Security risk of WAN ping respond?

andymodem (n00b, joined Aug 9, 2008, 36 messages)
Just picked up the Apple Airport Extreme to replace my DIR-655 and happened to run the ShieldsUP test at GRC.com. Results were fine for all the service ports, but it responds to WAN pings, and that cannot be turned off on the router. Are there any security risks of that I should be concerned about?
 
Depends on what else is open. Assuming a malicious person is scanning the internet for vulnerable hosts, they could start with a ping scan first, then do a port scan on the hosts that responded to ping.

It's not something to freak out about, but it's also something you would want to disable if you could.
 
No security risk, really.

Also really nice to have so you can confirm that your house burning down isn't why you can't access anything remotely. :p
 
In my opinion the "stealth" host concept is over-hyped. If nothing's listening there is nothing to exploit, and it's been a while since anyone has been able to remotely exploit the TCP/IP stack on most operating systems, so I don't see anything to be worried about.
 
90% of script kiddies don't care if your device responds to pings or not, they are still gonna scan it, and still gonna try to exploit it. ICMP is a great diagnostic tool; blocking it without a very good reason is a bad idea.
 
Watching my router's logs (I have a Cisco 3725 on my edge), I've seen a lot more port scanning happening if I unblock ICMP from the outside.

Generally, I just allow outside ping responses to a few sources (my peers in the PeerIX Project), and keep everything else blocked.

If I need to allow outside pings, I'll enable it.

But as Vito stated, it depends upon what else is open. I just don't like watching my ports being scanned, even if I'm blocking all of it anyhow. If your ports are secure and you aren't a freak like me with a console window open on one of my machines showing all of my blocked packets, blocking ICMP won't matter.
 
Wait a sec; blocking ping (ICMP echo request) is one thing. But if you block ALL ICMP, you are doing yourself more harm than good! Frag needed? Host/port unreachable? TTL exceeded? All very important.
 
Wait a sec; blocking ping (ICMP echo request) is one thing. But if you block ALL ICMP, you are doing yourself more harm than good! Frag needed? Host/port unreachable? TTL exceeded? All very important.
I block everything.. :) then again, I have all my "other features" (i.e. CBAC) configured properly as well. Filtering fragments is 100% recommended; most ISP(P) routers filter ICMP fragments anyway, as these are generally attacks (hence why fragments are automagically filtered in IPv6). Filtering ALL fragments, on the other hand, may not be the brightest idea, and I see your point with the other ICMP attribs :D

My .02: filtering ICMP echoes from unknown hosts is good practice. You can't exploit something that isn't visible to the common eye. Most attackers begin with ping sweeps, so nip the problem in the bud initially so no more enumeration can take place. There is a reason why filtering all unknown ICMP echo requests is still part of the standard security implementation for the DoD. :) Does not filtering pose a security risk? Maybe, but most likely not.
 
^ xphil3 taught me how to set up my CBAC, so my blocking ICMP (except, as mentioned, from specific IPs) hasn't caused me any issues either, at least not that I'm aware of.
 
Nah, I haven't used CBAC in a year or so. I just do permit tcp established, which you bitch at me about.
 
I just had deja vu regarding the 2 posts above, I'm not sure why. :p

I permit tcp established, what's wrong with that?!
 
You can't exploit something that isn't visible to the common eye.

Aka, "If I stick my head in the sand, nobody can find me to kick me in the arse!"

Sorry, I disagree. Let's say you have a machine that has a vulnerable web server, but doesn't respond to ICMP_ECHOs. A few script kiddies may try to ping your server, not get a reply, and move on. However, a few won't even bother trying to ping first, and will simply run their script against anything and everything they can. So, in this case, a few may have missed it, but a few will still find it and still pwn your box, while you sit back with a smug smile and think to yourself that you've made the box safer.

repeat after me... "security through obscurity is not security". I need to get that as a tattoo...

Besides.. does your box still respond with a RST or Port Unreachables when they see a SYN sent to a port that isn't listening? Oh look, you've just been "pinged" by a TCP Ping.
 
Aka, "If I stick my head in the sand, nobody can find me to kick me in the arse!"

Sorry, I disagree. Let's say you have a machine that has a vulnerable web server, but doesn't respond to ICMP_ECHOs. A few script kiddies may try to ping your server, not get a reply, and move on. However, a few won't even bother trying to ping first, and will simply run their script against anything and everything they can. So, in this case, a few may have missed it, but a few will still find it and still pwn your box, while you sit back with a smug smile and think to yourself that you've made the box safer.

repeat after me... "security through obscurity is not security". I need to get that as a tattoo...

I think you're getting the wrong idea. We all understand that blocking pings isn't a substitute for a good security policy. But it's a start.

You could choose not to block ICMP at all and you'll get more traffic attempting to get in, but if you have a well-configured security policy then it won't matter.

But, in the interest of reducing that traffic to a minimum, blocking ICMP from outside unknowns helps.

Fint said:
Besides.. does your box still respond with a RST or Port Unreachables when they see a SYN sent to a port that isn't listening? Oh look, you've just been "pinged" by a TCP Ping.

This is why I only permit TCP established...
 
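Two points in the thread are easier to judge with a concrete filter in hand: the post above about keeping "frag needed", host/port unreachable and TTL exceeded open while dropping echo requests (and fragmented ICMP) from anyone but known peers, and the later exchange about "permit tcp established" versus a TCP ping (a SYN to a closed port drawing a RST). The following stateless edge-filter model is an added example, not code from the thread, from Cisco IOS or from any of the posters; the allow-listed peer address and every probe packet are constructed here for illustration, and IP/TCP checksums are left at zero because the classifier never validates them.

```python
# Added example: stateless WAN-side filter modelling the policies argued in the
# thread (echo only from allow-listed peers, keep ICMP error types TCP/IP needs,
# drop fragmented ICMP, "permit tcp established").  Not router code; all
# addresses and packets below are constructed for the example.
import ipaddress
import struct

PING_PEERS = {ipaddress.ip_address("198.51.100.7")}  # hypothetical allow-listed peer

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
# Without these, PMTU discovery (type 3 code 4), traceroute (type 11) and fast
# connect failures (type 3 codes 1/3) break, even when echo is filtered.
ICMP_KEEP_TYPES = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def build_ipv4(proto, src, dst, payload, more_frags=False, frag_off=0):
    """Minimal 20-byte IPv4 header in front of payload (checksum left zero)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_icmp(icmp_type, code=0):
    """ICMP header: type, code, checksum, rest-of-header (all zero here)."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def build_tcp(sport, dport, flags):
    """TCP header with data offset 5 and the given flag bits, no options."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)


def parse_ipv4(pkt):
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "fragment": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0,
            "payload": pkt[ihl:]}


def verdict(pkt):
    """Return (action, reason) for one inbound packet arriving on the WAN side."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_ICMP:
        if ip["fragment"]:
            return ("drop", "fragmented ICMP")
        icmp_type, _code = struct.unpack("!BB", ip["payload"][:2])
        if icmp_type == ICMP_ECHO_REQUEST:
            if ip["src"] in PING_PEERS:
                return ("accept", "echo request from allow-listed peer")
            return ("drop", "echo request from unknown host")
        if icmp_type in ICMP_KEEP_TYPES:
            return ("accept", "ICMP reply/error needed by the stack")
        return ("drop", "other ICMP")
    if ip["proto"] == IPPROTO_TCP:
        _sp, _dp, _seq, _ack, off_flags = struct.unpack("!HHIIH", ip["payload"][:14])
        flags = off_flags & 0x003F
        # Cisco-style "permit tcp any any established" matches ACK or RST set.
        # A bare SYN is dropped here, so a closed port never answers with RST
        # and a SYN-based "TCP ping" sees nothing.  A bare ACK, however, passes.
        if flags & (TCP_ACK | TCP_RST):
            return ("accept", "tcp established (ACK or RST set)")
        return ("drop", "tcp without ACK/RST (new inbound connection)")
    return ("drop", "other protocol")


def run_demo():
    """Run constructed probes through the filter; returns {probe name: action}."""
    me, peer, stranger = "203.0.113.10", "198.51.100.7", "192.0.2.99"
    probes = {
        "ping from peer": build_ipv4(IPPROTO_ICMP, peer, me, build_icmp(ICMP_ECHO_REQUEST)),
        "ping from stranger": build_ipv4(IPPROTO_ICMP, stranger, me, build_icmp(ICMP_ECHO_REQUEST)),
        "frag needed (PMTUD)": build_ipv4(IPPROTO_ICMP, stranger, me, build_icmp(ICMP_DEST_UNREACH, 4)),
        "ttl exceeded": build_ipv4(IPPROTO_ICMP, stranger, me, build_icmp(ICMP_TIME_EXCEEDED)),
        "fragmented icmp": build_ipv4(IPPROTO_ICMP, stranger, me, build_icmp(ICMP_ECHO_REPLY), more_frags=True),
        "tcp ping: SYN to closed 8080": build_ipv4(IPPROTO_TCP, stranger, me, build_tcp(40000, 8080, TCP_SYN)),
        "nmap ACK scan: bare ACK": build_ipv4(IPPROTO_TCP, stranger, me, build_tcp(40000, 8080, TCP_ACK)),
    }
    return {name: verdict(pkt)[0] for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{action:6}  {name}")
```

The last probe is the caveat to carry away from the "permit tcp established" discussion: the `established` keyword is stateless and only looks at the ACK/RST bits, so an unsolicited bare ACK (what an nmap ACK scan sends) is passed straight to the host, and a closed port behind the filter still answers it with a RST. That blocks the SYN-style TCP ping quoted above but not an ACK probe; only a stateful inspector such as CBAC, which knows no such connection exists, drops the bare ACK as well.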
Aka, "If I stick my head in the sand, nobody can find me to kick me in the arse!"
This made me laugh :p

Sorry, I disagree. Let's say you have a machine that has a vulnerable web server, but doesn't respond to ICMP_ECHOs. A few script kiddies may try to ping your server, not get a reply, and move on. However, a few won't even bother trying to ping first, and will simply run their script against anything and everything they can. So, in this case, a few may have missed it, but a few will still find it and still pwn your box, while you sit back with a smug smile and think to yourself that you've made the box safer.
Get off your high horse, dude, and read the rest of my post. I believe I used the word most; do you need me to define that for you? It's a sad fact that MOST "hackers" are nothing more than script kiddies; for these folks, filtering ICMP echoes and putting a good IPS in place to thwart metasploit attempts is WAY more than enough. You know what dude,

How about this
http://iase.disa.mil/stigs/checklist/
Read the network STIG, and notice how filtering of all unknown ICMP echo requests is implemented. IT'S GOOD SECURITY PRACTICE! If you think otherwise, you're just being stupid. This is all I was trying to state!
repeat after me... "security through obscurity is not security". I need to get that as a tattoo...
This made me laugh even harder :rolleyes: I truly hope you're not in any security-related field, chief. No, a layered approach to security is horrible! Dude, seriously.... use your brain. Perhaps I should have worded that statement that you quoted a bit differently, but I wasn't trying to imply that filtering ICMP would make you unexploitable.... simply that it's one added layer of security that must be clearly backed up by others.

Besides.. does your box still respond with a RST or Port Unreachables when they see a SYN sent to a port that isn't listening? Oh look, you've just been "pinged" by a TCP Ping.
WOW, You can use nmap too! YAY!!!!!!!!!!!!!!!!!! I believe that my answer is in my previous post there too buckaroo.
 
xphil... Knocking off the high and mighty since 1963..


I see a t shirt deal coming some day
 
Damn, I'm coming up on 26... I spent too many years as a gamer and a home PC tech when I could have been getting certifications and running networks...

/cry
 