub-sub menus in this router with this post; (NOTE: The screenshot shows the ping set to “on”; I set it to “off”-it’s the only adjustment I made.) If anyone sees something that would improve security, let me know. I’m very green at this.

      The idea is to keep my ISP happy (firmware and security upgrades) and balance that with security.

      Many Thanks!

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

      • #1962673 Reply

        wavy
        AskWoody Plus

        I’d say UPNP is a no no.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        2 users thanked author for this post.
        • #1962685 Reply

          Microfix
          Da Boss

          Steve Gibson has a nice UPNP Utility exactly for this 😉

          ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

          1 user thanked author for this post.
          • #1962784 Reply

            OK, even WITH this switch enabled in my router, I pass his UPnP test with flying colors.

            Care to explain? :/

            Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
            --
            "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

            • #1962869 Reply

              Paul T
              AskWoody MVP

              Probably because recent patches fixed the holes – the GRC article is from 2001.

              cheers, Paul

              1 user thanked author for this post.
            • #1963067 Reply

              Microfix
              Da Boss

              Windows has UPnP, routers also have UPnP
              The GRC link to Plug’n’Pray pertains to the Windows UPnP which is enabled by default (all versions)
              What you are seeing in ShieldsUP NTDBD, is your router has UPnP disabled deemed safe, however, your windows UPnP is still enabled shown by the Plug’n’Pray utility.
              The explanation is also within the link I posted for Plug’n’Pray.

              ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

              1 user thanked author for this post.
    • #1957105 Reply

      Paul T
      AskWoody MVP

      All GRC tests are of the router connected to your ISP. Sometimes your PC will open ports on the router for games etc, but you are effectively not testing your PC.

      cheers, Paul

      1 user thanked author for this post.
    • #1962788 Reply

      OK, I disabled Ping completely, and all He** broke loose; speeds slowed, packets looked like they were being dropped, and different devices that receive streaming video started acting up.

      Turned it back on, and the issues disappeared.

      Is it possible that Ping!, being necessary to certain network bookkeeping, is held in check by the router’s “Low” “Medium” “High” and (shudder) “Custom” settings? (I haven’t even opened THAT dialog yet!)

      I have heard on other sites that turning off Ping! will break things, and that it’s not the bogeyman it once was, modern tech being more dependent on it and different levels of it being controllable. (?)

      Grasshopper only want to inquire of great sages, not insult High Kings of Networking… 🙂

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

      • #1962797 Reply

        mn–
        AskWoody Lounger

        Well this is very much not simple and everything depends…

        ICMP has plenty of other functions than just ping (ICMP Echo Request / Echo Reply). Things like data packet delivery failure handling and congestion control (data packet too large for this route, send in smaller pieces… etc) are actually most of what ICMP does, and tend to be rather important IF they’re ever needed.

        They’re needed every time there’s a heterogeneous network boundary with different capabilities (frame size, etc) on different sides.

        Blocking just ICMP Echo doesn’t usually hurt much but blocking all ICMP certainly does, especially for bandwidth-optimizing things like video streaming. Some people still insist on blocking all ICMP though…

        1 user thanked author for this post.
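
The difference between blocking only ICMP Echo and blocking all ICMP, described in the reply above, shown as an added example that is not part of the original thread. It parses ICMP headers from constructed sample traffic and reports which essential messages each policy would discard; the policy functions, the sample packets and the ICMPv6 entries (which go beyond what the reply lists) are assumptions chosen for illustration.

```python
import struct

# (ip_version, icmp_type, icmp_code) -> role; code None means "any code".
ESSENTIAL = {
    (4, 3, 4): "fragmentation needed (path MTU discovery)",
    (4, 11, None): "time exceeded",
    (6, 2, None): "packet too big (path MTU discovery)",
    (6, 3, None): "time exceeded",
    (6, 135, None): "neighbor solicitation",
    (6, 136, None): "neighbor advertisement",
}
ECHO_REQUEST = {4: 8, 6: 128}  # the only thing a "ping" probe sends

def parse_icmp(message: bytes):
    """Return (type, code) from an ICMP/ICMPv6 header: type, code, checksum."""
    if len(message) < 4:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code, _checksum = struct.unpack("!BBH", message[:4])
    return icmp_type, icmp_code

def essential_role(version, icmp_type, icmp_code):
    return (ESSENTIAL.get((version, icmp_type, icmp_code))
            or ESSENTIAL.get((version, icmp_type, None)))

def block_echo_only(version, icmp_type, icmp_code):
    return "drop" if icmp_type == ECHO_REQUEST[version] else "allow"

def block_all_icmp(version, icmp_type, icmp_code):
    return "drop"

def collateral_damage(policy, traffic):
    """List the essential messages that an inbound policy would discard."""
    broken = []
    for version, message in traffic:
        icmp_type, icmp_code = parse_icmp(message)
        role = essential_role(version, icmp_type, icmp_code)
        if role and policy(version, icmp_type, icmp_code) == "drop":
            broken.append(f"ICMPv{version} {role}")
    return broken

def icmp(icmp_type, icmp_code):
    # Constructed sample header; checksum left at 0 because it is not verified here.
    return struct.pack("!BBH", icmp_type, icmp_code, 0) + b"\x00" * 4

# Constructed inbound traffic: (ip_version, raw ICMP message)
SAMPLE_TRAFFIC = [(4, icmp(8, 0)), (4, icmp(3, 4)), (4, icmp(11, 0)),
                  (6, icmp(128, 0)), (6, icmp(2, 0)), (6, icmp(135, 0))]

if __name__ == "__main__":
    for policy in (block_echo_only, block_all_icmp):
        print(policy.__name__, "breaks:", collateral_damage(policy, SAMPLE_TRAFFIC))
```
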
        • #1964001 Reply

          Well this is very much not simple and everything depends…

          Ow! OW OW! That’s exactly what I didn’t want to hear…but it’s probably the truth; I’ve known several Windows Networking Gurus to turn into Wetworking Gurus as the whole matter drove them to drink…which may be why I’ve steered clear of the subject as long as I have. My Networking Guru is No Longer With Us, so I guess it’s my turn in the barrel!

          Paul T-That’s Windows patches, right?

          Microfix, I haven’t downloaded UNPnP or run it on THIS machine, so the router must be sufficiently sophisticated enough to be immune to such a vulnerability, even WITH the UNPnP switch set to “on”. I also don’t run Shields Up!, just the Windows Firewall with Advanced (snort!) Security. Been thinking about Comodo, but like I said, I am woefully unprepared to make an intelligent choice just yet. Have made a few “rules” with WF to keep most of the worst out, but that’s about it.

          mn-I get it. Methinks, overall, the Ping! information I have been running on is 20 years outdated (and Mr. Gibson’s website about it may need some updating along with UNPnP, (though he writes some tight code!), and with IPV6 running here I might just as well let ‘er sit on the default “low” (I assume these refer to levels of blocking/access)  it came set with and “foggedabouit”.

          Again at the top of this thread, the router is a Sagemcom 5260 Fast 2/5 GHz.

          Thanks to all, I hope I have it right…and mn-: next time you’re in SoCal (and survive long enough here, like from the airport to the hotel…(we give medals here for that) you can explain that statement in person…and the drinks are on me! 🙂

          P.S. I guess everyone missed the “Kung Fu” Grasshopper reference…oh well, showing my age, long white beard and staff…

          EDITED for language

          Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
          --
          "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

    • #1964072 Reply

      Paul T
      AskWoody MVP

      Paul T-That’s Windows patches, right?

      Yep.

      I wouldn’t worry about ping being visible on the internet as long as everything else is clear. Hackers can blast away at you but nothing will hit.

      cheers, Paul

      2 users thanked author for this post.
