Disable Ping for Better Internet Security?

Status
Not open for further replies.

ZeeOSix

I did a test using "ShieldsUP" (thanks for the site suggestion Garak in my other thread) in the link below to check security status on the "Most Common and Troublesome Internet Ports".

https://www.grc.com/x/ne.dll?rh1dkyd2

Everything passed, but it said they saw a "Ping Reply" from my computer and suggested that the ping function be disabled in the Windows firewall to add internet security by making your computer non-responsive to incoming pings. Is it worth doing? Would it cause any other issues?

 
Thought ping was for how long it takes or lag? I went to static IP as I am a gamer. I guess gaming is better but dynamic is better security?
175mb down, 7.7 up Docsis 3 with Cat6e
 
Originally Posted By: Marco620
Thought ping was for how long it takes or lag?


Their message says: "Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation."

So apparently if you disable the "ping reply" of your computer to any incoming pings, then nobody on the outside can see that your computer is "alive" or "exists".

Only question is ... does that cause other problems with the functionality of the computer on the internet?
 
I'd say it's a pointless recommendation.
You cannot hide.

The modern attacks now have so much computing power behind them, are all automated, and just target everything. They don't need or use ping to filter by IP to a smaller list of targets.

Assuming you aren't an ISP, your block of IPs is used by other subscribers or is already known to be active, so they'll just target the whole block.
 
PITA for fault tracing and performance testing across networks when it's blocked on routers, IIRC, but I suppose that's unlikely to be your problem.
 
Well, I went to YouTube to see how I could disable the ping reply in the Windows Firewall rules. Followed the instructions, but still get a ping reply and still shows a "Fail" on ShieldsUP. Oh well ... set the firewall settings back to original.
 
Good post ZeeOSix ... I think one day I very well may stop ping requests once I read up more. The reason you had the results that you did: once you disabled "ping", it only stops ping within the same network.
To stop "external" ping requests you must turn it off in your router.
I very well may someday when I have the time.

Here is the source, I still have more to read /// Click...

It's pretty indisputable that blocking ping DOES heighten security; just the fact that Belkin states this adds boatloads of credibility, and only read up on this subject for less than 4 minutes so far.
 
Your router should be your line of defense against external threats. This'll also protect your phone and whatever else. If its incoming ports are closed, they aren't going to ping your specific computer because the pings won't be forwarded.

If you have to have open and forwarding ports because you're running a server or gaming, then you'll need to lock down your specific computer.

The flipside though is you should have your computer on aggressive security settings because routers are getting hacked left and right, and a lot of malware comes in through your browser and then tries moving your info *out*. (You're "pulling" vs them "pushing".)
 
^^^^

I'm all done, this is great! Turned off ping request in my router, serves no purpose for us, at least right now. (This is kind of cool.)

In the TPLink AC 1750 I checked the following box.

"Ignore Ping Packet From WAN Port - Enable or Disable Ignore Ping Packet From WAN Port. The default setting is disabled. If enabled, the ping packet from Internet cannot access the Router."

Serves no purpose for our home to have it enabled, and if there is ever an issue, as we have many different streaming devices and a separate router with a VPN to my wife's company, I could just turn it back on. But there will be no reason to turn it back on. I think. Time will tell.
 
OP: If you are behind a router (which you are) then the device GRC is communicating with is your router, not your workstation. Anything you do to modify your software "firewall" settings in Windows will have no effect.

Most WAN-facing residential/SMB gateways have accept PING from WAN enabled by default. This is not a security issue, it simply means that the device responds to an ICMP PING request. Most modern devices also have DOS mitigation, so a PING flood situation is not magically enabled with ping-on-WAN set to true.

Certain ISPs use a periodic PING to determine if a client is still up.

There are far more effective ways to determine the presence of a WAN-facing device on a given public IP address than PING. That router malware that's going around doesn't in any way rely on WAN-facing ICMP responses for example. If you've got a compromised device behind your router calling out, again, dropping WAN-facing ICMP isn't going to help.

One thing you should make sure is disabled however is UPNP, which allows software to request static NAT/PAT mappings, opening ports and forwarding them to hosts inside your network without user intervention.
 
Originally Posted By: OVERKILL
OP: If you are behind a router (which you are) then the device GRC is communicating with is your router, not your workstation. Anything you do to modify your software "firewall" settings in Windows will have no effect.


Makes sense ... networking is something I'm not very knowledgeable about.

Originally Posted By: OVERKILL
One thing you should make sure is disabled however is UPNP, which allows software to request static NAT/PAT mappings, opening ports and forwarding them to hosts inside your network without user intervention.


My modem/router shows UPnP enabled (see below), yet when I did the UPnP Probe test on ShieldsUP it showed no vulnerabilities. Can you shed light on this? Should I change the UPnP settings to "Disable" on my modem/router?



 
It just means that nothing using UPNP inside your network is active, so there are no active mappings. Yes, you should disable it.
 
^^^ Thanks OVERKILL.

Another modem/router setting question. The default IPv4 Firewall settings are shown below. I'm assuming the modem/router firewall is active? There was no indication it could be Enabled or Disabled ... only the Stealth Mode setting. The IPv6 firewall settings however showed it could be set to an "Enable" or "Disable" state.

Wondering if I should set the "Security Level" a notch up from the "Low" setting.

When I tested with the "port probe" test in ShieldsUP it showed all my ports were in "Stealth" status. Yet, the modem/router setting shown below doesn't indicate it was set to Stealth Mode. So why did ShieldsUP report the tested ports as being in Stealth?

 
Originally Posted By: OVERKILL
Most WAN-facing residential/SMB gateways have accept PING from WAN enabled by default. This is not a security issue, it simply means that the device responds to an ICMP PING request. Most modern devices also have DOS mitigation, so a PING flood situation is not magically enabled with ping-on-WAN set to true.

Certain ISPs use a periodic PING to determine if a client is still up.

There are far more effective ways to determine the presence of a WAN-facing device on a given public IP address than PING. That router malware that's going around doesn't in any way rely on WAN-facing ICMP responses for example. If you've got a compromised device behind your router calling out, again, dropping WAN-facing ICMP isn't going to help.


OVERKILL or anyone else ... are there any issues that might be caused by disabling return ping? If not, seems like it wouldn't hurt to disable it. But if it caused problems then sounds like it's not worth doing ... ??

I just set my modem/router IPv4 firewall to "Stealth Mode" and did the ShieldsUP test again, and it now shows that the "return ping" from my system is no longer there.
 
I'd bump the security setting up to Medium and see if it breaks anything. Also, don't worry about the "stealth mode" garbage.
 
Originally Posted By: ZeeOSix
Originally Posted By: OVERKILL
Most WAN-facing residential/SMB gateways have accept PING from WAN enabled by default. This is not a security issue, it simply means that the device responds to an ICMP PING request. Most modern devices also have DOS mitigation, so a PING flood situation is not magically enabled with ping-on-WAN set to true.

Certain ISPs use a periodic PING to determine if a client is still up.

There are far more effective ways to determine the presence of a WAN-facing device on a given public IP address than PING. That router malware that's going around doesn't in any way rely on WAN-facing ICMP responses for example. If you've got a compromised device behind your router calling out, again, dropping WAN-facing ICMP isn't going to help.


OVERKILL or anyone else ... are there any issues that might be caused by disabling return ping? If not, seems like it wouldn't hurt to disable it. But if it caused problems then sounds like it's not worth doing ... ??

I just set my modem/router IPv4 firewall to "Stealth Mode" and did the ShieldsUP test again and it shows the return ping is no longer there.


No, generally it won't cause issues, it just isn't of benefit either.
 
Deleted post ... you answered it above while I was typing this post. Thanks OVERKILL ... good to have a network expert in this forum.
 
Originally Posted By: OVERKILL
It just means that nothing using UPNP inside your network is active, so there are no active mappings. Yes, you should disable it.


Should both the UPnP and UpnP NAT-T be disabled? Right now, both show as "Enabled" on my modem/router.

Will setting these to "Disable" cause any headaches down the road, like if I need to set up a wireless device (cell phone, smart TV, etc.) to use my modem/router?
 