Block Or Allow Ping

Nadir M · May 8, 2009

So, how many of you block WAN ping on your home router? I keep mine blocked all the time. Supposedly, it protects you from hackers on the net. I did some research to see if it is a real security measure or not. So far I haven't found much on it. So if you could post the reasoning behind your answers and any knowledge you might have on the subject, I would appreciate it!

RichGem · May 8, 2009

toxicbumps said:
So, how many of you block WAN ping on your home router? I keep mine blocked all the time. Supposedly, it protects you from hackers on the net. I did some research to see if it is a real security measure or not. So far I haven't found much on it. So if you could post the reasoning behind your answers and any knowledge you might have on the subject, I would appreciate it!

If you can configure it, the better option is "drop"... ie: don't respond to a ping at all. A "blocked" ping still lets the ping-er know that there's a computer on the other end whereas a "drop" doesn't and therefore is (theoretically) safer for you.

Nadir M · May 8, 2009

Is it great for security's sake to configire to drop? Is there a practical way to set up ping drop on a home router? Also, will it cause glitches in the network when you do this?

soapbox · May 8, 2009

toxicbumps said:
Is it great for security's sake to configire to drop? Is there a practical way to set up ping drop on a home router? Also, will it cause glitches in the network when you do this?

It's better for security to drop all packets that you aren't specifically expecting. Home routers are too varied to say "there's a practical way to set up my home router to drop ping requests" (note: they're sometimes listed as "ICMP" requests). However, you might get the same functionality with a "stealth" mode, or maybe your router does this anyway. Pings can be used maliciously, and of course their primary purpose is to answer the question, "is there a computer there?" which might mark you as a viable target for further vulnerability testing.

It will cause no glitches on the network -- none-- to drop ping packets.

northpaw · May 8, 2009

soapbox said:
It's better for security to drop all packets that you aren't specifically expecting.

That's what I do. Pings included, of course.

RichGem · May 8, 2009

toxicbumps said:
Is it great for security's sake to configire to drop? Is there a practical way to set up ping drop on a home router? Also, will it cause glitches in the network when you do this?

Wiser men than I will have to handle this one. Beyond what I said above, I'm pretty ignorant about internet security config other than GUIed firewalls and such.

beyboo · May 8, 2009

richgem said:
if you can configure it, the better option is "drop"... Ie: Don't respond to a ping at all. A "blocked" ping still lets the ping-er know that there's a computer on the other end whereas a "drop" doesn't and therefore is (theoretically) safer for you.

+1

Nadir M · May 8, 2009

Anyone familiar with dropping the pings through the tomato interface?

ssilcox · May 8, 2009

I'd say above and beyond ICMP requests is to make sure you have a properly secured firewall. The ping requests are just a glorified "Marco" and your computer responds "Polo". If you drop ICMP but have open ports, you are still quite exposed. Make sure you have your firewall up and configured properly, and you wont have to worry about ICMP at all.

Nadir M · May 8, 2009

Anyone here successfully set up qos with tomato and comcast internet?

Nishnabotna · May 8, 2009

Shields Up!
Great place.

arghblech · May 8, 2009

There is no security benefit from blocking ping. Even if you block ICMP I can find out if there is a machine there if *any* port is open.

Trying to hide is stupid and useless. Secure your machines and your networks. Disable any service that you do not need at the given time. That's the only way to really be secure.

rabidpotatochip · May 8, 2009

arghblech said:
There is no security benefit from blocking ping. Even if you block ICMP I can find out if there is a machine there if *any* port is open.

Trying to hide is stupid and useless. Secure your machines and your networks. Disable any service that you do not need at the given time. That's the only way to really be secure.

You're comparing sending and waiting on a few single packets to a full-fledged port scan.

I don't believe security through obscurity is the only type of security you require but I also disagree with the sentiment that it's "stupid and useless". Attacks on your system usually come from one of two sources: 1) script kiddies, people that are just messing around using someone else's tools or 2) organized systems like botnets and malware that aren't going to waste time waiting for a response to a ping, they just try exploiting known weaknesses at every address possible and move on.

In theory, blocking unnecessary traffic will help stop the casual "hacker" from getting into your system, much the same way that locking your front door will stop the casual thief from entering your house. As for the other guys, use a firewall and keep your operating system and anti-virus up to date and you'll keep most of them out too. Current survival time on an unpatched Windows system is around two hours.*

My filter is extremely secure, it blocks all known and unknown attacks... just don't ask what the false positive rate is. :biggrin:

*Oh, and before anybody asks... Survival Time Chart. I picked Windows because most people run it.

soapbox · May 8, 2009

arghblech said:
There is no security benefit from blocking ping. Even if you block ICMP I can find out if there is a machine there if *any* port is open.

Trying to hide is stupid and useless. Secure your machines and your networks. Disable any service that you do not need at the given time. That's the only way to really be secure.

Within reason, you're right (e.g. some scripts only look for certain ports). But security is a many-layered effort. Attention to detail is important.

RichGem · May 8, 2009

rabidpotatochip said:
In theory, blocking unnecessary traffic will help stop the casual "hacker" from getting into your system, much the same way that locking your front door will stop the casual thief from entering your house. As for the other guys, use a firewall and keep your operating system and anti-virus up to date and you'll keep most of them out too. Current survival time on an unpatched Windows system is around two hours.*

well put

My filter is extremely secure, it blocks all known and unknown attacks... just don't ask what the false positive rate is.

OK, I won't ask. But, tell me, what's the root password and IP address? :tongue:

rabidpotatochip · May 8, 2009

RichGem said:
well put

OK, I won't ask. But, tell me, what's the root password and IP address?

Thanks

Root password is "omgponies" & IP address is 127.0.0.1. Better DoS it into submission first though. :tongue:

RichGem · May 8, 2009

rabidpotatochip said:
Thanks

Root password is "omgponies" & IP address is 127.0.0.1. Better DoS it into submission first though.

I'll get right on it! ("there's no place like home. there's not place like home.")

rabidpotatochip · May 8, 2009

RichGem said:
I'll get right on it! ("there's no place like ~~home~~ ~/ there's no place like ~~home~~ ~/")

FTFY.

HTH.

HAND. :biggrin:

RichGem · May 8, 2009

rabidpotatochip said:
FTFY.

HTH.

HAND.

In context, " ~ " would have been sufficient.

:tongue:

GTCY
(glad to correct you :biggrin:

)

rabidpotatochip · May 8, 2009

RichGem said:
In context, " ~ " would have been sufficient.

GTCY
(glad to correct you )

In my world, paths are absolutely absolute. :tongue:

Search

Block Or Allow Ping

Nadir M

RichGem

Nadir M

soapbox

northpaw

RichGem

beyboo

Nadir M

ssilcox

Nadir M

Nishnabotna

arghblech

rabidpotatochip

soapbox

RichGem

rabidpotatochip

RichGem

rabidpotatochip

RichGem

rabidpotatochip

Similar threads